What's the best way to raise licensing issues in already-added packages?
I think there are largely two cases:
* Fedora and its distributors comply with the licensing terms, but the
license is not obviously on Fedora's allowed list. An example would
be an obscure field-of-use restriction (as in the JSON license).
* Fedora and its distributors appear violating the license. An example
would be a package that ships a pre-built Linux kernel binary without
the required GPL notices, and without corresponding soruce code.
Do these two cases need to be treated differently? In the past, I may
have filed bugs in Bugzilla, but this might be construed as a bit rude.
I looked at <https://docs.fedoraproject.org/en-US/legal/> and couldn't
find any discussion of this topic. Sorry if I missed it.
With the update to the regex-syntax crate package that I'm building
right now, the license will change from "MIT OR Apache-2.0" to "(MIT
OR Apache-2.0) AND Unicode-DFS-2016".
The project includes code that is derived from Unicode data files, and
it already shipped a license text for the Unicode-DFS-2016 license for
this reason - but the SPDX license string in upstream crate metadata
doesn't reflect this fact. It also appears that the inclusion of the
additional license file was made after the package was initially
reviewed for Fedora, and as a result, previous versions of this
package didn't include the Unicode license in its License tag.
I have also opened an upstream discussion about this, since I believe
that the upstream license specifier is wrong (i.e. missing " ... AND
Unicode-DFS-2016"), but upstream developers don't appear convinced
(even though similar changes were already made in equivalent cases for
other Rust projects):
This change will probably have at least some "ripple effect" across
Rust packages in Fedora once they are rebuilt against this new
version, since basically everything depends on the "regex" crate
(which depends on regex-syntax), either directly, or indirectly.
I'm pretty sure that this package now has the the correct license tag
(i.e. project has two parts: first part is dual-licensed "MIT OR
Apache-2.0", second part is derived from Unicode data and is licensed
"Unicode-DFS-2016", so the license tag should reflect *both* parts),
but if I am wrong about this, please get my attention, so I can revert
this change in a timely manner.
The manual for XMLada comes with this statement:
| Copyright (C) 2000-2002, Emmanuel Briot
| Copyright (C) 2003-2011, AdaCore
| This document may be copied, in whole or in part, in any form or by
| any means, as is or with alterations, provided that (1) alterations
| are clearly marked as alterations and (2) this copyright notice is
| included unmodified in any copy.
That's all of it. The upstream source is here:
What shall we call this license in SPDX notation?