May 2023 - legal - Fedora Mailing-Lists

by David Schwörer

Hi, I tried to update python gelidum to SPDX. I wanted to check the license file [0] with licensecheck. The output is "MIT License". As I was not sure whether that is old notation or SPDX, I checked the documentation [1], and that says it is "Full name" instead. I went to the list of allowed license [2] and searched for "MIT License" - but there is no license with such a name. Do I need to open an issue for that license at [3]? Are the docs at [1] wrong? Did I use the wrong tool? Thanks, David [0] https://github.com/diegojromerolopez/gelidum/blob/main/LICENSE [1] https://docs.fedoraproject.org/en-US/legal/license-audit-tools/#_licensec... [2] https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ [3] https://gitlab.com/fedora/legal/fedora-license-data/-/issues

1 hour, 10 minutes

5
7
0 / 0

Fwd: SPDX Statistics - Rust edition

by Miroslav Suchý

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Rust edition Datum: Sun, 28 May 2023 07:23:58 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Two weeks ago we had: > * 23030 spec files in Fedora > > * 29532license tags in all spec files > > * 18604 tags have not been converted to SPDX yet > > * 7059tags can be trivially converted using `license-fedora2spdx` > > * Progress: 37% ░░░███████ 100% > Today we have: * 23060 spec files in Fedora * 29563license tags in all spec files * 18398 tags have not been converted to SPDX yet * 6955tags can be trivially converted using `license-fedora2spdx` * Progress: 37.8% ░░░███████ 100% ELN subset: * 1831 out of 4343 packages are not converted yet The list of packages needed to be converted is again here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. I updated the progress in this spreadsheet: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80... New projection when we will be finished is 2024-09-07. Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why SPDX Rust edition? Because on today's date on 28 May 1987. During the Cold war, Mathias Rust made a pirate flight from Helsinki to Moscow and landed near Red Square. https://en.wikipedia.org/wiki/Mathias_Rust Do you hesitate how to proceed with the migration? Please follow https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ or attend SPDX office hours (see different thread in this mailing list) Miroslav

23 hours, 32 minutes

2
1
0 / 0

SPDX office hours Tuesday cancelled

by Jilayne Lovejoy

Hi all, Given we just had the hackfest last week, we are cancelling the standing SPDX Office Hours for tomorrow, May 23rd. The next SPDX Office Hours will be June 27th at 8am US eastern time at https://meet.google.com/jbz-erzk-btc?authuser=0&hs=122 Thanks! Jilayne

1 week, 2 days

1
0
0 / 0

perl-Crypt-Argon2: CC0-1.0 OR Apache-2.0

by Chuck Anderson

Is a disjunctive license that includes CC0-1.0 as one of the options acceptable for Fedora? I'm intending to submit perl-Crypt-Argon2 for Fedora review and the C source code files [2] say: "You may use this work under the terms of a Creative Commons CC0 1.0 License/Waiver or the Apache Public License 2.0, at your option." But some of the files only mention CC0-1.0. In the github [2] only dist.ini mentions CC0-1.0 without Apache-2.0, but on CPAN [1] this is expanded to README, LICENSE, lib/Crypt/Argon2.pm and script/argon2-calibrate. I'd like to ask upstream to add a dual-license with Apache-2.0 everywhere CC0-1.0 is mentioned, but only if that would be an acceptable result. dist.ini: name = Crypt-Argon2 author = Leon Timmermans <leont(a)cpan.org> license = CC0_1_0 copyright_holder = Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans copyright_year = 2013 LICENSE: "Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans has dedicated the work to the Commons by waiving all of his or her rights to the work worldwide under copyright law and all related or neighboring legal rights he or she had in the work, to the extent allowable by law. Works under CC0 do not require attribution. When citing the work, you should not imply endorsement by the author. Creative Commons Legal Code CC0 1.0 Universal [...trimmed full license text...]" [1] https://metacpan.org/dist/Crypt-Argon2 [2] https://github.com/Leont/crypt-argon2

1 week, 4 days

2
1
0 / 0

Fwd: SPDX Statistics - SPDX Hackfest edition

by Miroslav Suchý

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - SPDX Hackfest edition Datum: Wed, 17 May 2023 08:23:51 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Two weeks ago we had: > * 23000 spec files in Fedora (wow, nice round number :) ) > > * 29503license tags in all spec files > > * 18744 tags have not been converted to SPDX yet > > * 7157tags can be trivially converted using `license-fedora2spdx` > > * Progress: 36% ░░░███████ 100% > > ELN subset: > > * 1987 out of 4704 packages are not converted yet > Today we have: * 23030 spec files in Fedora (wow, nice round number :) ) * 29532license tags in all spec files * 18604 tags have not been converted to SPDX yet * 7059tags can be trivially converted using `license-fedora2spdx` * Progress: 37% ░░░███████ 100% ELN subset: * 1907 out of 4567 packages are not converted yet The list of packages needed to be converted is again here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. I updated the progress in this spreadsheet: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80... New projection when we will be finished is 2024-08-19. Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or email to me is fine. Why SPDX Hackfest edition? Because **today** we organize hackfest where we show you example of conversion and you will have opportunity to talk to us (both lawyers and engineers). https://communityblog.fedoraproject.org/fedora-legal-spdx-hackfest/ Note: this was rescheduled so you may find two dates there. The valid one is 2023-05-17 Do you hesitate how to proceed with the migration? Please follow https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ or attend SPDX office hours (see different thread in this mailing list) Miroslav

1 week, 4 days

3
4
0 / 0

[Fedocal] Reminder meeting : Fedora Legal - SPDX Hackfest

by dcantrell＠redhat.com

Dear all, You are kindly invited to the meeting: Fedora Legal - SPDX Hackfest on 2023-05-17 from 10:00:00 to 14:00:00 US/Eastern At https://meet.google.com/fiu-jdzq-mws The meeting will be about: Hackfest for updating the license field in ELN packages to SPDX license expressions. Google Meet: https://meet.google.com/fiu-jdzq-mws There will be a short presentation for background and a demo on updating a package to start, then we'll work on packages and be available for questions and help. We plan to have more events like this to help package maintainers convert License tags in spec files to SPDX syntax. Source: https://calendar.fedoraproject.org//meeting/10505/

3 weeks

1
0
0 / 0

public domain dedication variants in the wild (found in Fedora)

by Jilayne Lovejoy

Hi SPDX-legal Some time ago, I raised the issue of the possibility of finding a proliferation of "public domain "dedication" texts in the course of Fedora reviewing package license info to adopt SPDX ids. Please see https://lists.spdx.org/g/Spdx-legal/topic/93048752#3202 for the background Fedora has been "collecting" such texts here https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-do... and using a specific LicenseRef-Fedora-Public-Domain as a sort of placeholder SPDX id. The idea being, no assessment of how many of these types of dedications exist has been collected in one place in order for the SPDX-legal community to assess. I estimate that Fedora has collected about 48 variations of public domain statements that are not specifically identified on the SPDX License List. I'm going to assume many of these packages also show up in other major distros. I'd like to raise the conversation as to: 1) Should each unique entry be added to the SPDX License List as a standalone entry (like normal, in that one SPDX license id represents a specific, identifiable license/set of text)? 2) Should SPDX consider a different approach by defining one SPDX id to represent any one of a collection of specifically identified and vetted texts? I'd love to hear your yes or no answer to these questions and why you answered as such :) Also see for background: https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_upd... https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_pub... We likely won't have time to discuss this on Thursday's call, but I wanted to start the discussion here and perhaps we can dedicate some time at an upcoming meeting. Thanks, Jilayne (copying Fedora-legal for awareness)

3 weeks, 1 day

1
0
0 / 0

Fwd: SPDX Statistics - Victory day

by Miroslav Suchý

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Victory day Datum: Mon, 8 May 2023 09:48:26 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Two weeks ago we had: > * 22961 spec files in Fedora > > * 29459license tags in all spec files > > * 19099 tags have not been converted to SPDX yet > > * 7404tags can be trivially converted using `license-fedora2spdx` > > * Progress: 35% ░░░███████ 100% > Today we have: * 23000 spec files in Fedora (wow, nice round number :) ) * 29503license tags in all spec files * 18744 tags have not been converted to SPDX yet * 7157tags can be trivially converted using `license-fedora2spdx` * Progress: 36% ░░░███████ 100% ELN subset: * 1987 out of 4704 packages are not converted yet The list of packages needed to be converted is again here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. I updated the progress in this spreadsheet: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80... You converted about 400 license tags in 14 days. New projection when we will be finished is 2024-07-30. Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or email to me is fine. Why Victory day? On this day, 78 years ago Karl Dönitz announce capitulation of Germany via radio. You can listen to his announcement https://www.youtube.com/watch?v=b8tXt0buPbA or read about the Victory day https://en.wikipedia.org/wiki/Victory_in_Europe_Day Do you hesitate how to proceed with the migration? Please follow https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ or attend SPDX office hours (see different thread in this mailing list) Miroslav

3 weeks, 2 days

1
0
0 / 0

Re: Changing the License tag of python-rpm-generators from GPLv2+ to a monstrosity

by Richard Fontana

On Fri, May 5, 2023 at 9:56 AM Chris Kelley <ckelley(a)redhat.com> wrote: > > As a purely logical expression, this simplifies to "GPL-2.0-or-later AND LGPL-2.1-or-later". Is that sort of simplification not allowed? The short answer is, these are not truly logical expressions and therefore they shouldn't necessarily simplify. Of course you could adopt some arbitrary convention for such simplification, which might or might not be well-grounded in some interpretation of the licenses at issue. In the past, there was no documented uniform set of conventions and basically each package maintainer applied their own assumptions about how license expressions could be simplified, leading to general inconsistency across different packages. The general trend in Fedora that I observed over many years was that license tags were getting more specific, i.e. less "simplification" was being done (or ignoring certain licenses was occurring less). This is actually shown by the fact that the Callaway system had a "Public Domain" which was widely used in packages with license tags containing references to other licenses. So we aren't actually changing policy here. Still, the cases involving public domain dedications are fairly extreme in this regard. If we *were* to adopt some system of simplification of license expressions that's probably where we'd start. Richard > > On Fri, 5 May 2023, 13:20 Miro Hrončok, <mhroncok(a)redhat.com> wrote: >> >> python-rpm-generators License tag changes from GPLv2+ to: >> >> GPL-2.0-or-later AND LGPL-2.1-or-later AND (LicenseRef-Fedora-Public-Domain OR >> LGPL-2.1-or-later OR GPL-2.0-or-later) >> >> https://src.fedoraproject.org/rpms/python-rpm-generators/pull-request/67 >> >> Funny thing is that the "(LicenseRef-Fedora-Public-Domain OR LGPL-2.1-or-later >> OR GPL-2.0-or-later)" thing was originally chosen to keep the License tag of >> the package simple while allowing others to grab the code from it without >> obligations :/ >> >> -- >> Miro Hrončok >

3 weeks, 5 days

1
0
0 / 0

Re: Changing the License tag of python-rpm-generators from GPLv2+ to a monstrosity

by Mamoru TASAKA

Chris Kelley wrote on 2023/05/05 22:55: > As a purely logical expression, this simplifies to "GPL-2.0-or-later AND > LGPL-2.1-or-later". Is that sort of simplification not allowed? > This is no longer allowed: https://docs.fedoraproject.org/en-US/legal/license-field/#_no_effective_l... Yes, so I am also re-checking the whole sources in the srpm I maintain... Regards, Mamoru > > On Fri, 5 May 2023, 13:20 Miro Hrončok, <mhroncok(a)redhat.com> wrote: > >> python-rpm-generators License tag changes from GPLv2+ to: >> >> GPL-2.0-or-later AND LGPL-2.1-or-later AND >> (LicenseRef-Fedora-Public-Domain OR >> LGPL-2.1-or-later OR GPL-2.0-or-later) >> >> https://src.fedoraproject.org/rpms/python-rpm-generators/pull-request/67 >> >> Funny thing is that the "(LicenseRef-Fedora-Public-Domain OR >> LGPL-2.1-or-later >> OR GPL-2.0-or-later)" thing was originally chosen to keep the License tag >> of >> the package simple while allowing others to grab the code from it without >> obligations :/ >> >> -- >> Miro Hrončok >> -- >> Phone: +420777974800 >> IRC: mhroncok >> _______________________________________________ >> devel mailing list -- devel(a)lists.fedoraproject.org >> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >> > > > _______________________________________________ > devel mailing list -- devel(a)lists.fedoraproject.org > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

3 weeks, 5 days

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal May 2023