legal

legal@lists.fedoraproject.org

1 participants
1389 discussions

Fwd: Invitation from FSFE to Online Q&A Session about DMA & Free Software
by Richard Fontana 13 Mar '25

13 Mar '25

---------- Forwarded message --------- From: Dario Presutti <dario(a)fsfe.org> Date: Thu, Mar 13, 2025 at 11:06 AM Subject: Invitation from FSFE to Online Q&A Session about DMA & Free Software To: <rfontana(a)redhat.com> Cc: Lucas Lasota <lucas.lasota(a)fsfe.org> Dear Richard, I hope this email finds you well. My name is Dario, and I am a project manager at the Free Software Foundation Europe (FSFE). I received your contact from Matthias Kirschner - pleased to e-meet you! I am reaching out because my colleague Lucas (CC’d) and I are actively working on the implementation of the Digital Markets Act (DMA) and its implications for Free Software. Recently, we have received many questions from other Free Software organisations regarding this topic. To address these, at the FSFE, we have decided to host an online Q&A session specifically for representatives of FOSS organisations, We would be delighted if you could participate. We would also appreciated if you could post this invitation to the Fedora Legal Mailing List (https://docs.fedoraproject.org/en-US/legal/) because we think this might be of interest. Below, you’ll find key details about the event. Thank you in advance! --- # Online Q&A session – DMA & Free Software: what Free Software organisations need to know Date: 24 March 2025 Time: 17:30 CET Location: Online (FSFE’s instance) Registration required: https://share.fsfe.org/apps/forms/s/riaMwgdMcgTnpHTTX3g92bkk As you may already know, the DMA is a landmark regulation by the European Union, designed to limit the power of large technology companies acting as “gatekeepers” and to foster fairer competition. Among its key provisions, the DMA establishes obligations for these dominant platforms, including the right to install and uninstall software freely, access to third-party app stores, and enhanced interoperability measures. These provisions have the potential to create new opportunities for Free Software development, distribution, and adoption. This session will provide Free Software organisation representatives the opportunity to: - Gain a deeper understanding of how the DMA’s enforcement impacts the Free Software ecosystem and the FSFE’s role in this process - Learn about FSFE’s legal efforts, including its ongoing litigation against Apple at the Court of Justice of the European Union. (If you attended FOSDEM, you may have seen FSFE Legal Programme Manager Lucas Lasota’s keynote on this topic [1]) - Engage directly with the FSFE team working on these issues. Event page: https://fsfe.org/news/2025/news-20250306-01.en.html ---- If you have any questions or need further information, please don’t hesitate to reach out! Thank you again. Best regards, Dario [1] https://fosdem.org/2025/schedule/event/fosdem-2025-5084-how-we-are-defendin… -- Dario Presutti (he/him/none) | Project Manager Free Software Foundation Europe e.V. Schönhauser Allee 6/7, 10119 Berlin, Germany Matrix: @dario:fsfe.org | Email: dario(a)fsfe.org

1 0

Fwd: SPDX Statistics - 123 packages remaining
by Miroslav Suchý 22 Feb '25

22 Feb '25

-------- Přeposlaná zpráva -------- Hot news: - the review of licenses in queue has been stalled for several weeks Two weeks ago we had: > * 24347spec files in Fedora > > * 30986license tags in all spec files > > * 127 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2246tags have not been converted to SPDX yet > > * 15 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.48% ░░░░░░░░░█100% > > ELN subset: > > 57 out of 2317 packages are not converted yet (progress 97.54%) > Today we have: * 24379 spec files in Fedora * 31024license tags in all spec files * 123 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2220tags have not been converted to SPDX yet * 16 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.60% ░░░░░░░░░█100% ELN subset: 57 out of 2316 packages are not converted yet (progress 97.54%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 35 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. I released new version of fedora-license-data with one new license. 11 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Properly releasing software to the public domain
by Jason L Tibbitts III 20 Feb '25

20 Feb '25

I have some pieces of software which I always intended to release to the public domain. I understand that it not possible in all jurisdictions, so in the past I would allow CC0 in this case and used the following license statement: # Originally written by Jason Tibbitts <j(a)tib.bs> in 2016. # Donated to the public domain. If you require a statement of license, please # consider this work to be licensed as "CC0 Universal", any version you choose. Now, if course Fedora decided a couple of years ago that we can't use CC0 for code. Is there a Fedora-approved method for disclaiming copyright? I would like to do this the right way (in part because this software is used by Fedora and I would like to package it for Fedora), but it seems contradictory to use something like MIT-0 because the first line is literally "Copyright <YEAR> <COPYRIGHT HOLDER>". Does 0BSD work? That's at https://opensource.org/license/0bsd

5 6

Fwd: SPDX Statistics - 127 packages remaining
by Miroslav Suchý 07 Feb '25

07 Feb '25

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 127 packages remaining Datum: Fri, 7 Feb 2025 06:42:03 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - the review of licenses in queue has been stalled for several weeks Two weeks ago we had: > * 24401spec files in Fedora > > * 31038license tags in all spec files > > * 142 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2289 tags have not been converted to SPDX yet > > * 16 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.48% ░░░░░░░░░█100% > > ELN subset: > > 61 out of 2316 packages are not converted yet (progress 97.41%) > Today we have: * 24347spec files in Fedora * 30986license tags in all spec files * 127 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2246tags have not been converted to SPDX yet * 15 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.48% ░░░░░░░░░█100% ELN subset: 57 out of 2317 packages are not converted yet (progress 97.54%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 35 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. There was no release of fedora-license-data. 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

[ANNOUNCE] Please join me for the 4th annual open source compliance tooling workshop FOSDEM fringe event, in Brussels, Belgium on January 31st, 2025
by Philippe Ombredanne 10 Jan '25

10 Jan '25

Hello everyone! Are you heading to FOSDEM? Join us for a one-day workshop for developers and users of open source SCA, SBOM, and license and security compliance tools. This is on Friday, January 31, 2025 in Brussels, just before FOSDEM 2025 https://workshop.aboutcode.org If you are involved with Fedora legal issues around open source license compliance, you are super welcome to join! The program will be a single track unconference with the day split in two: tools developers share their plans in the morning and users share their requirements in the afternoon. Then we will be trying to hopefully match requirements and plans, and hatch some plans for cross-project collaboration. This is the 4th time we have this event, and we expect a who-s-who in the space to join for the day, like last year where we were about 75 participants and had a blast! Registration is required. We have free tickets available for the community, but we encourage your contributions to help us pay for the event's expenses! Visit https://workshop.aboutcode.org We're also looking for generous sponsors to help fund the venue and catering - you can contribute online directly or email me directly at pombredanne(a)aboutcode.org I look forward to seeing you there. -- Cordially Philippe Ombredanne AboutCode.org AboutCode - Open source for open source - https://www.aboutcode.org VulnerableCode - the open code and open data vulnerability database ScanCode - scan your code, for origin/license/vulnerabilities, report SBOMs package-url - the mostly universal and essential SBOM identifier for packages DejaCode - What's in your code?!

1 0

Fwd: SPDX Statistics - 161 packages remaining
by Miroslav Suchý 10 Jan '25

10 Jan '25

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 161 packages remaining Datum: Fri, 10 Jan 2025 07:07:35 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - New version of upstream SPDX list has been released https://github.com/spdx/license-list-XML/releases/tag/v3.26.0 Most of the licenses were added due to Fedora. Three weeks (because of Christmas) ago we had: > * 24368spec files in Fedora > > * 31025license tags in all spec files > > * 224 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2475 tags have not been converted to SPDX yet > > * 21 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.28% ░░░░░░░░░█100% > > ELN subset: > > 62 out of 2314 packages are not converted yet (progress 97.32%) > Today we have: * 24379spec files in Fedora * 30988license tags in all spec files * 161 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2325 tags have not been converted to SPDX yet * 21 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.48% ░░░░░░░░░█100% ELN subset: 61 out of 2316 packages are not converted yet (progress 97.37%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 55 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. New version of fedora-license-data has been released. With: 3 new licenses and several public domain or ultrapermissive dedications 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Fwd: SPDX Statistics - 224 packages remaining
by Miroslav Suchý 20 Dec '24

20 Dec '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 224 packages remaining Datum: Fri, 20 Dec 2024 20:36:53 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - All PRs for firmware packages are merged. - Small improvements to legal-doc has been done. If you want to dive into the changes see https://gitlab.com/fedora/legal/fedora-legal-docs/-/merge_requests/?sort=cl… Two weeks ago we had: > * 24366spec files in Fedora > > * 31018license tags in all spec files > > * 268 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2542 tags have not been converted to SPDX yet > > * 29 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.14% ░░░░░░░░░█100% > Today we have: * 24368spec files in Fedora * 31025license tags in all spec files * 224 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2475 tags have not been converted to SPDX yet * 21 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.28% ░░░░░░░░░█100% ELN subset: 62 out of 2314 packages are not converted yet (progress 97.32%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 55 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. I did NOT released new fedora-license-data as there were added a public domain dedication and an ultra permissive dedication. 11 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Usage of modified DUMB library with license patches
by Alexey Lunev 02 Dec '24

02 Dec '24

Hi everyone! I want to bring `zmusic` into Fedora, but there is some issues with licensing. ZMusic uses DUMB library, which has unusual DUMB-0.9.3 license[0], but it is basically zlib license with extra clauses which can restrict it to count as free and accepted license. Fedora already has `dumb ` package, it patches[1] license to make it equivalent to zlib, with permission from original authors[2]. It was 18 years ago. I cannot use this package, because DUMB library, which is bundled with ZMusic, is heavily modified[3]. Is it OK to do the same, or do i need to ask permission from authors again? [0]: https://github.com/kode54/dumb/blob/master/LICENSE [1]: https://src.fedoraproject.org/rpms/dumb/blob/rawhide/f/dumb-0.9.3-license-c… [2]: https://src.fedoraproject.org/rpms/dumb/blob/rawhide/f/license-clarificatio… [3]: https://github.com/ZDoom/ZMusic/blob/master/licenses/legal.txt#L15-L19

3 4

License change between Unicode 15.0.0 and 15.1.0? Unicode-DFS-2016 vs. Unicode-3.0
by Fabio Valentini 27 Nov '24

27 Nov '24

Hi all, The upstream project of one of the packages I maintain has changed its license metadata from `(MIT OR Apache-2.0) AND Unicode-DFS-2016` to `(MIT OR Apache-2.0` AND Unicode-3.0` in the last release: https://github.com/dtolnay/unicode-ident/pull/28 The Unicode-DFS-2016 license text is indeed no longer available from the unicode.org website, where it has been replaced with the Unicode-3.0 license text. As far as I know, the Unicode-DFS-2016 license was applicable to code derived from Unicode data - is this no longer the case? Has the Unicode-3.0 license replaced it for this purpose? If this is indeed the case, does this need to be reflected in other places (like the Rust standard library / compiler), which reference the old Unicode-DFS-2016 license text, too? Fabio

2 2

Fwd: SPDX Statistics - 305 packages remaining
by Miroslav Suchý 22 Nov '24

22 Nov '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 305 packages remaining Datum: Fri, 22 Nov 2024 08:24:46 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - I walked through all packages with "Public Domain" license. For all such packages I identified the public domain dedication and added it to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-doma… Richard F. did the review and I opened PRs for such packages to change the license to LicenseRef-Fedora-Public-Domain. There are about 30 PRs wating to be merged. In several cases I had to open issue as the public domain dedication is not easy and has some sort of problem. - Unfortunately in several cases, the evaluation of dedication (either public domain or "Redistributable") was found as not good enough. I.e. the license is not allowed. Several packages has been already retired in Fedora Linux because of that. You can track it here: https://bugzilla.redhat.com/show_bug.cgi?id=2310597 - I started walking through "Redistributable, no modification permitted" that is usually used in firmware package. It is much smaller set of packages compared to Public Domain set. I should have it done by next report. But the analysis is much harder. - sometimes you used in License tag deprecated license id https://spdx.github.io/spdx-spec/v2.3/SPDX-license-list/#a3-deprecated-lice… Note that while we usually abbreviate the communication that you must use SPDX ID, but there is silent part "and approved for usage in Fedora Linux". I.e. such ID must be in fedora-license-data. And these deprecated ID are not there (and never will be). - We have 59 open issues for fedora-license-data https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?sort=updated_… From past experience, you should expect that it will take about 3 months to proceed all these issues. - For most packages the license change is "just" committed to dist-git. The change in binary RPM will be visible after next mass rebuild (scheduled to 2025-01-15). Two weeks ago we had: > * 24311spec files in Fedora > > * 30967license tags in all spec files > > * 360 tags are not SPDX complient (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2658 tags have not been converted to SPDX yet > > * 86 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 98.84% ░░░░░░░░░█100% > > ELN subset: > 68 out of 2310 packages are not converted yet (progress 97.06%) > Today we have: * 24340spec files in Fedora * 30993license tags in all spec files * 305 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2587 tags have not been converted to SPDX yet * 56 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.02% ░░░░░░░░░█100% ELN subset: 62 out of 2313 packages are not converted yet (progress 97.32%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 59 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. New version of fedora-license-data has been released. With: 7 new licenses and lots of public domain dedications and several firmware licenses 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. New projection when we will be finished is 2024-11-30 (+13 days from last report). Pure linear approximation. This information no longer makes sense. Most of the packages are already SPDX compliant and for most of the remaining packages we have open issue that will take weeks/months to be resolved. I will remove this prediction from future reports. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal