legal

legal@lists.fedoraproject.org

1 participants
1396 discussions

Fwd: SPDX Statistics - 127 packages remaining
by Miroslav Suchý 07 Feb '25

07 Feb '25

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 127 packages remaining Datum: Fri, 7 Feb 2025 06:42:03 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - the review of licenses in queue has been stalled for several weeks Two weeks ago we had: > * 24401spec files in Fedora > > * 31038license tags in all spec files > > * 142 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2289 tags have not been converted to SPDX yet > > * 16 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.48% ░░░░░░░░░█100% > > ELN subset: > > 61 out of 2316 packages are not converted yet (progress 97.41%) > Today we have: * 24347spec files in Fedora * 30986license tags in all spec files * 127 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2246tags have not been converted to SPDX yet * 15 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.48% ░░░░░░░░░█100% ELN subset: 57 out of 2317 packages are not converted yet (progress 97.54%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 35 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. There was no release of fedora-license-data. 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

[ANNOUNCE] Please join me for the 4th annual open source compliance tooling workshop FOSDEM fringe event, in Brussels, Belgium on January 31st, 2025
by Philippe Ombredanne 10 Jan '25

10 Jan '25

Hello everyone! Are you heading to FOSDEM? Join us for a one-day workshop for developers and users of open source SCA, SBOM, and license and security compliance tools. This is on Friday, January 31, 2025 in Brussels, just before FOSDEM 2025 https://workshop.aboutcode.org If you are involved with Fedora legal issues around open source license compliance, you are super welcome to join! The program will be a single track unconference with the day split in two: tools developers share their plans in the morning and users share their requirements in the afternoon. Then we will be trying to hopefully match requirements and plans, and hatch some plans for cross-project collaboration. This is the 4th time we have this event, and we expect a who-s-who in the space to join for the day, like last year where we were about 75 participants and had a blast! Registration is required. We have free tickets available for the community, but we encourage your contributions to help us pay for the event's expenses! Visit https://workshop.aboutcode.org We're also looking for generous sponsors to help fund the venue and catering - you can contribute online directly or email me directly at pombredanne(a)aboutcode.org I look forward to seeing you there. -- Cordially Philippe Ombredanne AboutCode.org AboutCode - Open source for open source - https://www.aboutcode.org VulnerableCode - the open code and open data vulnerability database ScanCode - scan your code, for origin/license/vulnerabilities, report SBOMs package-url - the mostly universal and essential SBOM identifier for packages DejaCode - What's in your code?!

1 0

Fwd: SPDX Statistics - 161 packages remaining
by Miroslav Suchý 10 Jan '25

10 Jan '25

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 161 packages remaining Datum: Fri, 10 Jan 2025 07:07:35 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - New version of upstream SPDX list has been released https://github.com/spdx/license-list-XML/releases/tag/v3.26.0 Most of the licenses were added due to Fedora. Three weeks (because of Christmas) ago we had: > * 24368spec files in Fedora > > * 31025license tags in all spec files > > * 224 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2475 tags have not been converted to SPDX yet > > * 21 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.28% ░░░░░░░░░█100% > > ELN subset: > > 62 out of 2314 packages are not converted yet (progress 97.32%) > Today we have: * 24379spec files in Fedora * 30988license tags in all spec files * 161 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2325 tags have not been converted to SPDX yet * 21 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.48% ░░░░░░░░░█100% ELN subset: 61 out of 2316 packages are not converted yet (progress 97.37%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 55 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. New version of fedora-license-data has been released. With: 3 new licenses and several public domain or ultrapermissive dedications 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Fwd: SPDX Statistics - 224 packages remaining
by Miroslav Suchý 20 Dec '24

20 Dec '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 224 packages remaining Datum: Fri, 20 Dec 2024 20:36:53 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - All PRs for firmware packages are merged. - Small improvements to legal-doc has been done. If you want to dive into the changes see https://gitlab.com/fedora/legal/fedora-legal-docs/-/merge_requests/?sort=cl… Two weeks ago we had: > * 24366spec files in Fedora > > * 31018license tags in all spec files > > * 268 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2542 tags have not been converted to SPDX yet > > * 29 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.14% ░░░░░░░░░█100% > Today we have: * 24368spec files in Fedora * 31025license tags in all spec files * 224 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2475 tags have not been converted to SPDX yet * 21 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.28% ░░░░░░░░░█100% ELN subset: 62 out of 2314 packages are not converted yet (progress 97.32%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 55 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. I did NOT released new fedora-license-data as there were added a public domain dedication and an ultra permissive dedication. 11 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Usage of modified DUMB library with license patches
by Alexey Lunev 02 Dec '24

02 Dec '24

Hi everyone! I want to bring `zmusic` into Fedora, but there is some issues with licensing. ZMusic uses DUMB library, which has unusual DUMB-0.9.3 license[0], but it is basically zlib license with extra clauses which can restrict it to count as free and accepted license. Fedora already has `dumb ` package, it patches[1] license to make it equivalent to zlib, with permission from original authors[2]. It was 18 years ago. I cannot use this package, because DUMB library, which is bundled with ZMusic, is heavily modified[3]. Is it OK to do the same, or do i need to ask permission from authors again? [0]: https://github.com/kode54/dumb/blob/master/LICENSE [1]: https://src.fedoraproject.org/rpms/dumb/blob/rawhide/f/dumb-0.9.3-license-c… [2]: https://src.fedoraproject.org/rpms/dumb/blob/rawhide/f/license-clarificatio… [3]: https://github.com/ZDoom/ZMusic/blob/master/licenses/legal.txt#L15-L19

3 4

License change between Unicode 15.0.0 and 15.1.0? Unicode-DFS-2016 vs. Unicode-3.0
by Fabio Valentini 27 Nov '24

27 Nov '24

Hi all, The upstream project of one of the packages I maintain has changed its license metadata from `(MIT OR Apache-2.0) AND Unicode-DFS-2016` to `(MIT OR Apache-2.0` AND Unicode-3.0` in the last release: https://github.com/dtolnay/unicode-ident/pull/28 The Unicode-DFS-2016 license text is indeed no longer available from the unicode.org website, where it has been replaced with the Unicode-3.0 license text. As far as I know, the Unicode-DFS-2016 license was applicable to code derived from Unicode data - is this no longer the case? Has the Unicode-3.0 license replaced it for this purpose? If this is indeed the case, does this need to be reflected in other places (like the Rust standard library / compiler), which reference the old Unicode-DFS-2016 license text, too? Fabio

2 2

Fwd: SPDX Statistics - 305 packages remaining
by Miroslav Suchý 22 Nov '24

22 Nov '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 305 packages remaining Datum: Fri, 22 Nov 2024 08:24:46 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - I walked through all packages with "Public Domain" license. For all such packages I identified the public domain dedication and added it to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-doma… Richard F. did the review and I opened PRs for such packages to change the license to LicenseRef-Fedora-Public-Domain. There are about 30 PRs wating to be merged. In several cases I had to open issue as the public domain dedication is not easy and has some sort of problem. - Unfortunately in several cases, the evaluation of dedication (either public domain or "Redistributable") was found as not good enough. I.e. the license is not allowed. Several packages has been already retired in Fedora Linux because of that. You can track it here: https://bugzilla.redhat.com/show_bug.cgi?id=2310597 - I started walking through "Redistributable, no modification permitted" that is usually used in firmware package. It is much smaller set of packages compared to Public Domain set. I should have it done by next report. But the analysis is much harder. - sometimes you used in License tag deprecated license id https://spdx.github.io/spdx-spec/v2.3/SPDX-license-list/#a3-deprecated-lice… Note that while we usually abbreviate the communication that you must use SPDX ID, but there is silent part "and approved for usage in Fedora Linux". I.e. such ID must be in fedora-license-data. And these deprecated ID are not there (and never will be). - We have 59 open issues for fedora-license-data https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?sort=updated_… From past experience, you should expect that it will take about 3 months to proceed all these issues. - For most packages the license change is "just" committed to dist-git. The change in binary RPM will be visible after next mass rebuild (scheduled to 2025-01-15). Two weeks ago we had: > * 24311spec files in Fedora > > * 30967license tags in all spec files > > * 360 tags are not SPDX complient (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2658 tags have not been converted to SPDX yet > > * 86 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 98.84% ░░░░░░░░░█100% > > ELN subset: > 68 out of 2310 packages are not converted yet (progress 97.06%) > Today we have: * 24340spec files in Fedora * 30993license tags in all spec files * 305 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2587 tags have not been converted to SPDX yet * 56 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.02% ░░░░░░░░░█100% ELN subset: 62 out of 2313 packages are not converted yet (progress 97.32%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 59 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. New version of fedora-license-data has been released. With: 7 new licenses and lots of public domain dedications and several firmware licenses 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. New projection when we will be finished is 2024-11-30 (+13 days from last report). Pure linear approximation. This information no longer makes sense. Most of the packages are already SPDX compliant and for most of the remaining packages we have open issue that will take weeks/months to be resolved. I will remove this prediction from future reports. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

SPDX tag for this Unicode source license
by Peter Lemenkov 21 Nov '24

21 Nov '24

Hello! I've stumbled upon the following legal text (a bunch of usually bundled UTF-conversion routines are licensed under this one): ``` Copyright 2001-2004 Unicode, Inc. Disclaimer This source code is provided as is by Unicode, Inc. No claims are made as to fitness for any particular purpose. No warranties of any kind are expressed or implied. The recipient agrees to determine applicability of information provided. If this file has been purchased on magnetic or optical media from Unicode, Inc., the sole remedy for any claim will be exchange of defective media within 90 days of receipt. Limitations on Rights to Redistribute This Code Unicode, Inc. hereby grants the right to freely use the information supplied in this file in the creation of products supporting the Unicode Standard, and to make copies of this file in any form for internal or external distribution as long as this notice remains attached. ``` What's the proper SPDX tag for this one? License checking tool during the fedora-review says its "Unicode strict" but license-fedora2spdx doesn't know about this one although it is a quite popular one according to GitHub * https://github.com/search?q="This+source+code+is+provided+as+is+by+Unicode%2C+Inc"&type=code -- With best regards, Peter Lemenkov.

2 2

Fedora SPDX ID for CRC32 License
by Ian McInerney 08 Nov '24

08 Nov '24

I posted this as a comment in one of the old license review issues here https://gitlab.com/fedora/legal/fedora-license-data/-/issues/512#note_20755…, but it doesn't seem to have been noticed. Basically, in the license data there is a file for "LicenseRef-CRC32" here https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/Licens…, listing it as allowed and with the expression for the license line as "LicenseRef-CRC32". However, then there was a review request for that same license in https://gitlab.com/fedora/legal/fedora-license-data/-/issues/512 which ended up saying that the license identifier should be "LicenseRef-Fedora-UltraPermissive", and doesn't seem to mention the existing "LicenseRef-CRC32" in the license data. So, my question is, which is the proper expression to use for this license given that it seems there are now two expressions for it?

2 1

Licensing BIP derived files
by Cristian Le 04 Oct '24

04 Oct '24

Hi, This issue came up when trying to package rust-tiny-bip39 [1]. Basically there are some projects that are spun off of Bitcoin Improvement Proposals (BIP), in this case BIP39 [2] which establishes a wordlist which can be use as mnemonic to encode/decode a long series of bits. Te issue is that typically these BIPs are licensed [3], but (maybe) because BIP39 has not passed the proposed stage, it did not receive a proper license. So the question is, how to deal with the wordlist defined in BIP39? Contacting the upstream developer is difficult as they don't have an open issue page, and the main means of external people to get in touch with them is through their google mailing list, which would require exposing my personal gmail account to who knows what (given the association with bitcoin), which I am not comfortable of doing. In Fedora there is another BIP39 based project, python-mnemonic [4], which is the reference code for BIP39, where the only license specified is MIT. I have looked at the review request ticket [5], but the licensing of BIP39 was not discussed there. Any advice on this situation? [1]: https://bugzilla.redhat.com/show_bug.cgi?id=2297307 [2]: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki [3]: https://github.com/bitcoin/bips/blob/master/bip-0002.mediawiki#bip-licensing [4]: https://src.fedoraproject.org/rpms/python-mnemonic [5]: https://bugzilla.redhat.com/show_bug.cgi?id=1395867

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal