[Fedora-legal-list] Re: effective license (was: SPDX Statistics - R.U.R. edition)

On Tue, Sep 19, 2023 at 08:06:45AM +0200, Björn Persson wrote: > Richard Fontana wrote: > > I basically don't recognize "effective license" as a valid concept. I > > see people using it, perhaps increasingly, but I never see any > > definition of what it means. > > Here's an attempt at a definition of "effective license": > > Suppose I have a package with several source files, some of which are > licensed as GPL-2.0-or-later and others as GPL-3.0-or-later. All the > source files are compiled into a single executable file. > > GPL-3.0-or-later does not allow me to convey the executable as > GPL-2.0-only. GPL-2.0-or-later allows me to convey it as GPL-3.0-only > or a hypothetical later version. Thus the executable is – effectively – > covered by the terms of GPL-3.0-or-later. I'd say that the effective > license of the executable is GPL-3.0-or-later. > > If license x allows replacing itself with license y, then (x AND y) > simplifies into y. The effective license of a combined work is y. The problem I have with this kind of "effective" analysis is that it can lead to a rather misleading presentation of the license of a package. Consider that the package has 10,000 source files, of which 9999 are GPL-2.0-or-later, and 1 is GPL-3.0-or-later. Lets say the 9999 files are compiled into 1 binary, and the single 3.0 file is compiled into 2nd binary.

The effective analysis rule says we should express the license of the RPM package as GPL-3.0-or-later, even though the overwhealming majority of the package is GPL-2.0-or-later.

> All of the above applies only when sources under different licenses are > combined to form a program or library based on those sources. It does > not apply when a package contains multiple separate programs under > different licenses. SPDX expressions don't make that distinction.

I view that as intentionally misleading on the part of Fedora, so am very happy we dropped the effective analysis practice for RPM spec license tags.

It also had a result of changing license changes on rebases to new versions, even if the existing binaries were not changed. eg libfoo.so was GPL-2.0-or-later, and then a new release added a libbar.so as GPL-3.0-or-later. The RPM package would have to be changed to say 3.0-or-later by effective license doctrine, despite the pre-existing libfoo.so (that everyone currently uses) remaining 2.0-or-later.

> All of the above applies only when sources under different licenses are > combined to form a program or library based on those sources. It does > not apply when a package contains multiple separate programs under > different licenses. SPDX expressions don't make that distinction.

> If licenses x and y contradict each other, so that it's impossible to > comply with both, then the effective license is nil. Such a combined > work is not allowed. That would be true from the POV of a single binary, but not true from the POV of a package RPM spec. We aggregate the license of everything in the RPM, so it is valid for the RPM spec to include incompatible license sets.

> All of the above applies only when sources under different licenses are > combined to form a program or library based on those sources. It does > not apply when a package contains multiple separate programs under > different licenses. SPDX expressions don't make that distinction.