On 19. 01. 22 at 4:42, Jilayne Lovejoy wrote:
On 1/13/22 2:59 PM, Richard Fontana wrote:
On Thu, Jan 13, 2022 at 8:56 AM Vít Ondruch vondruch@redhat.com wrote:
With my packager's hat on, I'd like this to be as simple as me (or some scanner) going through the code and listing all the licenses, which are then put into the `License` tag. The rest can be handled by automation, e.g. are these licenses good and in the right combination, what is the effective Fedora license. I am not sure why I, as a packager, should be involved in the decision whether Artistic should be listed somewhere or not.
So, are you saying you'd like to use a license scanner (e.g., ScanCode or FOSSology) to scan a proposed new package for Fedora and then have those results checked against the "good" list and then generate the License tag? This sounds like something that would require some additional tooling to be written to take the FOSSology results and compare them against the Fedora-license data, right?
All I wanted to say is that determining the SW license is not always easy for a packager. For my packages, I typically check for the licenses in the following places:
1) Metadata
2) License files
3) Readme
4) License scanner (typically licensecheck, because it is easy and straightforward).
5) Skimming through the code.
This should give me a reasonable list of licenses. This is the nontrivial part.
But from here, it should be quite easy to proceed with some tool. Therefore if I put something fishy into the license tag, the build would not be allowed to proceed.
For a packager, whether Artistic is allowed/listed or not should not be any concern as long as the build passes. Or if there is SSPL listed and the build fails, then the packager should finally be concerned about why it fails.
IOW, at this stage, we should not discuss whether Artistic should be listed in the `License` tag or not. If it was OK up to today, then it will be OK for the foreseeable future, with SPDX identifiers or not. Should it be reassessed? Probably, but not before we can validate the `License` tag content.
Vít