2015-07-09 14:08 GMT+02:00 Josh Boyer <jwboyer(a)fedoraproject.org&gt;: To give some context, I'm currently discussing with other RPM distribution to push OpenStack packaging upstream. One of the topic raised was using common licensing classification, and the Linux Foundation has been working to standardize this. Some of our fellow distributions have standardized to SPDX or considering it: * Suse: standardized to SPDX * Debian: considering it https://wiki.debian.org/SPDX * Ubuntu: same (Canonical is also part of the SPDX WG) Though, I was skeptic at first, I must admit that there is some gain to standardize our licensing nomenclature. And maybe reuse all the licensing compliance checking tools from SPDX. If we agree and Legal approves it, the plan would be: * Updating guidelines to reflect this * Fix fedora-review, rpmlint -there's already a fix from Suse- and all package compliance checking tools * Then require, all new packages should follow the SPDX format for license tag * provenpackagers massively fix all the specs (could be automated) Benefits: * share a common standard with other distributions (including the other leading RPM one) and ease communication. * reuse SPDX tooling for license compliance checking (slides from FOSDEM 2015 talks: https://spdx.org/sites/spdx/files/FOSDEM_2015-v2-static.pdf) * doesn't change anything in our licensing policies (ie: what we accept or not) Inconvenients: * requires changing our guidelines, and tooling => low to medium impact * mass changing all specs => could be automated I know this would raise a lot of questions, so I want to have your feedback before thinking submitting a F24 changes. Regards, H.

On 9.7.2015 14:48, Haïkel wrote: Actually, openSUSE has a tool for this: https://github.com/openSUSE/spec-cleaner It can convert their old license abbrevs to SPDX, I don't know if we are using the same ones, but the data set can be changed of course. Another thing is that this would most certainly also affect EPEL/RHEL, so it is probably not only Fedora's decision to make. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

On Thu, Jul 09, 2015 at 03:22:41PM +0200, Haïkel wrote: The point I made earlier (wasn't posted to devel@) was that the SPDX abbreviations are not equivalents of the abbreviations in use by Fedora. "MIT" is used in Fedora and in SPDX, but they do not mean the same thing. "MPLv1.1" in Fedora is not equivalent to "MPL-1.0" or whatever in SPDX. So what is the point of adopting a different abbreviation system if the meaning of the underlying referenced things or concepts is not the same? One answer might be that Fedora should radically alter its longstanding approach to license abbreviations in such a way that use of the SPDX abbreviations would actually make sense. Is there really any interest in doing that though? Now, if there is already in the larger world a layer of confusion over how the SPDX abbreviations are being used (as I'm beginning to think there may be), perhaps that weakens my concern, but then I don't see the compelling argument to shift to a different abbreviation system. Better for all the main community distros to get together and create their own standardized abbreviation system, suitable for distros rather than commercial compliance product vendors which are the entities that appear to be mainly driving the SPDX effort. Richard

On Thu, Jul 09, 2015 at 03:53:51PM +0200, Stanislav Ochotnicky wrote: Yes, that is it (well, there may be additional incongruities but that's the one I know about). To use "MIT" in the way Fedora does would conflict with the whole philosophy of the SPDX abbreviation system, as I understand it. No, because they wouldn't have any standard name. As I understand it, SPDX has created a set of abbreviations meant to cover the most commonly-encountered license texts or license notices. Most of the licenses that Fedora classifies as "MIT" would not have any SPDX name (maybe even all but the OSI-style MIT license). RF

SPDX provides a more accurate way to represent the licensing of a package. For example the following SPDX report illustrates that the licensing of xorg-server-1.12.2.tar.bz2 is more than a single variant of the MIT license: http://spdx.windriver.com/LQI/Report/xorg-server-1.12.2.tar.bz2_7fe6bfc07... The report's "LicenseRef" tab represents less common licenses (or variants of licenses). - Mark -----Original Message----- From: legal-bounces(a)lists.fedoraproject.org [mailto:legal-bounces@lists.fedoraproject.org] On Behalf Of Adam Jackson Sent: Thursday, July 09, 2015 7:47 AM To: Development discussions related to Fedora Cc: Fedora legal mailing list Subject: Re: [Fedora-legal-list] [RFC] Switching to SPDX in license tags On Thu, 2015-07-09 at 10:05 -0400, Richard Fontana wrote: Hilariously, X.org's standard license text (as found near the top of xserver/COPYING) would match neither SPDX's "MIT" nor its "X11" license. - ajax _______________________________________________ legal mailing list legal(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/legal

On Thu, Jul 09, 2015 at 02:03:43PM +0200, Haïkel wrote: What distros or upstream projects are actually using the SPDX format? I am not aware of any. I am aware of some projects using these identifiers. However, Fedora's use of license abbreviations is different in nature from that of SPDX, so I'd be concerned that use of the SPDX abbreviations would result in confusion (or else a costly change to Fedora's practices). (Separately I consider the SPDX identifiers problematic because in a number of cases they clash with common organic community abbreviations which happen to be in wide use in the Fedora community.) RF

On 09.07.2015 15:14, Haïkel wrote: Yes, but it is hack-ish. SPDX doesn't provide anywhere near the license short names we need, so we (openSUSE) resorted to keeping our own list in parallel. The idea was to try to get the other license short names upstream to SPDX, but that was painstakingly slow. Recently, SPDX changed the short name list again, meaning we have to go back over it. If Fedora does go ahead with SPDX shortnames, the same issue will arise (not all licenses that Fedora requires are in the SPDX short names list). Given that openSUSE 'borrowed' Fedora's good/bad license list years ago, perhaps it would be possible to sync up on those short names that SPDX does not have. -- Ciaran Farrell

On Thu, Jul 9, 2015 at 8:22 AM, Ciaran Farrell <cfarrell(a)suse.com&gt; wrote: Is there a link to this parallel list somewhere? It would be interesting to compare. Hopefully its moving forward a lot faster now, the team added over 80 licenses last year from the Fedora list, and for the new ones did their best to keep the Fedora licenses. Please see spreadsheet at: https://docs.google.com/spreadsheets/d/1LUJuzGKC5K2yYuAg8S-2VYbS2dmg_4IlF... where there is a matching of the fedora names to the most recent SPDX license list. First tab is full SPDX list and shows corresponding Fedora ones when they exist (SPDX-LL2.1-->Fedora). The second tab (Fedora not on SPDX) is those from Fedora that aren't on the SPDX list, and where some help is needed to get them there. Any help folks want to give resolving those ambiguities and open questions is most welcome (mail to spdx-legal at The second tab on the spreadsheet has the licenses that haven't been added, all the rest have (keeping the Fedora name when another wasn't already present). If you've some licenses that aren't on the list, you want to see added, the process for adding them is documented: http://spdx.org/spdx-license-list/request-new-license-or-exception Thanks, Kate

On Thu, Jul 9, 2015 at 9:40 AM, Richard Fontana <rfontana(a)redhat.com&gt; wrote: I asked the same thing. I'm reasonably sure SuSE is not providing full SPDX format files and we are instead just speaking about the abbreviations. It would be good to get an answer from Haikel though. josh

2015-07-09 15:42 GMT+02:00 Tom Callaway <tcallawa(a)redhat.com&gt;: Yes, we're not concerned by the SPDX (sorry for the confusion). I was speaking about the short identifiers, not providing the SPDX files. agreed, but automation can lessen the pain, and we could just fix/bump specs without rebuilding. It will be picked up at the next build or mass rebuild. I don't really have an opinion, on that matter, I trust Fedora Legal judgment. And that's what I would consider as a strong blocker. Yes, and I'm not sure that as community-led distribution, we could ever do that. It's more about standardizing on the licensing identifiers nomenclature. Moreover, i was also interested in the licensing compliance checking tool which could be leveraged in reviews. H.

2015-07-09 16:21 GMT+02:00 Richard Fontana <rfontana(a)redhat.com&gt;: if it's commonly shared with other distros (and Suse already switched to it). H.

On Thu, 2015-07-09 at 10:49 -0400, Richard Fontana wrote: If the goal is to come to a common set of abbreviations for licenses might it be an idea to work together with an organization like the FSF who already analyze and categorizes all Free Software licenses. They keep a public license list and assign unique short identifiers to each of them: http://www.gnu.org/licenses/license-list.html That abbreviation can then be used to uniquely identify a Free Software license including a stable reference to the actual licenses. e.g. for the SGI Free Software License B, version 2.0 one would use the identifier "SGIFreeB" which can then be used to get a reference to the actual license in the Free Software Directory as: http://www.gnu.org/licenses/license-list.html#SGIFreeB (Note that Fedora currently just calls this "MIT") The advantage of the unique identifiers in the above license list is that there is no ambiguity. They eventually refer to the exact text of the license. Assuming that is what Fedora wants (which I am not sure of, it might be too much detail). Cheers, Mark

On Thu, Jul 9, 2015 at 12:15 PM, Haïkel <hguemar(a)fedoraproject.org&gt; wrote: Which is _exactly_ the problem Richard, Spot, and Adam have conveyed. SPDX and common opensource nomenclature do not match at all and switching to SPDX runs a very real risk of making things even more confusing. Haikel, you have said several times that you wanted the input of Fedora legal. You have gotten responses from both the main Fedora legal contact point (Spot) and an actual lawyer (Richard, whom would likely advise that he is not giving legal advice) that making this change would not be beneficial. I suggest we lean on their expertise and let this idea go. josh

On 9 July 2015 at 13:24, Richard Fontana <rfontana(a)redhat.com&gt; wrote: AppStream uses it[1], and also tries to map the Fedora licences to SPDX forms[2], with a limited amount of success. We use it to show a clickable link in gnome-software. Richard. [1] http://www.freedesktop.org/software/appstream/docs/chap-Metadata.html#sec... [2] https://github.com/hughsie/appstream-glib/blob/master/libappstream-builde...