Although I haven’t signed up to do the official review, I was looking at python-meshio[1], and I found that it contains a function substantially derived from a StackOverflow answer[2]. While I’m impressed that upstream cared enough to give credit, this leaves me with a question.
Normally I would suggest that, to be strictly correct, the license of the copied-and-modified snippet should be added to the package’s License expression. But all answers on StackOverflow are, depending on when they are posted[3], licensed CC-BY-SA-2.5, CC-BY-SA-3.0, or CC-BY-SA-4.0. In this case, the applicable license is CC-BY-SA-3.0[4].
All of these licenses are listed as allowed in Fedora for content, but not for code. Strictly speaking, then, this appears to be code under a not-allowed-for-code license. At the same time, it is hard to believe that prohibiting packages containing snippets from StackOverflow would be an intended outcome.
Since code copied or heavily inspired by StackOverflow answers is extremely widespread, and the only thing that is perhaps unusual here is that proper attribution is present, I’m curious how cases like this *ought* to be handled.
– Ben Beasley (FAS: music)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2283539
[2] https://github.com/nschloe/meshio/blob/b2ee99842e119901349fdeee06b5bf61e01f4...
On Thu, Aug 1, 2024 at 4:18 PM Ben Beasley <code@musicinmybrain.net> wrote:
> Although I haven’t signed up to do the official review, I was looking at python-meshio[1], and I found that it contains a function substantially derived from a StackOverflow answer[2]. While I’m impressed that upstream cared enough to give credit, this leaves me with a question.
> Normally I would suggest that, to be strictly correct, the license of the copied-and-modified snippet should be added to the package’s License expression. But all answers on StackOverflow are, depending on when they are posted[3], licensed CC-BY-SA-2.5, CC-BY-SA-3.0, or CC-BY-SA-4.0. In this case, the applicable license is CC-BY-SA-3.0[4].
> All of these licenses are listed as allowed in Fedora for content, but not for code. Strictly speaking, then, this appears to be code under a not-allowed-for-code license. At the same time, it is hard to believe that prohibiting packages containing snippets from StackOverflow would be an intended outcome.
> Since code copied or heavily inspired by StackOverflow answers is extremely widespread, and the only thing that is perhaps unusual here is that proper attribution is present, I’m curious how cases like this *ought* to be handled.
This situation has come up before. I think there was at least one like it involving dotnet.
While we shouldn't attempt to uncover hypothetical undisclosed derivatives of StackOverflow snippets, in the rare cases where there is an attempt to provide attribution etc., we need to review them, not only because Fedora has a longstanding policy not allowing (otherwise allowable) Creative Commons licenses for 'code', but also because in the typical (rare) case there will be some sort of potential license compliance issue.
In this case, though, while I see how the meshio function has some similarities to the cited StackOverflow code, I don't think the distinctive elements of each are quite close enough that I would conclude there is a license compliance issue. Therefore the StackOverflow license issue should not be relevant.
Richard
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2283539
[2] https://github.com/nschloe/meshio/blob/b2ee99842e119901349fdeee06b5bf61e01f4...
[3] https://stackoverflow.com/help/licensing
[4] https://stackoverflow.com/posts/8964779/timeline
Hey,
Ben Beasley <code@musicinmybrain.net> writes:
> Although I haven’t signed up to do the official review, I was looking at python-meshio[1], and I found that it contains a function substantially derived from a StackOverflow answer[2]. While I’m impressed that upstream cared enough to give credit, this leaves me with a question.
> Normally I would suggest that, to be strictly correct, the license of the copied-and-modified snippet should be added to the package’s License expression. But all answers on StackOverflow are, depending on when they are posted[3], licensed CC-BY-SA-2.5, CC-BY-SA-3.0, or CC-BY-SA-4.0. In this case, the applicable license is CC-BY-SA-3.0[4].
> All of these licenses are listed as allowed in Fedora for content, but not for code. Strictly speaking, then, this appears to be code under a not-allowed-for-code license. At the same time, it is hard to believe that prohibiting packages containing snippets from StackOverflow would be an intended outcome.
> Since code copied or heavily inspired by StackOverflow answers is extremely widespread, and the only thing that is perhaps unusual here is that proper attribution is present, I’m curious how cases like this *ought* to be handled.
I had a similar question and got some specific advice at: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/104
I think this is the relevant bit for your question:
""" I do not think Fedora should take any position on the presence of a SO-referencing snippet that doesn't refer to CC BY-SA (except maybe in some extreme case).
...
If you encounter other cases [in code] where there's a reference to SO along with a reference to CC BY-SA, let us know. """
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0