-------- Forwarded Message --------
Subject: SPDX Statistics - 305 packages remaining
Date: Fri, 22 Nov 2024 08:24:46 +0100
From: Miroslav Suchý msuchy@redhat.com
Organization: Red Hat Czech, s.r.o.
To: Development discussions related to Fedora devel@lists.fedoraproject.org
Hot news:
- I walked through all packages with "Public Domain" license. For all such packages I identified the public domain dedication and added it to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-domai... Richard F. did the review and I opened PRs for such packages to change the license to LicenseRef-Fedora-Public-Domain. There are about 30 PRs waiting to be merged. In several cases I had to open an issue as the public domain dedication is not easy and has some sort of problem.
- Unfortunately in several cases, the evaluation of dedication (either public domain or "Redistributable") was found as not good enough. I.e. the license is not allowed. Several packages have already been retired in Fedora Linux because of that. You can track it here: https://bugzilla.redhat.com/show_bug.cgi?id=2310597
- I started walking through "Redistributable, no modification permitted" that is usually used in firmware packages. It is a much smaller set of packages compared to the Public Domain set. I should have it done by the next report. But the analysis is much harder.
- Sometimes you used a deprecated license ID in the License tag https://spdx.github.io/spdx-spec/v2.3/SPDX-license-list/#a3-deprecated-licen... Note that while we usually abbreviate the communication to "you must use an SPDX ID", there is a silent part: "and approved for usage in Fedora Linux". I.e. such an ID must be in fedora-license-data. And these deprecated IDs are not there (and never will be).
- We have 59 open issues for fedora-license-data https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?sort=updated_d... From past experience, you should expect that it will take about 3 months to process all these issues.
- For most packages the license change is "just" committed to dist-git. The change in the binary RPM will be visible after the next mass rebuild (scheduled for 2025-01-15).
Two weeks ago we had:
* 24311 spec files in Fedora
* 30967 license tags in all spec files
* 360 tags are not SPDX compliant (number from line below minus packages with LicenseRef-Callaway-*)
* 2658 tags have not been converted to SPDX yet
* 86 tags can be trivially converted using `license-fedora2spdx`
* Progress: 98.84% ░░░░░░░░░█100%
ELN subset:
68 out of 2310 packages are not converted yet (progress 97.06%)
Today we have:
* 24340 spec files in Fedora
* 30993 license tags in all spec files
* 305 tags are not SPDX compliant (number from line below minus packages with LicenseRef-Callaway-*)
* 2587 tags have not been converted to SPDX yet
* 56 tags can be trivially converted using `license-fedora2spdx`
* Progress: 99.02% ░░░░░░░░░█100%
ELN subset:
62 out of 2313 packages are not converted yet (progress 97.32%)
Graph of these data with the burndown chart:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807rp...
The list of packages needed to be converted is here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-fi...
The list by package maintainers is here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-fi...
Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 59 packages:
https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-pa...
Most of such packages have an open issue in fedora-license-data. A lot of them are waiting for SPDX to approve the license and assign an ID.
A new version of fedora-license-data has been released. With:
7 new licenses and lots of public domain dedications and several firmware licenses
12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data)
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B%...
Legal docs and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
were updated too.
New projection when we will be finished is 2024-11-30 (+13 days from last report). Pure linear approximation. This information no longer makes sense. Most of the packages are already SPDX compliant and for most of the remaining packages we have an open issue that will take weeks/months to be resolved. I will remove this prediction from future reports.
If your package has neither a git-log entry nor a spec-changelog entry mentioning SPDX and you know your license tag matches the SPDX formula, you can put your package on the ignore list:
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either a pull request or a direct email to me is fine.
Miroslav