On Thu, Sep 7, 2023 at 11:35 AM Daniel P. Berrangé <berrange(a)redhat.com> wrote:
Does anyone have feedback on this license review question?
On Tue, Aug 29, 2023 at 12:11:38PM +0100, Daniel P. Berrangé wrote:
> Hi Legal
> The 'sgx-sdk' package is currently open for review with a view to
> adding to Fedora:
> One of the last stumbling blocks is that it includes a copy of the
> "dlmalloc" code under the CC0 license, which is now a forbidden
> code license for packages being newly added to Fedora.
> The authors of sgx-sdk have contacted the original author of
> dlmalloc, and he apparently suggested that since CC0 is a public
> domain license, they can just add a second license header of their
> choosing to the source files and Fedora can then ignore the original
> CC0 license.
> This smells fishy to me, as I can't come up with a rationale for why
> adding a second "BSD" license header to the source file would justify
> Fedora ignoring the original CC0. The original code would still
> explicitly not have a patent grant, and an extra license doesn't
> seem to alter that fact.
> It was pointed out that this approach has already been taken by
> OpenJDK, where they took CC0 code and added a GPL-v2-only header:
> OpenJDK though would be grandfathered in, since it existed in
> Fedora before CC0 was forbidden, so I'm not sure that can be
> relied on as a precedent.
> I am not a lawyer, so I want an expert opinion on this suggestion
> that adding a 2nd license header allows Fedora to ignore the
> original CC0 license. If it is true, then it would appear to
> make the whole exercise of banning CC0 effectively pointless.
Yes, I agree. If this happened upstream and we were unaware of it,
that would be one thing, but this is not the case.
This 'trick' has been suggested before. Aside from the policy issue,
it's actually not clear that CC0 allows this because CC0 contains a
clause prohibiting sublicensing which AFAIK is in all the CC licenses
(though possibly its inclusion in CC0 is a bug).
I had the impression previously that Doug Lea didn't mean to use CC0
in a serious sense and that he was just recharacterizing an earlier
public domain dedication release, but I guess that might not be right.
However, if earlier versions of this code were under CC-PDDC or a more
informal public domain dedication, it may be that the quantum of stuff
actually under CC0 is fairly minimal.