Hello,
during a package review I came across this License tag (simplified):
License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both units are built into a single binary if that makes a difference.)
Do I change that to:
License: (Apache-2.0 OR MIT) AND BSD-3-Clause
Or not?
I know that we are not supposed to calculate "effective license", but in my head they both mean the exact same thing.
On Tue, Apr 4, 2023 at 10:55 AM Miro Hrončok mhroncok@redhat.com wrote:
> Hello,
> during a package review I came across this License tag (simplified):
> License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
> Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both units are built into a single binary if that makes a difference.)
> Do I change that to:
> License: (Apache-2.0 OR MIT) AND BSD-3-Clause
> Or not?
> I know that we are not supposed to calculate "effective license", but in my head they both mean the exact same thing.
I guess this isn't explicitly addressed here: https://docs.fedoraproject.org/en-US/legal/license-field/
We do say:
"The license expression must reflect the disjunctive license choice even if one or both of the license identifiers in the OR expression also appear separately in the composite license expression." and "A single license identifier should only appear once in an "AND" expression regardless of how many distinct source or binary components the corresponding license covers for the relevant binary RPM." and also the example:
"Example: bar.rpm contains three executable utility programs. You’ve determined that two of them are each licensed under GPL version 2 only, while the third is licensed under the MIT license. The spec file would have:
License: GPL-2.0-only AND MIT
It would not be GPL-2.0-only AND GPL-2.0-only AND MIT, even though from an orthodox GPL interpretation standpoint there are two separate GPL-licensed "Programs" in this package."
I think the debatable decision not to attempt to reflect sub-RPM "units" is key.
So I think it follows from that that complex SPDX expressions should only appear once in a larger AND expression.
At any rate, I think that's what the rule should be, so in your case,
((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
should just be represented as
(Apache-2.0 OR MIT) AND BSD-3-Clause
However, I think something like this:
(Apache-2.0 OR MIT OR Unlicense) AND BSD-3-Clause AND (Apache-2.0 OR MIT)
would not "reduce" to
(Apache-2.0 OR MIT OR Unlicense) AND BSD-3-Clause
or
(Apache-2.0 OR MIT) AND BSD-3-Clause
because we are stubbornly adhering to the view that it is useful to reflect all disjunctive license expressions (if only because this was a convention in the Callaway system).
Note: we are making these policies up, since the SPDX spec (rightly) does not attempt to address any of it and outside of Fedora, uses of SPDX expressions for project/package license metadata are extremely primitive and unsophisticated at present, so there are no useful practices or conventions for Fedora to draw upon.
Richard
On 04. 04. 23 17:34, Richard Fontana wrote:
> On Tue, Apr 4, 2023 at 10:55 AM Miro Hrončok mhroncok@redhat.com wrote:
>> Hello,
>> during a package review I came across this License tag (simplified):
>> License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
>> Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both units are built into a single binary if that makes a difference.)
>> Do I change that to:
>> License: (Apache-2.0 OR MIT) AND BSD-3-Clause
>> Or not?
>> I know that we are not supposed to calculate "effective license", but in my head they both mean the exact same thing.
> I guess this isn't explicitly addressed here: https://docs.fedoraproject.org/en-US/legal/license-field/
> We do say:
...
> At any rate, I think that's what the rule should be, so in your case,
> ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
> should just be represented as
> (Apache-2.0 OR MIT) AND BSD-3-Clause
That was my understanding/opinion as well.
> However, I think something like this:
> (Apache-2.0 OR MIT OR Unlicense) AND BSD-3-Clause AND (Apache-2.0 OR MIT)
> would not "reduce" to
> (Apache-2.0 OR MIT OR Unlicense) AND BSD-3-Clause
> or
> (Apache-2.0 OR MIT) AND BSD-3-Clause
> because we are stubbornly adhering to the view that it is useful to reflect all disjunctive license expressions (if only because this was a convention in the Callaway system).
Same here.
> Note: we are making these policies up, since the SPDX spec (rightly) does not attempt to address any of it and outside of Fedora, uses of SPDX expressions for project/package license metadata are extremely primitive and unsophisticated at present, so there are no useful practices or conventions for Fedora to draw upon.
Understood.
Thanks,
On 04. 04. 23 16:55, Miro Hrončok wrote:
> Hello,
> during a package review I came across this License tag (simplified):
> License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
> Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both units are built into a single binary if that makes a difference.)
> Do I change that to:
> License: (Apache-2.0 OR MIT) AND BSD-3-Clause
> Or not?
> I know that we are not supposed to calculate "effective license", but in my head they both mean the exact same thing.
For clarity, this is the actual case:
https://git.sr.ht/~gotmax23/fedora-python-orjson/tree/b823cdba3e42ea2d7b0493...
License: (Apache-2.0 OR MIT) AND (Apache-2.0 OR BSL-1.0) AND ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND Apache-2.0
I suggested to turn it into:
License: (Apache-2.0 OR MIT) AND (Apache-2.0 OR BSL-1.0) AND BSD-3-Clause AND Apache-2.0
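The reduction discussed in this thread, as an added example that is not part of any message and is not Fedora tooling: nested AND groups are flattened, each distinct operand is kept once, and differing OR groups are left alone. The names `parse`, `key`, `dedupe`, `render` and `reduce_license` are hypothetical; the sketch assumes operand order inside a group is not significant and does not handle the SPDX `WITH` operator.

```python
import re
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def parse(expr):  # leaves: identifier strings; inner nodes: (op, [children])
    tokens = TOKEN.findall(expr) + [None]  # None marks end of input
    def atom():
        tok = tokens.pop(0)
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok != "(":
            return tok
        node = chain("OR")
        if tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    def chain(op):  # OR is the loosest operator, AND binds tighter
        operand = (lambda: chain("AND")) if op == "OR" else atom
        items = [operand()]
        while tokens[0] == op:
            tokens.pop(0)
            items.append(operand())
        return items[0] if len(items) == 1 else (op, items)
    tree = chain("OR")
    if tokens != [None]:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return tree

def key(node):  # assumption: operand order inside a group is not significant
    return node if isinstance(node, str) else (node[0], frozenset(map(key, node[1])))

def dedupe(node):
    """Flatten nested ANDs, keep each distinct operand once, leave OR groups whole."""
    if isinstance(node, str) or node[0] == "OR":
        return node
    flat = {}  # insertion-ordered: the first occurrence of each operand wins
    for item in map(dedupe, node[1]):
        for sub in (item[1] if isinstance(item, tuple) and item[0] == "AND" else [item]):
            flat.setdefault(key(sub), sub)
    items = list(flat.values())
    return items[0] if len(items) == 1 else ("AND", items)

def render(node, top=True):
    if isinstance(node, str):
        return node
    text = f" {node[0]} ".join(render(i, False) for i in node[1])
    return text if top else f"({text})"

def reduce_license(expr):
    return render(dedupe(parse(expr)))
```

Run over the License tags quoted in the thread, `reduce_license` collapses the repeated `(Apache-2.0 OR MIT)` group and leaves the `Unlicense` variant untouched.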