As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is needed for its code generation. Therefore, I would like to package it in Fedora. This package has complex licensing which is why I am asking for a review. Note that I only need the "xsdlib" subdirectory.
I only need a stripped-down version of this package as if by downloading: https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
and running (inside the msv-msv-2022.7 directory):
find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} + rm -rf xsdlib/src/main/resources rm -rf xsdlib/src/test grep -l -r --ignore-case 'proprietary' | xargs rm -v
Most problematic license files are: copyright.txt and license.txt in https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, all files that remained use explicit BSD-3-Clause or Apache-1.1. Question is whether we could have removed the copyright.txt and license.txt files in the first place.
Current upstream: https://github.com/xmlark/msv Previous package in Fedora (used different source repository): https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 Previous bug related to licensing: https://bugzilla.redhat.com/show_bug.cgi?id=87684
Also grep --ignore-case for "proprietary" "confidential", "nuclear".
On Tue, Aug 8, 2023 at 9:00 AM Marián Konček mkoncek@redhat.com wrote:
As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is needed for its code generation. Therefore, I would like to package it in Fedora. This package has complex licensing which is why I am asking for a review. Note that I only need the "xsdlib" subdirectory.
I only need a stripped-down version of this package as if by downloading: https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
and running (inside the msv-msv-2022.7 directory):
find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} + rm -rf xsdlib/src/main/resources rm -rf xsdlib/src/test grep -l -r --ignore-case 'proprietary' | xargs rm -v
Most problematic license files are: copyright.txt and license.txt in https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, all files that remained use explicit BSD-3-Clause or Apache-1.1. Question is whether we could have removed the copyright.txt and license.txt files in the first place.
Current upstream: https://github.com/xmlark/msv Previous package in Fedora (used different source repository): https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 Previous bug related to licensing: https://bugzilla.redhat.com/show_bug.cgi?id=87684
Also grep --ignore-case for "proprietary" "confidential", "nuclear".
Can you create a package just from that subset of the xsdlib directory as you indicated above?
In those files, what I saw on a quick review was:
- pom.xml : there's a Sun BSD license that is probably OK for Fedora but does not seem to match any known variant. (It's tempting to just ignore this but since it's probably OK we might as well add it.)
- Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause, but there was one for which SPDX would need to revise the markup, I think ( xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java)
- The Apache 1.1 license appearing on a number of source files does not quite match SPDX Apache-1.1, would require SPDX revision to the Apache-1.1 markup
So these seem fairly nonproblematic but it would be helpful if you could create issues for these in fedora-license-data and then at github.com/spdx/license-list-XML.
But if you need to package any of the other stuff in this repository that may complicate things further.
Richard
As for https://github.com/xmlark/msv/blob/main/docs/xsdlib/copyright.txt I think this should be ignored.
On Tue, Aug 8, 2023 at 2:24 PM Richard Fontana rfontana@redhat.com wrote:
On Tue, Aug 8, 2023 at 9:00 AM Marián Konček mkoncek@redhat.com wrote:
As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is needed for its code generation. Therefore, I would like to package it in Fedora. This package has complex licensing which is why I am asking for a review. Note that I only need the "xsdlib" subdirectory.
I only need a stripped-down version of this package as if by downloading: https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
and running (inside the msv-msv-2022.7 directory):
find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} + rm -rf xsdlib/src/main/resources rm -rf xsdlib/src/test grep -l -r --ignore-case 'proprietary' | xargs rm -v
Most problematic license files are: copyright.txt and license.txt in https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, all files that remained use explicit BSD-3-Clause or Apache-1.1. Question is whether we could have removed the copyright.txt and license.txt files in the first place.
Current upstream: https://github.com/xmlark/msv Previous package in Fedora (used different source repository): https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 Previous bug related to licensing: https://bugzilla.redhat.com/show_bug.cgi?id=87684
Also grep --ignore-case for "proprietary" "confidential", "nuclear".
Can you create a package just from that subset of the xsdlib directory as you indicated above?
In those files, what I saw on a quick review was:
- pom.xml : there's a Sun BSD license that is probably OK for Fedora
but does not seem to match any known variant. (It's tempting to just ignore this but since it's probably OK we might as well add it.)
- Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause,
but there was one for which SPDX would need to revise the markup, I think ( xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java)
- The Apache 1.1 license appearing on a number of source files does
not quite match SPDX Apache-1.1, would require SPDX revision to the Apache-1.1 markup
So these seem fairly nonproblematic but it would be helpful if you could create issues for these in fedora-license-data and then at github.com/spdx/license-list-XML.
But if you need to package any of the other stuff in this repository that may complicate things further.
Richard
Yes, I would like to package only that part.
Does license review need to be done before or after submitting a package review in Bugzilla?
Regarding opening issues on fedora / spdx: * one part is about adding / not adding Oracle / Sun's variant of BSD-3-Clause * the other is about accepting differently formatted Apache-1.1?
Does formatting matter to SPDX?
On 8. 8. 2023 20:24, Richard Fontana wrote:
On Tue, Aug 8, 2023 at 9:00 AM Marián Konček mkoncek@redhat.com wrote:
As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is needed for its code generation. Therefore, I would like to package it in Fedora. This package has complex licensing which is why I am asking for a review. Note that I only need the "xsdlib" subdirectory.
I only need a stripped-down version of this package as if by downloading: https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
and running (inside the msv-msv-2022.7 directory):
find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} + rm -rf xsdlib/src/main/resources rm -rf xsdlib/src/test grep -l -r --ignore-case 'proprietary' | xargs rm -v
Most problematic license files are: copyright.txt and license.txt in https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, all files that remained use explicit BSD-3-Clause or Apache-1.1. Question is whether we could have removed the copyright.txt and license.txt files in the first place.
Current upstream: https://github.com/xmlark/msv Previous package in Fedora (used different source repository): https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 Previous bug related to licensing: https://bugzilla.redhat.com/show_bug.cgi?id=87684
Also grep --ignore-case for "proprietary" "confidential", "nuclear".
Can you create a package just from that subset of the xsdlib directory as you indicated above?
In those files, what I saw on a quick review was:
- pom.xml : there's a Sun BSD license that is probably OK for Fedora
but does not seem to match any known variant. (It's tempting to just ignore this but since it's probably OK we might as well add it.)
- Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause,
but there was one for which SPDX would need to revise the markup, I think ( xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java)
- The Apache 1.1 license appearing on a number of source files does
not quite match SPDX Apache-1.1, would require SPDX revision to the Apache-1.1 markup
So these seem fairly nonproblematic but it would be helpful if you could create issues for these in fedora-license-data and then at github.com/spdx/license-list-XML.
But if you need to package any of the other stuff in this repository that may complicate things further.
Richard
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2230450
On 9. 8. 2023 13:35, Marián Konček wrote:
Yes, I would like to package only that part.
Does license review need to be done before or after submitting a package review in Bugzilla?
Regarding opening issues on fedora / spdx:
- one part is about adding / not adding Oracle / Sun's variant of
BSD-3-Clause
- the other is about accepting differently formatted Apache-1.1?
Does formatting matter to SPDX?
On 8. 8. 2023 20:24, Richard Fontana wrote:
On Tue, Aug 8, 2023 at 9:00 AM Marián Konček mkoncek@redhat.com wrote:
As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is needed for its code generation. Therefore, I would like to package it in Fedora. This package has complex licensing which is why I am asking for a review. Note that I only need the "xsdlib" subdirectory.
I only need a stripped-down version of this package as if by downloading: https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
and running (inside the msv-msv-2022.7 directory):
find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} + rm -rf xsdlib/src/main/resources rm -rf xsdlib/src/test grep -l -r --ignore-case 'proprietary' | xargs rm -v
Most problematic license files are: copyright.txt and license.txt in https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, all files that remained use explicit BSD-3-Clause or Apache-1.1. Question is whether we could have removed the copyright.txt and license.txt files in the first place.
Current upstream: https://github.com/xmlark/msv Previous package in Fedora (used different source repository): https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 Previous bug related to licensing: https://bugzilla.redhat.com/show_bug.cgi?id=87684
Also grep --ignore-case for "proprietary" "confidential", "nuclear".
Can you create a package just from that subset of the xsdlib directory as you indicated above?
In those files, what I saw on a quick review was:
- pom.xml : there's a Sun BSD license that is probably OK for Fedora
but does not seem to match any known variant. (It's tempting to just ignore this but since it's probably OK we might as well add it.)
- Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause,
but there was one for which SPDX would need to revise the markup, I think ( xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java)
- The Apache 1.1 license appearing on a number of source files does
not quite match SPDX Apache-1.1, would require SPDX revision to the Apache-1.1 markup
So these seem fairly nonproblematic but it would be helpful if you could create issues for these in fedora-license-data and then at github.com/spdx/license-list-XML.
But if you need to package any of the other stuff in this repository that may complicate things further.
Richard
On Wed, Aug 9, 2023 at 7:35 AM Marián Konček mkoncek@redhat.com wrote:
Yes, I would like to package only that part.
Does license review need to be done before or after submitting a package review in Bugzilla?
I don't think we (Fedora Legal people) care about that in general (unless there's some specific reason to think that a package wouldn't be allowed in Fedora for some non-license-related reason).
Regarding opening issues on fedora / spdx:
- one part is about adding / not adding Oracle / Sun's variant of
BSD-3-Clause
- the other is about accepting differently formatted Apache-1.1?
Does formatting matter to SPDX?
I have lost track of this but I think the issue was not formatting but some of the language of the Apache Software License 1.1 variant did not match the SPDX identifier. In general, formatting is irrelevant.
Richard
On 8. 8. 2023 20:24, Richard Fontana wrote:
On Tue, Aug 8, 2023 at 9:00 AM Marián Konček mkoncek@redhat.com wrote:
As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is needed for its code generation. Therefore, I would like to package it in Fedora. This package has complex licensing which is why I am asking for a review. Note that I only need the "xsdlib" subdirectory.
I only need a stripped-down version of this package as if by downloading: https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
and running (inside the msv-msv-2022.7 directory):
find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} + rm -rf xsdlib/src/main/resources rm -rf xsdlib/src/test grep -l -r --ignore-case 'proprietary' | xargs rm -v
Most problematic license files are: copyright.txt and license.txt in https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, all files that remained use explicit BSD-3-Clause or Apache-1.1. Question is whether we could have removed the copyright.txt and license.txt files in the first place.
Current upstream: https://github.com/xmlark/msv Previous package in Fedora (used different source repository): https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 Previous bug related to licensing: https://bugzilla.redhat.com/show_bug.cgi?id=87684
Also grep --ignore-case for "proprietary" "confidential", "nuclear".
Can you create a package just from that subset of the xsdlib directory as you indicated above?
In those files, what I saw on a quick review was:
- pom.xml : there's a Sun BSD license that is probably OK for Fedora
but does not seem to match any known variant. (It's tempting to just ignore this but since it's probably OK we might as well add it.)
- Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause,
but there was one for which SPDX would need to revise the markup, I think ( xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java)
- The Apache 1.1 license appearing on a number of source files does
not quite match SPDX Apache-1.1, would require SPDX revision to the Apache-1.1 markup
So these seem fairly nonproblematic but it would be helpful if you could create issues for these in fedora-license-data and then at github.com/spdx/license-list-XML.
But if you need to package any of the other stuff in this repository that may complicate things further.
Richard
-- Marián Konček _______________________________________________ legal mailing list -- legal@lists.fedoraproject.org To unsubscribe send an email to legal-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-
Marián Konček -
Richard Fontana