On 01/16/2010 05:37 PM, Jason L Tibbitts III wrote: > I figured I'd start with this list and broaden to devel@ if people think > it's a good idea. > > In doing (very) many package reviews, I've found one of the most > time-consuming things to be doing a proper license review.  Even > something simple with, say, an LGPLv2+ notice can get complicated when a > single GPLv2 file sneaks in.  It's complicated enough that I suspect in > many cases license review just isn't being done.  Plus the complexities > of licensing coupled with the complexities of our packaging guidelines > really poses a high barrier for anyone wanting to do proper license > reviews. > > So I'm proposing that we separate the roles of the package reviewer from > the license reviewer, allowing someone who wants to concentrate on > licensing do participate in the review process without having to deal > with the complexities of the packaging guidelines (or even building the > software).  This isn't intended to preclude someone from taking a new > request and doing both packaging and licensing review, but simply to > allow folks to go through the existing reviews and indicate that they've > been checked for licensing issues so that someone could later go through > and review the packaging without having to struggle over the licensing. > > I propose to handle this with a simple entry in the whiteboard and a > comment by the reviewer.  I can add a report under > http://fedoraproject.org/PackageReviewStatus listing tickets which need > license review, and am prepared to write a utility to facilitate things > as much as possible.  When a license question comes up, FE-Legal would > be blocked just as it is now.  (Apologies to spot.)  I would ask for > help from others to document the license review process as much as > possible. > > I think in the end that with a dedicated team of folks doing license > checks, we can get the review process moving a bit quicker and cut down > on incidences of unwanted things leaking into the distro that have to be > cleaned up later. Seems reasonable. We might be able to do a FAD to train some people on looking at licenses to jump start this process. We might also consider deploying something like FOSSology (which I've had on my todo list for ages). Not as a replacement for this, but as an additional helper tool. http://fossology.org/

On 01/16/2010 05:55 PM, Luis Villa wrote: > Something like fossology seems like it would save everyone involved a > ton of time and pain; frankly, potentially enough that it would remove > most of the objections Jason has highlighted. Well, until I'm confident that fossology is thorough and accurate enough, I don't want to jump to conclusions.

>>>>> "LV" == Luis Villa <luis(a)tieguy.org&gt; writes: LV> I know lack of reviewers is already a serious bottleneck in the LV> process; would having a separate cadre of license reviewers mean LV> more delays? How could it possibly be so, unless a separate license review was somehow made a blocker to the process?

 That's not what's being proposed.  At worse, nobody would do separate license reviews and the regular package reviewers would continue as they do now.  At best, all packages would be checked for license issues before the regular package review happens, and package reviewers can avoid worrying about license issues.  Reality will probably be somewhere in between.  Any separate license review takes work off of the already far overworked package reviewers; I can't imagine how that could hurt.

I don't know how fossology works, but if there's any way I can automate calling it then I'll be happy to look into it.  Currently automation would be limited to a tool that would pick a ticket which needs license review, pull down the most recent posted srpm, unpack it and drop you into a shell to look around, and automatically updating bugzilla. Plenty of possibility to hang other tools off of that, except that I don't really know of any that could be run.