Auditing the augeas project source file licenses I found a handful of files where the license was not specified sufficiently clearly. I've raised this upstream:
https://github.com/hercules-team/augeas/issues/816
For the unspecified BSD variant the original author has already confirmed they're ok with BSD-2-Clause which solves that case, but I'm doubtful they'll resolve everything in a sufficiently fast timeframe for Fedora's SPDX conversion.
In a few of the cases which say "LGPL" or "LGPLv2+" without an exact version, I'm fairly comfortable assuming the intent was to match the augeas overall license which was LGPL-2.1-or-later.
For the files which merely say:
This file is licensed under the GPL.
I'm not sure what the best practice is ? Can I justify "GPL-1.0-or-later" in the Fedora spec on the basis that the non-version specific declaration in the source could legitimately cover any GPL version ?
With regards, Daniel
On Mon, Sep 18, 2023 at 2:16 PM Daniel P. Berrangé berrange@redhat.com wrote:
Auditing the augeas project source file licenses I found a handful of files where the license was not specified sufficiently clearly. I've raised this upstream:
[ . . . ]
For the files which merely say:
This file is licensed under the GPL.I'm not sure what the best practice is ? Can I justify "GPL-1.0-or-later" in the Fedora spec on the basis that the non-version specific declaration in the source could legitimately cover any GPL version ?
That seems to be the approach that the Linux kernel has generally taken in their conversion of source file license notices to SPDX-License-Identifier: strings. Obviously it's defensible on GPL interpretation grounds. I personally don't like it, among other reasons because I think in probably most of these cases the author must not have meant to encompass GPLv1 in the license grant, since GPLv1 became rapidly obsolete after the introduction of GPLv2 (unlike the situation with the introduction of GPLv3). This is pretty obvioiusly the case for the kernel, which did not adopt the GPL until (shortly) after the introduction of GPLv2 and which AFAIK always had a copy of GPLv2, but not GPLv1, in the source code. There might be some rare exceptions for GPL code copied into the kernel that originated with pre-Linux projects.
I also think it's a flaw in SPDX, or the application of SPDX identifiers anyway, that "any version of the GPL" is equated with "GPL version 1 or later", which I think subtly communicates somethint different, but I don't think I would succeed in convincing anyone of this.
Richard
Richard
On Mon, Sep 18, 2023 at 02:41:29PM -0400, Richard Fontana wrote:
On Mon, Sep 18, 2023 at 2:16 PM Daniel P. Berrangé berrange@redhat.com wrote:
Auditing the augeas project source file licenses I found a handful of files where the license was not specified sufficiently clearly. I've raised this upstream:
[ . . . ]
For the files which merely say:
This file is licensed under the GPL.I'm not sure what the best practice is ? Can I justify "GPL-1.0-or-later" in the Fedora spec on the basis that the non-version specific declaration in the source could legitimately cover any GPL version ?
That seems to be the approach that the Linux kernel has generally taken in their conversion of source file license notices to SPDX-License-Identifier: strings. Obviously it's defensible on GPL interpretation grounds. I personally don't like it, among other reasons because I think in probably most of these cases the author must not have meant to encompass GPLv1 in the license grant, since GPLv1 became rapidly obsolete after the introduction of GPLv2 (unlike the situation with the introduction of GPLv3). This is pretty obvioiusly the case for the kernel, which did not adopt the GPL until (shortly) after the introduction of GPLv2 and which AFAIK always had a copy of GPLv2, but not GPLv1, in the source code. There might be some rare exceptions for GPL code copied into the kernel that originated with pre-Linux projects.
I do tend to agree with your thoughts wrt the GPLv1. I think in my whole career I've only come across individual files licensed under the GPLv1 a handful of times. With that in mind it would seem more natural to treat unspecified version as 2.0-or-later, given that will be the 99.99% common case. Ultimtely this is for the upstream project to resolve, if we indicate GPL-2.0-or-later in the Fedora spec we're not causing a license problem, just giving our best interpretation of the fuzzy situation.
With regards, Daniel
-
Daniel P. Berrangé -
Richard Fontana