On 2/6/24 02:06, Miroslav Suchý wrote:

Dne 06. 02. 24 v 5:52 Orion Poplawski napsal(a):

...

Could someone check my work here:

https://src.fedoraproject.org/fork/orion/rpms/ccache/tree/unbundle

If I need to list the remaining bundled code, I think I have:

# See LICENSE.adoc for licenses of bundled codes # blake3 is Apache-2.0 # minitrace.h is MIT # span.hpp is BSL-1.0 # url.cpp/hpp is MIT License:        GPL-3.0-or-later AND Apache-2.0 AND BSL-1.0 AND MIT

Thank you!

I see few more:

http://miroslav.suchy.cz/fedora/spdx-reports/ccache

Right, thanks for that. But the branch I posted has had some work unbundling a number of items.

But mainly I was looking for confirmation that I do need to list all of the licenses of all of the third_party code.

I think https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuideline... could be clearer on this point.

On 2/7/24 8:22 AM, Richard Fontana wrote:

On Wed, Feb 7, 2024 at 10:02 AM Orion Poplawski orion@nwra.com wrote:

...

But mainly I was looking for confirmation that I do need to list all of the licenses of all of the third_party code.

I think https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuideline... could be clearer on this point.

To be clear - this page was updated when we adopted SPDX identifiers and refers to the page that Richard mentions below for more details.

but yes, we are due for a review/refresh of all the licensing documentation now that some time has passed. On Richard and my to-do list!

That page is somewhat out of date relative to the legal documentation. The page https://docs.fedoraproject.org/en-US/legal/license-field/ was completely rewritten a few months ago though is still incomplete.

Richard

---

legal mailing list -- legal@lists.fedoraproject.org To unsubscribe send an email to legal-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Hi,

On Thu, 2024-02-08 at 10:43 +0100, Dominik 'Rathann' Mierzejewski wrote:

...

Right, thanks for that. But the branch I posted has had some work unbundling a number of items.

But mainly I was looking for confirmation that I do need to list all of the licenses of all of the third_party code.

I think https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuideline... could be clearer on this point.

One way of finding out which source files end up in the binary package is inspecting the corresponding -debugsource package. You could even install/extract its contents and run licensecheck on that tree.

Note that might both miss any sources embedded through build- dependencies and might have too many sources if you are using license tags for the binaries in each sub-packages since it bundles all sources for all binaries in all sub-packages. Using some elfutils tools you could get a more exact list using something like:

$ dnf install <sub-package> $ dnf builddep <sub-package> $ dnf debuginfo-install <sub-package>

$ for i in `rpm -ql <sub-package>`; \ do eu-elfclassify --elf --file $i; \ if [ $? -eq 0 ]; then eu-srcfiles --exec $i; fi; done | sort -u \ | xargs licensecheck --shortname-scheme spdx | cut -f2- -d: \ | sort -u | sed -z -e 's/\n / AND /g'

(A newer, not yet released, version of eu-srcfiles should also be able to create a zip file of all the sources gotten through debuginfod.fedoraproject.org, so you don't need to install the builddep and debuginfo locally.)

Cheers,

Mark