Kevin Kofler via devel wrote:
> Now you have to compare every word of the MIT license
> with the very similar templates such as MIT, MIT-CMU, MIT-feh, etc., and
> then figure out which one it actually is. If it is even one of these and not
> some random mix of several variants (one sentence from here, one sentence
> from there, …).
You're right. MIT/BSD License variants are a pain to deal with. In
practice, they are mostly equivalent, so having to identify is a burden
without a lot of benefit.
Currently, there are MIT variants such as the HPND that aren't even part
of the new license list, despite being explicitly listed on the old list
and being used by packages like libX11[1]. As that license is deprecated,
it's not likely to cause issues when importing new packages, but it is
still used by older packages. There are other examples of licenses
missing from the new list that are already blocking new packages[2].
[1]: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/1#note_96957...
[2]: https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/12#n...
> But that is how things work in practice. It is just impossible to read
> through every source file and scan for copied snippets. They can even appear
> in the middle of a file, with the license attached right there. So the
> packager and the reviewer will both check the COPYING/LICENSE/LICENCE file
> provided by upstream, then go exemplarily through a handful of source files to
> check that the copyright header and/or SPDX REUSE header matches that
> license, and then declare that as the one License.
This is onerous if you do it manually, but there are tools to make it a
bit easier. You can use scancode-toolkit or licensecheck to scan the
entire codebase. I believe the RH legal folks recommended the former at
some point, but licensecheck is used by fedora-review and actually
packaged in Fedora[^1]. The Legal docs recommend SPDX license-diff[3]
and [4] to see if a certain license text exists in SPDX.
[^1]: I wish luck to anyone who tries to package scancode.
There are quite a few unpackaged dependencies...
[3]: https://addons.mozilla.org/en-US/firefox/addon/spdx-license-diff/
[4]: https://tools.spdx.org/app/check_license/
--
Thanks,
Maxwell G (@gotmax23)
Pronouns: He/Him/His