I'm doing a review for miopen [1][2] and I'm hitting an issue with the license file(s) that I'm not sure how to handle. I suspect that this isn't a unique situation so I'm asking here.
The upstream is distributed as MIT but contains a few files which have additional or different licenses. Two files include BSD-2-Clause, two files include Apache-2.0 and one is Public Domain. The upstream project includes a LICENSE.txt file which only contains the MIT license.
As I understand packaging policy, we're only supposed to include license text which is present upstream. If the package only includes the LICENSE.txt file with the binaries, that's missing the BSD and Apache licenses.
I'm unclear on how this is supposed to be handled. Can't we just include the text from the files with non-MIT licenses in a separate file or by appending them to the end of upstream's LICENSE.txt? We could ask upstream to include the BSD-2-Clause and Apache-2.0 text in their LICENSE file but this seems like something that's not really their problem. They're not distributing binaries, they're distributing the copyright notice with the individual files.
Does anyone have knowledge on how situations like this have been handled in the past?
Thanks,
Tim
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2261201 [2] https://github.com/ROCm/MIOpen
Hi,
Tim Flink tflink@fedoraproject.org writes:
The upstream is distributed as MIT but contains a few files which have additional or different licenses. Two files include BSD-2-Clause, two files include Apache-2.0 and one is Public Domain. The upstream project includes a LICENSE.txt file which only contains the MIT license.
I have a similar scenario with some of my packages. What I do is mark all the LICENSE.txt files that upstream includes as %license and leave it at that. I don't create/modify/update any existing upstream files.
The other licenses (which aren't listed in LICENSE.txt), I list them in spec file using the License tag.
In your case, that would be using something like:
License: MIT and BSD-2-Clause and Apache-2.0 and LicenseRef-Fedora-Public-Domain
(And please add the public domain text to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-domai...)
Someone please correct me if this is wrong.
Cheers, Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
On 15/02/2024 23:57, Omair Majid wrote:
Tim Flink tflink@fedoraproject.org writes:
The upstream is distributed as MIT but contains a few files which have additional or different licenses. Two files include BSD-2-Clause, two files include Apache-2.0 and one is Public Domain. The upstream project includes a LICENSE.txt file which only contains the MIT license.
I have a similar scenario with some of my packages. What I do is mark all the LICENSE.txt files that upstream includes as %license and leave it at that. I don't create/modify/update any existing upstream files.
The other licenses (which aren't listed in LICENSE.txt), I list them in spec file using the License tag.
In your case, that would be using something like:
License: MIT and BSD-2-Clause and Apache-2.0 and LicenseRef-Fedora-Public-Domain
(And please add the public domain text to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-domai...)
Someone please correct me if this is wrong.
It's wrong for licenses like Apache which require that the full text is included. The guidelines explain what is needed:
https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuideline...
Tom
On 2/15/24 17:26, Tom Hughes wrote:
On 15/02/2024 23:57, Omair Majid wrote:
Tim Flink tflink@fedoraproject.org writes:
The upstream is distributed as MIT but contains a few files which have additional or different licenses. Two files include BSD-2-Clause, two files include Apache-2.0 and one is Public Domain. The upstream project includes a LICENSE.txt file which only contains the MIT license.
I have a similar scenario with some of my packages. What I do is mark all the LICENSE.txt files that upstream includes as %license and leave it at that. I don't create/modify/update any existing upstream files.
The other licenses (which aren't listed in LICENSE.txt), I list them in spec file using the License tag.
In your case, that would be using something like:
License: MIT and BSD-2-Clause and Apache-2.0 and LicenseRef-Fedora-Public-Domain
(And please add the public domain text to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-domai...)
Someone please correct me if this is wrong.
It's wrong for licenses like Apache which require that the full text is included. The guidelines explain what is needed:
https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuideline...
This topic is touched on, yes but I also think this exact situation is a bit of a gap in what's covered there.
As I read the guidelines, there are two situations covered: 1. All applicable licenses are in the LICENSE file(s) from upstream 2. No (complete) LICENSE file is provided, no complete license text is provided and getting the license text added upstream is not an option (upstream is unwilling, unresponsive etc.)
In this specific case, the license text is included in the affected files, so it's not a case of upstream just mentioning a license in the README or something like that.
I'm wondering whether extracting the license text from source files and either putting that text into an additional LICENSE file or appending them to upstream's LICENSE file is seen as an acceptable alternative as we would be using upstream's text, just moving it around a bit and not taking a potentially different source (copying from SPDX, osi et. al).
Tim
On Thu, Feb 15, 2024 at 9:24 PM Tim Flink tflink@fedoraproject.org wrote:
On 2/15/24 17:26, Tom Hughes wrote:
On 15/02/2024 23:57, Omair Majid wrote:
Tim Flink tflink@fedoraproject.org writes:
The upstream is distributed as MIT but contains a few files which have additional or different licenses. Two files include BSD-2-Clause, two files include Apache-2.0 and one is Public Domain. The upstream project includes a LICENSE.txt file which only contains the MIT license.
I have a similar scenario with some of my packages. What I do is mark all the LICENSE.txt files that upstream includes as %license and leave it at that. I don't create/modify/update any existing upstream files.
The other licenses (which aren't listed in LICENSE.txt), I list them in spec file using the License tag.
In your case, that would be using something like:
License: MIT and BSD-2-Clause and Apache-2.0 and LicenseRef-Fedora-Public-Domain
(And please add the public domain text to https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-domai...)
Someone please correct me if this is wrong.
It's wrong for licenses like Apache which require that the full text is included. The guidelines explain what is needed:
https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuideline...
This topic is touched on, yes but I also think this exact situation is a bit of a gap in what's covered there.
As I read the guidelines, there are two situations covered:
- All applicable licenses are in the LICENSE file(s) from upstream
- No (complete) LICENSE file is provided, no complete license text is provided and getting the license text added upstream is not an option (upstream is unwilling, unresponsive etc.)
In this specific case, the license text is included in the affected files, so it's not a case of upstream just mentioning a license in the README or something like that.
I'm wondering whether extracting the license text from source files and either putting that text into an additional LICENSE file or appending them to upstream's LICENSE file is seen as an acceptable alternative as we would be using upstream's text, just moving it around a bit and not taking a potentially different source (copying from SPDX, osi et. al).
Not sure if these comments are helpful: The Fedora policy on inclusion of license files is in tension with the policy on License tags. This was true before as well as after the adoption of SPDX identifiers in favor of Callaway license abbreviations. We (the people who worked on revising the Fedora legal documentation substantially beginning in summer 2022) deliberately did not touch the stuff on inclusion of license files, because frankly we couldn't figure out what to do. The traditional policy doesn't really make much sense, but there isn't any other approach that's clearly better.
Anyway, it is very common for a project to have a LICENSE file that does not have all of the licenses that apply to all of the source code. As far as I understand the Fedora policy on license file inclusion, it's something like "if it's in something that looks like a LICENSE or COPYING file, include it; if there's *no* such global file, copy some relevant license text from a source file; if there's no relevant license text in a source file and it's clear what the license is supposed to be, try to get the upstream project to add a license file" (and/or add the license file yourself). I may have some of that wrong.
Eventually we are going to want to revise this policy because the existing policy is so hard to justify but I have no idea what the revised policy ought to be. I have actually suggested not having any license files in binary RPMs, on the grounds that all the licenses ought to be in the source code, but a colleague of mine seemed to feel that was a bit radical.
Richard
On Thu, Feb 15, 2024 at 2:06 PM Tim Flink tflink@fedoraproject.org wrote:
Does anyone have knowledge on how situations like this have been handled in the past?
I know in the past at least some packagers have submitted requests to upstream to include the additional license texts but I don't know if that was a general policy.
-Toshio
Dne 16. 02. 24 v 1:21 Toshio Kuratomi napsal(a):
On Thu, Feb 15, 2024 at 2:06 PM Tim Flink tflink@fedoraproject.org wrote:
Does anyone have knowledge on how situations like this have been handled in the past?
I know in the past at least some packagers have submitted requests to upstream to include the additional license texts but I don't know if that was a general policy.
This IMHO is the right answer and there is also this guideline part of review guidelines [1]:
~~~
SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
~~~
IOW I believe that license tag should be always the source of truth and the rest needs to be clarified with upstream, but it is not blocker.
Vít
[1]: https://docs.fedoraproject.org/en-US/packaging-guidelines/ReviewGuidelines/#...
packaging@lists.fedoraproject.org