I'm sure I've seen discussion of this before, but I can't find it in the mailing list, and https://fedoraproject.org/wiki/Forbidden_items?rd=ForbiddenItems#MP3_Support doesn't spell it out.
The Squeak VM package in Fedora includes the upstream source code for MP3 support, but disables actually building it. Is that okay, or does the tarball need to be sanitized?
On Sun, 30 Sep 2012 16:56:21 -0400, Matthew Miller wrote:
> I'm sure I've seen discussion of this before, but I can't find it in the mailing list, and https://fedoraproject.org/wiki/Forbidden_items?rd=ForbiddenItems#MP3_Support doesn't spell it out.
> The Squeak VM package in Fedora includes the upstream source code for MP3 support, but disables actually building it. Is that okay, or does the tarball need to be sanitized?
https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohib...
On Mon, Oct 01, 2012 at 02:32:26AM +0200, Michael Schwendt wrote:
> > The Squeak VM package in Fedora includes the upstream source code for MP3 support, but disables actually building it. Is that okay, or does the tarball need to be sanitized?
> https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohib...
Right, I saw that, but it's not clear if MP3 falls under "not allowed to ship even as source code". If that's the case, shouldn't we just say so?
This: https://bugzilla.redhat.com/show_bug.cgi?id=247983 brings up a number of issues. But here, https://bugzilla.redhat.com/show_bug.cgi?id=481056#c5, Gavin notes that the licensing issues have been resolved. I hadn't looked at this deeply initially -- I'm just trying to get Scratch to work -- but now I wonder if it needs a second check. (For example, I see that the GPLv2+ code is still there.)
(There *is* now a Debian package, by the way, and it looks like they've done some investigation: http://packages.debian.org/changelogs/pool/main/s/squeak-vm/squeak-vm_4.4.7.... )
On Sun, Sep 30, 2012 at 10:20:15PM -0400, Matthew Miller wrote:
> > > The Squeak VM package in Fedora includes the upstream source code for MP3 support, but disables actually building it. Is that okay, or does the tarball need to be sanitized?
> > https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohib...
> Right, I saw that, but it's not clear if MP3 falls under "not allowed to ship even as source code". If that's the case, shouldn't we just say so?
Oh, cool -- just got a message from upstream noting that there is an mp3-free source tarball at
http://squeakvm.org/unix/release/Squeak-4.10.2.2614-src-no-mp3.tar.gz
which at least resolves that issue.
On Sun, 30 Sep 2012 22:20:15 -0400, Matthew Miller wrote:
> > > The Squeak VM package in Fedora includes the upstream source code for MP3 support, but disables actually building it. Is that okay, or does the tarball need to be sanitized?
> > https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohib...
> Right, I saw that, but it's not clear if MP3 falls under "not allowed to ship even as source code". If that's the case, shouldn't we just say so?
Then you would need to explain what you're thinking. You've pointed at
https://fedoraproject.org/wiki/Forbidden_items?rd=ForbiddenItems#MP3_Support
| MP3 encoding and decoding support is not included in any Fedora
| application because MP3 is heavily patented in several regions
| including the United States. The patent holder is unwilling to give an
| unrestricted patent grant, as required by the GPL. [...]
and in turn I've pointed at
https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohib...
| Some upstream packages include patents or trademarks that we are not
| allowed to ship even as source code. In these cases you have to modify
| the source tarball to remove this code before you even upload it to
| the build system. [...]
so all you ask for is to be even more explicit in connecting these two?
On Mon, Oct 01, 2012 at 01:20:47PM +0200, Michael Schwendt wrote:
> > Right, I saw that, but it's not clear if MP3 falls under "not allowed to ship even as source code". If that's the case, shouldn't we just say so?
> Then you would need to explain what you're thinking.
If a package includes MP3 source code but does not enable it, that literally complies with "MP3 encoding and decoding support is not included in any Fedora application", which is the directive in the Forbidden Items section.
It's my understanding that at least one open source MP3 implementation operates under this theory. The question is whether that's actually good enough, or whether MP3 actually falls under "patents or trademarks that we are not allowed to ship even as source code".
Following the logic of the-exception-proves-the-rule, that last statement implies that there *is* source code which includes patents which we *are* able to ship in that form. Again, is MP3 included?
My impression had been that it is not, and that we always patch it out, but then I came across this reviewed, accepted package which has been in Fedora for three and a half years, so I wanted to check if that was a mistake or if my attitude had been over-zealous.
On Mon, Oct 1, 2012 at 7:58 AM, Matthew Miller mattdm@fedoraproject.org wrote:
> On Mon, Oct 01, 2012 at 01:20:47PM +0200, Michael Schwendt wrote:
> > > Right, I saw that, but it's not clear if MP3 falls under "not allowed to ship even as source code". If that's the case, shouldn't we just say so?
> > Then you would need to explain what you're thinking.
> If a package includes MP3 source code but does not enable it, that literally complies with "MP3 encoding and decoding support is not included in any Fedora application", which is the directive in the Forbidden Items section.
> It's my understanding that at least one open source MP3 implementation operates under this theory. The question is whether that's actually good enough, or whether MP3 actually falls under "patents or trademarks that we are not allowed to ship even as source code".
> Following the logic of the-exception-proves-the-rule, that last statement implies that there *is* source code which includes patents which we *are* able to ship in that form. Again, is MP3 included?
> My impression had been that it is not, and that we always patch it out, but then I came across this reviewed, accepted package which has been in Fedora for three and a half years, so I wanted to check if that was a mistake or if my attitude had been over-zealous.
I'd say it was a mistake, and you were correct. No reviewer is infallible, myself included.
-J
> --
> Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ mattdm@fedoraproject.org
> --
> packaging mailing list
> packaging@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/packaging
On Mon, 1 Oct 2012 08:58:38 -0400, Matthew Miller wrote:
> > > Right, I saw that, but it's not clear if MP3 falls under "not allowed to ship even as source code". If that's the case, shouldn't we just say so?
> > Then you would need to explain what you're thinking.
> If a package includes MP3 source code but does not enable it, that literally complies with "MP3 encoding and decoding support is not included in any Fedora application", which is the directive in the Forbidden Items section.
> It's my understanding that at least one open source MP3 implementation operates under this theory. The question is whether that's actually good enough, or whether MP3 actually falls under "patents or trademarks that we are not allowed to ship even as source code".
The MP3 codec is patented => we must not ship it at all => not even as source code.
> Following the logic of the-exception-proves-the-rule, that last statement implies that there *is* source code which includes patents which we *are* able to ship in that form. Again, is MP3 included?
Same as above.
> My impression had been that it is not, and that we always patch it out, but then I came across this reviewed, accepted package which has been in Fedora for three and a half years, so I wanted to check if that was a mistake or if my attitude had been over-zealous.
Doing reviews isn't easy.
On Mon, Oct 01, 2012 at 07:31:39PM +0200, Michael Schwendt wrote:
> > It's my understanding that at least one open source MP3 implementation operates under this theory. The question is whether that's actually good enough, or whether MP3 actually falls under "patents or trademarks that we are not allowed to ship even as source code".
> The MP3 codec is patented => we must not ship it at all => not even as source code.
> > Following the logic of the-exception-proves-the-rule, that last statement implies that there *is* source code which includes patents which we *are* able to ship in that form. Again, is MP3 included?
> Same as above.
I'm really not trying to be difficult. I think one can reasonably see how what you're saying doesn't necessarily follow from what's written. The section on MP3 should be changed to make this more clear, to make things easier for both packagers and reviewers.
> > but then I came across this reviewed, accepted package which has been in Fedora for three and a half years, so I wanted to check if that was a mistake or if my attitude had been over-zealous.
> Doing reviews isn't easy.
I didn't mean to imply that it was, or either ineptitude or maliciousness. Just lack of clarity.
On Mon, Oct 1, 2012 at 1:07 PM, Matthew Miller mattdm@fedoraproject.org wrote:
> On Mon, Oct 01, 2012 at 07:31:39PM +0200, Michael Schwendt wrote:
> > > It's my understanding that at least one open source MP3 implementation operates under this theory. The question is whether that's actually good enough, or whether MP3 actually falls under "patents or trademarks that we are not allowed to ship even as source code".
> > The MP3 codec is patented => we must not ship it at all => not even as source code.
> > > Following the logic of the-exception-proves-the-rule, that last statement implies that there *is* source code which includes patents which we *are* able to ship in that form. Again, is MP3 included?
> > Same as above.
> I'm really not trying to be difficult. I think one can reasonably see how what you're saying doesn't necessarily follow from what's written. The section on MP3 should be changed to make this more clear, to make things easier for both packagers and reviewers.
> > > but then I came across this reviewed, accepted package which has been in Fedora for three and a half years, so I wanted to check if that was a mistake or if my attitude had been over-zealous.
> > Doing reviews isn't easy.
> I didn't mean to imply that it was, or either ineptitude or maliciousness. Just lack of clarity.
How about filing a Trac for the FPC with clarified wording for one or both sections?
-J
On Mon, Oct 01, 2012 at 01:12:00PM -0500, Jon Ciesla wrote:
> How about filing a Trac for the FPC with clarified wording for one or both sections?
https://fedorahosted.org/fpc/ticket/214
On Mon, 1 Oct 2012 14:07:07 -0400, Matthew Miller wrote:
> I'm really not trying to be difficult. I think one can reasonably see how what you're saying doesn't necessarily follow from what's written. The section on MP3 should be changed to make this more clear, to make things easier for both packagers and reviewers.
Well, I even quoted it for you.
[...] MP3 is heavily patented [...] Some upstream packages include patents or trademarks that we are not allowed to ship even as source code. [...]
IMO, it's leading nowhere if you're reading in between the lines. I fail to see why we would ship something "heavily patented".
> > > but then I came across this reviewed, accepted package which has been in Fedora for three and a half years, so I wanted to check if that was a mistake or if my attitude had been over-zealous.
> > Doing reviews isn't easy.
> I didn't mean to imply that it was, or either ineptitude or maliciousness. Just lack of clarity.
Would that help? One reviewer would skim over the contents of a large source code archive, another would not. One reviewer would miss a subfolder deep in the tree even with "MP3" in its name, another one would notice it but not realize that it's an implementation of a codec and not just some frame/ID3 parsing or similar. More fun you'd get if the source contains problematic code other than MP3. ;)
On Mon, Oct 01, 2012 at 20:25:31 +0200, Michael Schwendt mschwendt@gmail.com wrote:
> IMO, it's leading nowhere if you're reading in between the lines. I fail to see why we would ship something "heavily patented".
One might think that using pristine sources in the source rpm is better than using one with the patented code stripped out. And it isn't clear the patents are violated if the code is shipped in an srpm, but is not in the binaries we ship.
On Mon, 1 Oct 2012 14:39:41 -0500, Bruno Wolff III wrote:
> > IMO, it's leading nowhere if you're reading in between the lines. I fail to see why we would ship something "heavily patented".
> One might think that using pristine sources in the source rpm is better than using one with the patented code stripped out.
Why "better"? Stripped source code cannot be compiled accidentally. That would be something for the lawyers. Imagine a repo contained an audio application that supported MP3 for several weeks.
> And it isn't clear the patents are violated if the code is shipped in an srpm, but is not in the binaries we ship.
Can't tell. Related to MP3 is a longer list of patents, and "free" MP3 encoders - afaik - haven't been targeted by patent holders.
Removing legally problematic source code goes back to the Red Hat Linux era, some time around 8.0 or so. That is, Red Hat has done it. 3rd party contributors to Red Hat Linux (such as old Fedora) have continued doing so.
On Mon, Oct 01, 2012 at 22:26:42 +0200, Michael Schwendt mschwendt@gmail.com wrote:
> On Mon, 1 Oct 2012 14:39:41 -0500, Bruno Wolff III wrote:
> > > IMO, it's leading nowhere if you're reading in between the lines. I fail to see why we would ship something "heavily patented".
> > One might think that using pristine sources in the source rpm is better than using one with the patented code stripped out.
> Why "better"? Stripped source code cannot be compiled accidentally. That would be something for the lawyers. Imagine a repo contained an audio application that supported MP3 for several weeks.
Easier for downstream to check against upstream to see that it matches. The packager doesn't need to create stripped down archives.
On Mon, 1 Oct 2012 15:28:24 -0500, Bruno Wolff III wrote:
> > > One might think that using pristine sources in the source rpm is better than using one with the patented code stripped out.
> > Why "better"? Stripped source code cannot be compiled accidentally. That would be something for the lawyers. Imagine a repo contained an audio application that supported MP3 for several weeks.
> Easier for downstream to check against upstream to see that it matches. The packager doesn't need to create stripped down archives.
Hmm, that's more of a matter of convenience or laziness (as it may be non-trivial to remove a component from a build framework). How many downstreams perform checks of sources? (Also don't forget snapshot checkouts.) There are not many upstream projects who offer detached signatures for their source archives, so that's seldom an issue.