Fwd: SPDX Statistics - Beginning of the year edition
by Miroslav Suchý
-------- Forwarded Message --------
Subject: SPDX Statistics - Beginning of the year edition
Date: Fri, 1 Mar 2024 09:27:48 +0100
From: Miroslav Suchý <msuchy(a)redhat.com>
Organization: Red Hat Czech, s.r.o.
To: Development discussions related to Fedora <devel(a)lists.fedoraproject.org>
Hot news:
fedora-license-data has a Copr project https://copr.fedorainfracloud.org/coprs/g/osci/fedora-license-data where a new
package is built whenever a new PR is merged
The last phase is ready for wrangler https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4 and we will
proceed when approved with FESCO.
I corrected lots of SPDX formulas where you used lowercase "and", "or". The specification allows only "AND", "OR".
This will likely change in specification version 3, but now the operator has to be upper case.
Two weeks ago we had:
> * 23737 spec files in Fedora
>
> * 30335 license tags in all spec files
>
> * 11314 tags have not been converted to SPDX yet
>
> * 5105 tags can be trivially converted using `license-fedora2spdx`
>
> * Progress: 62,70% ░░░░░░████ 100%
>
> ELN subset:
>
> 128 out of 2412 packages are not converted yet (progress 94.69%)
>
Today we have:
* 23786 spec files in Fedora
* 30396 license tags in all spec files
* 11182 tags have not been converted to SPDX yet
* 5044 tags can be trivially converted using `license-fedora2spdx`
* Progress: 63,21% ░░░░░░████ 100%
ELN subset:
112 out of 2411 packages are not converted yet (progress 95.35%)
Graph of these data with the burndown chart:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80...
The list of packages needed to be converted is here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx...
List by package maintainers is here
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx...
List of packages from ELN subset that need to be converted:
https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt
New version of fedora-license-data has been released. With:
7 new licenses (plus some public domain declarations).
17 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data)
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%...
Legal docs and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
were updated too.
License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/
New projection when we will be finished is 2025-02-01 (+17 days from last report). Pure linear approximation.
If your package has neither a git-log entry nor a spec-changelog entry mentioning SPDX and you know your license
tag matches SPDX formula, you can put your package on the ignore list
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either pull-request or direct email to me is fine.
Why Beginning of the year? That should be January 1st, right? Before the advent of the Gregorian calendar, March 1st was
considered the beginning of the year. Hence September as the "seventh month" despite the fact it is 9th now. But in the
Republic of Venice, for example, March was considered the beginning of the year until 1797. So in Venice, March 1790 <
January 1790. For more interesting facts about time (and time zones) see this legendary video
https://www.youtube.com/watch?v=-5wpm-gesOY
Miroslav
1 month, 3 weeks
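The upper-case operator rule from the status report above, as an added example (not part of the original message and not Fedora's own tooling): a checker that flags and normalizes lowercase operators in `License:` tags while leaving identifiers such as `GPL-2.0-or-later` untouched. The sample spec text is constructed, and `WITH` is included as the third SPDX 2.x operator although the message names only `AND` and `OR`.

```python
import re

# Operators of SPDX license expressions. The message names AND and OR;
# WITH (license exception) is added here as an assumption of this example.
OPERATORS = {"AND", "OR", "WITH"}

# Tokens are parentheses or whitespace-delimited words, so "GPL-2.0-or-later"
# stays one token and its embedded "or" is never treated as an operator.
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
LICENSE_TAG_RE = re.compile(r"^License:[ \t]*(.+?)[ \t]*$",
                            re.IGNORECASE | re.MULTILINE)

# Constructed sample spec fragment (not a real Fedora package).
SAMPLE_SPEC = """\
Name:           example
License:        GPL-2.0-or-later and (MIT or BSD-3-Clause)

%package libs
License:        LGPL-2.1-or-later AND MIT

%package tools
License:        GPL-2.0-only with Classpath-exception-2.0
"""


def find_bad_operators(expression):
    """Return (offset, token) for each operator not written in upper case."""
    bad = []
    for match in TOKEN_RE.finditer(expression):
        token = match.group(0)
        if token.upper() in OPERATORS and token not in OPERATORS:
            bad.append((match.start(), token))
    return bad


def normalize_operators(expression):
    """Upper-case operator tokens only; license identifiers are untouched."""
    def fix(match):
        token = match.group(0)
        return token.upper() if token.upper() in OPERATORS else token
    return TOKEN_RE.sub(fix, expression)


def check_spec(spec_text):
    """Return (original, normalized) for every License: tag needing a fix."""
    results = []
    for match in LICENSE_TAG_RE.finditer(spec_text):
        expression = match.group(1)
        if find_bad_operators(expression):
            results.append((expression, normalize_operators(expression)))
    return results


if __name__ == "__main__":
    for original, fixed in check_spec(SAMPLE_SPEC):
        print(f"- {original}\n+ {fixed}")
```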
Re: Question about public domain file in dictd
by Carlos Rodriguez-Fernandez
Hi Jilayne,
I have created the MR [1].
Thank you.
[1] https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/541
On 2/28/24 15:14, Jilayne Lovejoy wrote:
> Speaking as a member of the Fedora legal team: What Ben said below
> (thanks Ben!)
>
> I can confirm that this would be considered a public domain dedication
> and does not need an issue to review it, but you can make a MR to this
> file, see instructions at the top:
> https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-do...
>
> Thanks!
> Jilayne
>
> On 2/28/24 8:14 AM, Ben Beasley wrote:
>> Speaking as an experienced packager, not a member of the Fedora legal
>> team:
>>
>> Although some authors conflate it with “public domain,” CC0-1.0 is
>> just one type of ultra-permissive license. It is not-allowed for code
>> in Fedora due to concerns about patent-related language in the actual
>> CC0-1.0 license, not due to a general prohibition on public-domain
>> dedications or ultra-permissive licenses.
>>
>> The md5.c file you mention does not reference CC0-1.0 at all, and is
>> in fact under a simple “public-domain dedication” that would be
>> assigned the SPDX id LicenseRef-Fedora-PublicDomain.
>>
>> You do need to submit the text for review and tracking under the
>> process outlined in
>> https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_pub...,
>> but I have no doubt that it will be approved; this is a
>> straightforward public-domain dedication, and this particular md5
>> implementation is very widespread and well-known and already bundled
>> in many packages in Fedora. In fact, under the old rules for
>> bundling that required explicit exceptions, this MD5 implementation
>> was one of the documented “copylibs,”
>> https://fedoraproject.org/wiki/Bundled_Libraries_Virtual_Provides#cite_no....
>>
>> On 2/28/24 9:57 AM, Carlos Rodriguez-Fernandez wrote:
>>> Hi,
>>>
>>> I have been preparing a new update to dictd, and while doing it, I
>>> ran the licensecheck to double-check and clean up the license tag.
>>>
>>> I found out that the licenses involved in the source code for the new
>>> 1.13.1 are more than originally specified in 1.12.x. There is a
>>> COPYING file with GPL-2.0-only, but the source code files have more.
>>> The final list is:
>>>
>>> GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later
>>> AND MIT AND GPL-2.0-or-later AND BSD-3-Clause
>>>
>>> There is one file in the source code that claims to be "public
>>> domain" [1]:
>>>
>>>
>>> This code was written by Colin Plumb in 1993, no copyright is claimed.
>>> This code is in the public domain; do with it what you wish
>>>
>>>
>>> This file is indeed code, so the allowed content exception for
>>> CC0-1.0 doesn't apply. The file is not written by the upstream
>>> maintainer but appears to be authored by someone else not in the
>>> maintainer list. I'm not sure how to proceed here. I could request
>>> the upstream developer to see if he can change the license but not
>>> sure will be able since it is not his. Would this be a valid case for
>>> Unlicense?
>>>
>>>
>>> [1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c
>>>
>>>
>>>
>>>
>>> Thank you,
>>> Carlos R.F.
>>>
>>> --
>>> _______________________________________________
>>> legal mailing list -- legal(a)lists.fedoraproject.org
>>> To unsubscribe send an email to legal-leave(a)lists.fedoraproject.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
1 month, 3 weeks
Re: Question about public domain file in dictd
by Carlos Rodriguez-Fernandez
Ben, and Jilayne,
Thank you for the guidance on this.
Best Regards,
Carlos R.F.
On 2/28/24 15:14, Jilayne Lovejoy wrote:
> Speaking as a member of the Fedora legal team: What Ben said below
> (thanks Ben!)
>
> I can confirm that this would be considered a public domain dedication
> and does not need an issue to review it, but you can make a MR to this
> file, see instructions at the top:
> https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-do...
>
> Thanks!
> Jilayne
>
> On 2/28/24 8:14 AM, Ben Beasley wrote:
>> Speaking as an experienced packager, not a member of the Fedora legal
>> team:
>>
>> Although some authors conflate it with “public domain,” CC0-1.0 is
>> just one type of ultra-permissive license. It is not-allowed for code
>> in Fedora due to concerns about patent-related language in the actual
>> CC0-1.0 license, not due to a general prohibition on public-domain
>> dedications or ultra-permissive licenses.
>>
>> The md5.c file you mention does not reference CC0-1.0 at all, and is
>> in fact under a simple “public-domain dedication” that would be
>> assigned the SPDX id LicenseRef-Fedora-PublicDomain.
>>
>> You do need to submit the text for review and tracking under the
>> process outlined in
>> https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_pub...,
>> but I have no doubt that it will be approved; this is a
>> straightforward public-domain dedication, and this particular md5
>> implementation is very widespread and well-known and already bundled
>> in many packages in Fedora. In fact, under the old rules for
>> bundling that required explicit exceptions, this MD5 implementation
>> was one of the documented “copylibs,”
>> https://fedoraproject.org/wiki/Bundled_Libraries_Virtual_Provides#cite_no....
>>
>> On 2/28/24 9:57 AM, Carlos Rodriguez-Fernandez wrote:
>>> Hi,
>>>
>>> I have been preparing a new update to dictd, and while doing it, I
>>> ran the licensecheck to double-check and clean up the license tag.
>>>
>>> I found out that the licenses involved in the source code for the new
>>> 1.13.1 are more than originally specified in 1.12.x. There is a
>>> COPYING file with GPL-2.0-only, but the source code files have more.
>>> The final list is:
>>>
>>> GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later
>>> AND MIT AND GPL-2.0-or-later AND BSD-3-Clause
>>>
>>> There is one file in the source code that claims to be "public
>>> domain" [1]:
>>>
>>>
>>> This code was written by Colin Plumb in 1993, no copyright is claimed.
>>> This code is in the public domain; do with it what you wish
>>>
>>>
>>> This file is indeed code, so the allowed content exception for
>>> CC0-1.0 doesn't apply. The file is not written by the upstream
>>> maintainer but appears to be authored by someone else not in the
>>> maintainer list. I'm not sure how to proceed here. I could request
>>> the upstream developer to see if he can change the license but not
>>> sure will be able since it is not his. Would this be a valid case for
>>> Unlicense?
>>>
>>>
>>> [1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c
>>>
>>>
>>>
>>>
>>> Thank you,
>>> Carlos R.F.
>>>
1 month, 3 weeks
Re: Question about public domain file in dictd
by Jilayne Lovejoy
Speaking as a member of the Fedora legal team: What Ben said below
(thanks Ben!)
I can confirm that this would be considered a public domain dedication
and does not need an issue to review it, but you can make a MR to this
file, see instructions at the top:
https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-do...
Thanks!
Jilayne
On 2/28/24 8:14 AM, Ben Beasley wrote:
> Speaking as an experienced packager, not a member of the Fedora legal
> team:
>
> Although some authors conflate it with “public domain,” CC0-1.0 is
> just one type of ultra-permissive license. It is not-allowed for code
> in Fedora due to concerns about patent-related language in the actual
> CC0-1.0 license, not due to a general prohibition on public-domain
> dedications or ultra-permissive licenses.
>
> The md5.c file you mention does not reference CC0-1.0 at all, and is
> in fact under a simple “public-domain dedication” that would be
> assigned the SPDX id LicenseRef-Fedora-PublicDomain.
>
> You do need to submit the text for review and tracking under the
> process outlined in
> https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_pub...,
> but I have no doubt that it will be approved; this is a
> straightforward public-domain dedication, and this particular md5
> implementation is very widespread and well-known and already bundled
> in many packages in Fedora. In fact, under the old rules for
> bundling that required explicit exceptions, this MD5 implementation
> was one of the documented “copylibs,”
> https://fedoraproject.org/wiki/Bundled_Libraries_Virtual_Provides#cite_no....
>
> On 2/28/24 9:57 AM, Carlos Rodriguez-Fernandez wrote:
>> Hi,
>>
>> I have been preparing a new update to dictd, and while doing it, I
>> ran the licensecheck to double-check and clean up the license tag.
>>
>> I found out that the licenses involved in the source code for the new
>> 1.13.1 are more than originally specified in 1.12.x. There is a
>> COPYING file with GPL-2.0-only, but the source code files have more.
>> The final list is:
>>
>> GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later
>> AND MIT AND GPL-2.0-or-later AND BSD-3-Clause
>>
>> There is one file in the source code that claims to be "public
>> domain" [1]:
>>
>>
>> This code was written by Colin Plumb in 1993, no copyright is claimed.
>> This code is in the public domain; do with it what you wish
>>
>>
>> This file is indeed code, so the allowed content exception for
>> CC0-1.0 doesn't apply. The file is not written by the upstream
>> maintainer but appears to be authored by someone else not in the
>> maintainer list. I'm not sure how to proceed here. I could request
>> the upstream developer to see if he can change the license but not
>> sure will be able since it is not his. Would this be a valid case for
>> Unlicense?
>>
>>
>> [1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c
>>
>>
>>
>>
>> Thank you,
>> Carlos R.F.
>>
1 month, 3 weeks
Re: Question about public domain file in dictd
by Ben Beasley
Speaking as an experienced packager, not a member of the Fedora legal team:
Although some authors conflate it with “public domain,” CC0-1.0 is just
one type of ultra-permissive license. It is not-allowed for code in
Fedora due to concerns about patent-related language in the actual
CC0-1.0 license, not due to a general prohibition on public-domain
dedications or ultra-permissive licenses.
The md5.c file you mention does not reference CC0-1.0 at all, and is in
fact under a simple “public-domain dedication” that would be assigned
the SPDX id LicenseRef-Fedora-PublicDomain.
You do need to submit the text for review and tracking under the process
outlined in
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_pub...,
but I have no doubt that it will be approved; this is a straightforward
public-domain dedication, and this particular md5 implementation is very
widespread and well-known and already bundled in many packages in
Fedora. In fact, under the old rules for bundling that required explicit
exceptions, this MD5 implementation was one of the documented
“copylibs,”
https://fedoraproject.org/wiki/Bundled_Libraries_Virtual_Provides#cite_no....
On 2/28/24 9:57 AM, Carlos Rodriguez-Fernandez wrote:
> Hi,
>
> I have been preparing a new update to dictd, and while doing it, I ran
> the licensecheck to double-check and clean up the license tag.
>
> I found out that the licenses involved in the source code for the new
> 1.13.1 are more than originally specified in 1.12.x. There is a
> COPYING file with GPL-2.0-only, but the source code files have more.
> The final list is:
>
> GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later
> AND MIT AND GPL-2.0-or-later AND BSD-3-Clause
>
> There is one file in the source code that claims to be "public domain"
> [1]:
>
>
> This code was written by Colin Plumb in 1993, no copyright is claimed.
> This code is in the public domain; do with it what you wish
>
>
> This file is indeed code, so the allowed content exception for CC0-1.0
> doesn't apply. The file is not written by the upstream maintainer but
> appears to be authored by someone else not in the maintainer list. I'm
> not sure how to proceed here. I could request the upstream developer
> to see if he can change the license but not sure will be able since it
> is not his. Would this be a valid case for Unlicense?
>
>
> [1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c
>
>
>
>
> Thank you,
> Carlos R.F.
>
1 month, 3 weeks
Re: License review for package scummvm
by Miroslav Suchý
On 20. 02. 24 at 1:21 Jilayne Lovejoy wrote:
> wow, that's a long list ;)
It is not so long. You only need to go through the first table and the last table. The middle one just contains a list of files.
> - do you have a way to de-dupe?
No. I go manually over that and usually stop on the first license that I do not have in a list and review if it is false or
positive match and go to the next one. Skipping licenses that are already on the list.
> what tooling are you using?
This report was generated using this command:
~/.local/bin/scancode --license --html /tmp/spdx.html --license-references -n6 scummvm-2.8.0
--
Miroslav Suchy, RHCA
Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys
2 months