[Fedora-legal-list] New package license review proposal

Tom "spot" Callaway tcallawa at redhat.com
Sat Jan 16 22:46:00 UTC 2010


On 01/16/2010 05:37 PM, Jason L Tibbitts III wrote:
> I figured I'd start with this list and broaden to devel@ if people think
> it's a good idea.
> 
> In doing (very) many package reviews, I've found one of the most
> time-consuming things to be doing a proper license review.  Even
> something simple with, say, an LGPLv2+ notice can get complicated when a
> single GPLv2 file sneaks in.  It's complicated enough that I suspect in
> many cases license review just isn't being done.  Plus the complexities
> of licensing coupled with the complexities of our packaging guidelines
> really pose a high barrier for anyone wanting to do proper license
> reviews.
> 
> So I'm proposing that we separate the roles of the package reviewer from
> the license reviewer, allowing someone who wants to concentrate on
> licensing to participate in the review process without having to deal
> with the complexities of the packaging guidelines (or even building the
> software).  This isn't intended to preclude someone from taking a new
> request and doing both packaging and licensing review, but simply to
> allow folks to go through the existing reviews and indicate that they've
> been checked for licensing issues so that someone could later go through
> and review the packaging without having to struggle over the licensing.
> 
> I propose to handle this with a simple entry in the whiteboard and a
> comment by the reviewer.  I can add a report under
> http://fedoraproject.org/PackageReviewStatus listing tickets which need
> license review, and am prepared to write a utility to facilitate things
> as much as possible.  When a license question comes up, FE-Legal would
> be blocked just as it is now.  (Apologies to spot.)  I would ask for
> help from others to document the license review process as much as
> possible.
> 
> I think in the end that with a dedicated team of folks doing license
> checks, we can get the review process moving a bit quicker and cut down
> on incidences of unwanted things leaking into the distro that have to be
> cleaned up later.

Seems reasonable. We might be able to do a FAD to train some people on
looking at licenses to jump start this process.

We might also consider deploying something like FOSSology (which I've
had on my todo list for ages). Not as a replacement for this, but as an
additional helper tool.

http://fossology.org/

~spot