[Fedora-legal-list] New package license review proposal

Luis Villa luis at tieguy.org
Sun Jan 17 05:07:49 UTC 2010


On Sat, Jan 16, 2010 at 7:53 PM, Jason L Tibbitts III <tibbs at math.uh.edu> wrote:
>>>>>> "LV" == Luis Villa <luis at tieguy.org> writes:
>
> LV> I know lack of reviewers is already a serious bottleneck in the
> LV> process; would having a separate cadre of license reviewers mean
> LV> more delays?
>
> How could it possibly be so, unless a separate license review was
> somehow made a blocker to the process?  That's not what's being
> proposed.  At worst, nobody would do separate license reviews and the
> regular package reviewers would continue as they do now.  At best, all
> packages would be checked for license issues before the regular package
> review happens, and package reviewers can avoid worrying about license
> issues.  Reality will probably be somewhere in between.  Any separate
> license review takes work off of the already far overworked package
> reviewers; I can't imagine how that could hurt.

Ah, I understand better now: you mean this as an alternative; if the
license reviewers don't have bandwidth, the regular reviewers would
still have it on their plate before the package got submitted?

> I don't know how fossology works, but if there's any way I can automate
> calling it then I'll be happy to look into it.  Currently automation
> would be limited to a tool that would pick a ticket which needs license
> review, pull down the most recent posted srpm, unpack it and drop you
> into a shell to look around, and automatically updating bugzilla.
> Plenty of possibility to hang other tools off of that, except that I
> don't really know of any that could be run.

FOSSology is just a pile of scripts (Perl maybe? I don't recall) that
basically grep the hell out of a package and build licensing data
based on what it finds; for large codebases the reports can get fairly
elaborate. It has a large library of known license patterns, etc. So
it should be able to tell you with fairly high certainty 'this package
is licensed under license A, with a smattering of license X, Y and Z.'

What I suspect it won't do (and maybe someone should talk with
the FOSSology folks to confirm) is deal with the cases of bizarre or
one-off licenses that seem to be stumbled upon fairly often here.
Perhaps they could (or already do) flag files that contain keywords
like 'copyright' or 'license' but don't contain a recognized license,
for further inspection. (I imagine they also don't have as broad a
database of licenses as Fedora does, but that is easier to fix.) If
they can be talked into adding that (or someone from Fedora can hack
it in) then my guess is that it would prove a fairly efficient way to
vet packages for licensing conditions.

Luis
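An added illustration of the two-step heuristic discussed in the message above (match known license texts, then flag files that mention 'copyright' or 'license' but match none of them). This is example code written for this page, not FOSSology's code or anything from the Fedora review tooling; the pattern library and the sample files are constructed and deliberately tiny.

```python
import re

# Constructed, deliberately small pattern library. A real scanner such as
# FOSSology carries far more patterns; these four are enough to show the idea.
KNOWN_LICENSES = {
    "GPLv2+": re.compile(r"GNU General Public License.*?version 2.*?any later version",
                         re.S | re.I),
    "GPLv2": re.compile(r"GNU General Public License.*?version 2", re.S | re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "BSD": re.compile(r"Redistribution and use in source and binary forms", re.I),
}

# Keywords that suggest a licensing statement is present even when no known
# license text matches: exactly the "flag for further inspection" case.
LICENSE_KEYWORDS = re.compile(r"\b(copyright|licen[cs]e)\b", re.I)


def classify(text):
    """Return the set of recognised license ids found in one file's text."""
    found = {name for name, pat in KNOWN_LICENSES.items() if pat.search(text)}
    if "GPLv2+" in found:
        found.discard("GPLv2")  # the 'or later' text also matches the plain GPLv2 pattern
    return found


def scan(files):
    """files: mapping of path -> file text (an unpacked source tree in practice).

    Returns (counts of recognised licenses, paths that need manual review).
    A file needs review when it mentions copyright/license but matches nothing known.
    """
    counts = {}
    needs_review = []
    for path, text in files.items():
        licenses = classify(text)
        for lic in licenses:
            counts[lic] = counts.get(lic, 0) + 1
        if not licenses and LICENSE_KEYWORDS.search(text):
            needs_review.append(path)
    return counts, sorted(needs_review)


# Constructed sample tree: one GPLv2+ file, one MIT file, one file with a
# one-off licence statement that no pattern recognises, and one plain file.
SAMPLE_FILES = {
    "src/main.c": "/* This program is free software; you can redistribute it under the "
                  "terms of the GNU General Public License as published by the Free "
                  "Software Foundation; either version 2 of the License, or (at your "
                  "option) any later version. */\nint main(void) { return 0; }\n",
    "src/util.c": "/* Copyright (c) 2009 Example Org\n   Permission is hereby granted, "
                  "free of charge, to any person obtaining a copy... */\n",
    "contrib/odd.py": "# Copyright 2008 Somebody. You may use this file only on Tuesdays.\n",
    "README": "A tool for doing things. See the docs directory.\n",
}

if __name__ == "__main__":
    summary, review = scan(SAMPLE_FILES)
    print("licenses found:", summary)
    print("needs manual review:", review)
```

Running it on the sample tree reports `{'GPLv2+': 1, 'MIT': 1}` and lists `contrib/odd.py` for manual review, while `README` is ignored because it contains no licensing keyword.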


