As most of you will be painfully aware - our process for legal reviews is at its limits.
This is nothing new, but by now the situation is so bad that a new package requires months to pass Factory review, and this is just not something I could stand watching.
So I'm in the process of redefining the legal process and the tools used for it - and it will mean some changes for packages. Some for the better, but some for the worse.
The legal-auto bot so far only checked one thing: does it know the package name with the same license? If not, it would redirect the review to legal-team, which was overwhelmed by the stupid bot.
So what we needed was a more clever bot. So this is what we're working on - but it will not happen in days. The problem deserves too much care to rush it.
But we will introduce new features step by step - and it will mean for now that reviews of legal-auto will stay open longer than what you are used to. And we also check different things, as legal-auto actually checks the licenses itself and no longer redirects blindly.
One of the consequences is that we now check something automatically that was checked only manually so far: whether sub-packages have sub-licenses.
Take ant-antlr.spec - its source rpm has License: Apache-2.0, but it has an ant-javamail sub-package with CDDL-1.0. So the bot will not accept this package, because the sub-package has a license that is not part of the source's license.
The proper fix is to have License: Apache-2.0 AND CDDL-1.0
Right now we're not declining requests - but we will shortly. So don't be surprised!
I hope to have good news too soonish ;)
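
The sub-package license check described above, sketched as an added example (not part of the original message and not the legal-auto bot's own code). The function names, the simplified expression splitting and the sample spec are assumptions made for illustration.

```python
import re

# Constructed sample spec, modeled on the ant-antlr case described in the message.
SAMPLE_SPEC = """\
Name:           ant-antlr
License:        Apache-2.0
%description
Optional antlr tasks for ant.

%package -n ant-javamail
Summary:        Optional javamail tasks for ant
License:        CDDL-1.0
%description -n ant-javamail
Optional javamail tasks for ant.
"""

def license_ids(expression):
    """Split a license expression into identifiers (simplified: no real SPDX parsing)."""
    tokens = re.split(r"[\s()]+", expression)
    return {t for t in tokens if t and t.upper() not in {"AND", "OR", "WITH"}}

def parse_spec_licenses(spec_text):
    """Return (main_license, {subpackage_name: license}) found in the spec text."""
    main, subs, current = None, {}, None
    for line in spec_text.splitlines():
        pkg = re.match(r"%package\s+(?:-n\s+)?(\S+)", line)
        if pkg:
            current = pkg.group(1)  # License tags after this belong to the sub-package
            continue
        lic = re.match(r"License:\s*(.+)", line, re.IGNORECASE)
        if lic and current is None:
            main = main or lic.group(1).strip()
        elif lic:
            subs[current] = lic.group(1).strip()
    return main, subs

def uncovered_sublicenses(spec_text):
    """Map each sub-package to the license ids missing from the main License tag."""
    main, subs = parse_spec_licenses(spec_text)
    allowed = license_ids(main or "")
    missing = {}
    for name, lic in subs.items():
        extra = license_ids(lic) - allowed
        if extra:
            missing[name] = sorted(extra)
    return missing
```

An empty result means every sub-package license is covered by the main License tag; anything else lists what has to be added to it.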