[opensuse-project] On package licensing
Only recently, our legal team started to clean up the package License header, especially when multiple licenses are present in the source tarball. As they're rather shy in communicating this, this post is intended to clarify what's going on and to start a public discussion on it.

Usually, the main cases are dual-licensed (or multi-licensed) packages. For instance, most Perl packages now contain a license tag like "GPL+ or Artistic", which is rather clear. Things become more complicated when parts of the (upstream) source code contain several (different) license headers. While this situation is rather messy and best avoided, we do have such software and thus we have to treat that somehow. Unfortunately, this can lead to rather difficult to interpret license tags like the following (for perl-Tk):

    (GPL+ or Artistic) and zlib

Or even worse (recent digikam):

    GPLv2+ and LGPLv2.1+ and GFDL and X11 (BSD like) and BSD3c (or similar)

While the intent is honorable, I doubt that this is still useful for the general public. Also, it lacks specific information which source file (or subtree) is licensed under which of the above.

The spec file license tag clearly isn't meant for that. I'm no lawyer, but to me it seems like the only proper way is like Debian does it. They add an extra file to their packages which lists all the licenses that apply. Also it allows to clearly state that in-tree libraries are licensed differently. Based on that, the spec file License header could then contain only the most prominent license. However, this increases packagers' work but seems more useful to me. What do you think?

--
Mit freundlichen Grüßen,
Sascha Peilicke
http://saschpe.wordpress.com

On Monday 21 Mar 2011 11:22:40 Sascha Peilicke wrote:
> The spec file license tag clearly isn't meant for that. I'm no lawyer, but to me it seems like the only proper way is like Debian does it. They add an extra file to their packages which lists all the licenses that apply. Also it allows to clearly state that in-tree libraries are licensed differently. Based on that, the spec file License header could then contain only the most prominent license. However, this increases packagers' work but seems more useful to me. What do you think?

Pursuant to a quite prolonged discussion on opensuse-factory and to a separate but related enterprise-related discussion on the spdx mailing lists we decided to start using the same syntax that Fedora has been successfully using for a number of years (RHEL too).

The Linux Foundation workgroup of which Red Hat and SUSE had representatives have prepared a specification which will state how licenses are to be declared for a package (including e.g. multiple licensing and dual licensing scenarios). On further discussion with the Fedora representative we concluded that the spdx format will be largely enterprise oriented and that the list of licenses/short-names will probably not suffice to cover the needs of an open source distribution such as openSUSE or Fedora.

Pursuant to the aforementioned discussion on opensuse-factory we imported Fedora's list of licenses to http://en.opensuse.org/openSUSE:Accepted_licences

With the intent of syncing up with even more distributions we also (with vuntz's help) are trying to have a face-to-face meeting with the various legal representatives of e.g. Ubuntu, Debian, openSUSE, Fedora, Mandriva/Mageia and Gentoo (I possibly left out some) to try to work something out which will be more permanent.

As we don't yet know what will come of this, I think it would be premature to resort to a far-reaching step like requiring packagers to produce a copyright file in the way that Debian does (I'm not against the idea per se, but it introduces a substantial margin-of-error and the job should really be done by the _upstream_ developers - if at all - as they are the only ones who can truly and authoritatively state what the license(s) should be).

As to the RPM %license field - it was _never_ meant to reflect the entire licensing state of a package.

As you identified, we could certainly try to attain more accuracy by having packages use subpackages for libraries etc and to add the proper %license for the executable and for the library - this is often overlooked at the moment.

Thus, I suggest that we stick with the Fedora-style RPM syntax for now - pending what happens with the cross-distro effort. At least that way we will have some degree of consistency - up to now we had none.

Ciaran

--
Ciaran Farrell
cfarrell@suse.de
Phone: +49 (0)911 74053 262
SUSE Linux Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Maxfeldstrasse 5, 90409, Nuremberg, Germany
/ˈkiː.ræn/

On 21/03/2011 11:40, Ciaran Farrell wrote:
> With the intent of syncing up with even more distributions we also (with vuntz's help) are trying to have a face-to-face meeting with the various legal representatives of e.g. Ubuntu, Debian, openSUSE, Fedora, Mandriva/Mageia and Gentoo (I possibly left out some) to try to work something out which will be more permanent.

Great idea. I support this!

jdd

--
http://www.dodin.net
http://www.dailymotion.com/video/xgxog7_clip-l-ombre-et-la-lumiere-3-bad-pig...
http://www.youtube.com/watch?v=FGgv_ZFtV14

Thanks for posting that in-depth explanation. Even if there has been a discussion elsewhere (which me and some others seem to have missed), I think this was needed to raise packagers' awareness on the issue. Legal is no black box and such decisions should always be communicated in public (preferably before they are enforced).

--
Mit freundlichen Grüßen,
Sascha Peilicke
http://saschpe.wordpress.com

participants (3)
- Ciaran Farrell
- jdd
- Sascha Peilicke