Hi everybody,

after discussion with jreznik, tcallawa and pchibon about licensing in
RPMs, I've decided to create a common package for licenses which allow
separate shipping from the sources/binaries.

Currently the developer needs to package each such license for each
(sub)package manually and the end user needs to read it through every
time a new version is installed, because the license mentioned in the
"License:" tag doesn't correspond to the real license present in the RPM
(e.g. GPLv3 with exceptions can refer to some customized version of
GPLv3 and therefore this license is indistinguishable from other "GPLv3
with exceptions"s in the Good Licenses matrix).

I'd like to address this issue like Arch Linux does, i.e. provide a
common set of licenses (allowed to be shipped separately) which could be
used by the maintainer on a voluntary basis to simplify things (for both
him and the end user). Such a package also contains properly formatted
licenses and serves as an official wording. Arch Linux also solves the
problem of customized versions of licenses by using a "custom:" prefix
before the name of each such license; in that case the maintainer is
forced to include the customized version, and two licenses with the same
identifier and the "custom:" prefix are not comparable (i.e. the end user
can't assume custom:X is the same as custom:X from another package). This
also means that rpmlint would need to be updated.

As a side effect we'll also spare a few megabytes of bandwidth and disk
space :). Maintainers would need to check the license only once when
creating the first spec file and then just when some change to the license
file(s) occurs upstream (this is easy and we do it already). But how
many maintainers could simplify the %files section in their spec files?
Some statistics from f19 give us an answer:

repoquery --repoid fedora --repoid updates --qf='%{license}' '*' |
  sed -r 's/ *(and|or) */\n/g' | sed -r 's| *[()]* *||g' |
  sort | uniq -c | sort -n

I've matched those licenses present more than 100 times with the licenses
present in the attached spec file and did a comparison:

# non-aggregatable licenses (majority consists of MIT, BSD, (L)GPLx with
# exceptions, ASL and Public Domain)
grep -Ev '^\* ' del/lic04.hand_checked | awk '{ x+=$1 }END{print x}'
27144
# aggregatable licenses
grep -E '^\* ' del/lic04.hand_checked | awk '{ x+=$2 }END{print x}'
43137

The aggregatable licenses make up 61.4% of all the most used licenses
(100+). Please note that it's much more difficult (for the end user or
reviewer) to find out if the "License:" tag in the spec file matches the
bundled LICENSE files than just having the tag and nothing in the %files
section. I've come across this issue when doing package reviews - 1 such
bug in 7 reviews - that's a probability of 1/7, which is so high I'd
rather not know it.

In a few days I'm leaving for vacation, but I wanted to release this
package before I become inaccessible.

Please share your experience and review the attached licenses package.
Feel free to add other possible licenses from
https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing .

Kind regards,

-- Jan Pacner

Attachment: licenses-1.0-1.fc20.src.rpm
Description: application/rpm

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
