On Sunday, August 26, 2018 7:09:41 AM EDT Paweł Hajdan, Jr. wrote: > On 26/08/2018 12:53, Mart Raudsepp wrote: > > The common issue here is that upstream COPYING files really do only > > talk about one of the versions. And then you get to validate or source > > files to be sure that they do have a "or later" clause in them. And > > then on each bump you ideally should validate it again, etc, that no > > sources without "or later" allowance are in there... > > Yup, precise tracking of license metadata can be a pain. > > I'm not really sure if that level of it is worth for us as a distro. For > _importing_ other project's source code directly into one's project > precise license compatibility matters a lot. That's not the scenario > we're in. I see LICENSES as mostly a mechanism for end users to accept > or reject EULAs etc, and I'm curious what are other common scenarios. > > Michał, could you elaborate on why not distinguishing more precisely > between these GPL variants in LICENSES is a _problem_ ? I can certainly > see the information is not always accurate, but it's not obvious to me > how severe is the downside, what are the consequences in practice.
I can say that if the licenses are habitually misidentified, I could not use Gentoo's portage tree in my job without extensive and ongoing revalidation of the license metadata. There are, in fact, automated tools for advising about the license disposition of these types of things, examining source files for unfortunate edits and variants and flagging them, etc. It might be an interesting task at some point to point some of these tools at portage, look for incorrect metadata and file bug reports. Not suggesting this is a worthwhile approach up front, but it might be a useful tool in the future for dealing with license metadata quality as a chronic issue. (Which, in turn, is useful for commercial consumption and participation.)
