Hi,

TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
the former trigger a QA warning asking the dev to double-check if it's
'GPL-2-only' or 'GPL-2+'.


GNU Licenses currently don't carry an upgrade clause -- instead, authors
are expected to decide whether they permit upgrade to newer versions of
the license in question, or require users to stick with their version of
choice.

Their decision is normally indicated in copyright notices on top
of source files.  Those that permit upgrade usually state 'either
version N of the License, or (at your option) any later version.', while
others remove the 'or...' or even replace with 'only' (sometimes
removing 'either', sometimes leaving it ;-)).

The truth is, many developers don't go that far to verify it.  Instead,
they usually look at 'COPYING' or 'LICENSE', read the version there
and put 'GPL-2', 'GPL-3' etc. in the ebuild.  It doesn't help that
GitHub does the same and shows the result as an easy-to-read note on top
of the repo.


For some time I've been reviewing packages I'm (co-)maintaining, as well
as proxy-maint submissions for this particular problem.  However,
surprisingly many projects actually go the 'version N only' route, even
in the middle of environments that are 'N+' like Xfce.  As a result, I've
ended up rechecking the same packages over and over again to the point
of starting to add comments saying 'yes, this is GPL-2 only'.

I'd like to propose to employ a more systematic method of resolving this
problem.  I would like to add additional explicit 'GPL-n-only' licenses,
and discourage using short 'GPL-n' in favor of them.  The end result
would be three licenses per every version/variant, e.g.:

  GPL-2-only -- version 2 only
  GPL-2+     -- version 2 or newer
  GPL-2      -- might be either, audit necessary

The main idea is that we'd be able to easily find 'non-audited' packages
with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
after auditing.  While technically it would still be possible for people
to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
will help people notice that there actually is a deeper difference,
and it will still catch people who just type 'GPL-n' without looking
into the license directory.

For a start, I'd only go for adding the '-only' variants to the most
common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
FDL versions.  I don't think we need this for the long 'exception'
variants -- I suspect that if someone did research enough to notice
the exception, then most likely he would also notice the 'or newer'.


WDYT?

-- 
Best regards,
Michał Górny
