On Tue, Apr 2, 2019 at 1:20 PM Richard Fontana <[email protected]> wrote:
> On Tue, Apr 2, 2019 at 1:57 PM J Lovejoy <[email protected]> wrote:
> >
> > regarding Tom’s comment on this topic:
> >
> > So this is the difficulty. We know of an order of magnitude of different variants of BSD and MIT (many of which are unclassified by the OSI and SPDX). They're all functionally identical. Are you volunteering to audit all the Fedora packages to correct the license tags? I'm not. :)
> >
> > It could be possible to come up with a correlation of the Fedora tags and SPDX ids (where Fedora groups licenses under one age, but SPDX uses different ones) and then automate updating the tags, no?
>
> One of the problems is that in effect Fedora has a different notion of "matching" from that of SPDX. In general, and especially seen in the Fedora use of "BSD" and "MIT", there isn't a one-to-one correspondence between a Fedora license identifier and an SPDX one. That's not a theoretical problem because it's common (especially with older codebases) to have a package consisting of source files under various materially different BSD-like licenses, or vaguely MIT-like licenses. One scrupulous solution would be to replace a given use of, say, "MIT" with, in such a case, for example, "MIT-Variant-1 AND MIT-Variant-2 . . . AND MIT-Variant-N" but no one seems to want to do that (this also connects with the recent discussion in the SPDX community about the potential advantages of having SPDX license identifier namespaces). A nonscrupulous solution which seems similar in spirit to how many developers are using SPDX identifiers today is to ignore the complexity and decide arbitrarily, or for convenience, that you'll describe the package in that case as "MIT", or "BSD-3-Clause", but that is then pretty unfaithful to the SPDX system (or so it seems to me).

Seconding this problem (which I came across in the wild last week). Does SPDX have a notion of indicating confidence level of a scan? Or is that just derived from the reputation of whoever creates the manifest?

Luis
_______________________________________________
legal mailing list -- [email protected]
