> On Apr 2, 2019, at 3:17 PM, Luis Villa <[email protected]> wrote:
>
> On Tue, Apr 2, 2019 at 1:20 PM Richard Fontana <[email protected]> wrote:
> On Tue, Apr 2, 2019 at 1:57 PM J Lovejoy <[email protected]> wrote:
>
> > regarding Tom’s comment on this topic:
> >
> > So this is the difficulty. We know of an order of magnitude of different
> > variants of BSD and MIT (many of which are unclassified by the OSI and
> > SPDX). They're all functionally identical. Are you volunteering to audit
> > all the Fedora packages to correct the license tags? I'm not. :)
> >
> >
> > It could be possible to come up with a correlation of the Fedora tags and
> > SPDX ids (where Fedora groups licenses under one tag, but SPDX uses
> > different ones) and then automate updating the tags, no?
>
> One of the problems is that in effect Fedora has a different notion of
> "matching" from that of SPDX. In general, and especially seen in the
> Fedora use of "BSD" and "MIT", there isn't a one-to-one correspondence
> between a Fedora license identifier and an SPDX one. That's not a
> theoretical problem because it's common (especially with older
> codebases) to have a package consisting of source files under various
> materially different BSD-like licenses, or vaguely MIT-like licenses.
> One scrupulous solution would be to replace a given use of, say, "MIT"
> with, in such a case, for example, "MIT-Variant-1 AND MIT-Variant-2 . . . AND
> MIT-Variant-N" but no one seems to want to do that (this also
> connects with the recent discussion in the SPDX community about the
> potential advantages of having SPDX license identifier namespaces). A
> nonscrupulous solution which seems similar in spirit to how many
> developers are using SPDX identifiers today is to ignore the
> complexity and decide arbitrarily, or for convenience, that you'll
> describe the package in that case as "MIT", or "BSD-3-Clause", but
> that is then pretty unfaithful to the SPDX system (or so it seems to
> me).
>
> Seconding this problem (which I came across in the wild last week).
If you want to assist in getting more licenses on the SPDX License List - especially to enable more use of SPDX identifiers in source files or elsewhere, then that is a subject for discussion on that mailing list :) and we are happy to have the help!

I don’t think aligning Fedora to use SPDX identifiers is insurmountable at all. It’s just a matter of putting heads and effort together on both sides of the coin. We could also create some kind of collaborative communication going forward to ensure new licenses Fedora comes upon are represented on the SPDX License List.

>
> Does SPDX have a notion of indicating confidence level of a scan? Or is that
> just derived from the reputation of whoever creates the manifest?

Correct - it’s down to the reputation or your perceived level of trust of whoever created the BoM/manifest/SPDX document - like always.

>
> Luis
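As an added illustration of the "scrupulous" versus "nonscrupulous" package descriptions discussed in the thread (example code, not from anyone on this list or from Fedora/SPDX tooling), assuming constructed per-file license findings and a hypothetical `LicenseRef-` id for an MIT variant that is not on the SPDX License List:

```python
# Added example: build a package-level SPDX license expression from per-file
# findings instead of collapsing everything to one tag. Licenses that are not
# on the SPDX License List are expressed with the SPDX "LicenseRef-" prefix,
# which is how SPDX denotes unlisted licenses.
from collections import Counter
import re

# Constructed sample: a package whose files carry two materially different
# MIT-like texts plus one BSD-3-Clause file. The LicenseRef- id is assumed.
SAMPLE_FILES = {
    "src/core.c": "MIT",
    "src/util.c": "MIT",
    "src/compat.c": "LicenseRef-MIT-with-advertising-clause",
    "contrib/hash.c": "BSD-3-Clause",
}

# SPDX id strings: letters, digits, "." and "-", optionally prefixed LicenseRef-.
_ID_RE = re.compile(r"^(LicenseRef-)?[A-Za-z0-9.-]+$")


def scrupulous_expression(files):
    """Conjoin every distinct per-file id: 'A AND B AND ... N'."""
    ids = sorted(set(files.values()))
    bad = [i for i in ids if not _ID_RE.match(i)]
    if bad:
        raise ValueError(f"not valid SPDX id strings: {bad}")
    return " AND ".join(ids)


def collapsed_tag(files):
    """The convenience shortcut: keep only the most common id, drop the rest."""
    return Counter(files.values()).most_common(1)[0][0]


def discarded_by_collapse(files):
    """Ids that a single-tag description silently throws away."""
    return sorted(set(files.values()) - {collapsed_tag(files)})


if __name__ == "__main__":
    print("scrupulous:", scrupulous_expression(SAMPLE_FILES))
    print("collapsed: ", collapsed_tag(SAMPLE_FILES))
    print("lost:      ", discarded_by_collapse(SAMPLE_FILES))
```

The `discarded_by_collapse` output is what a reviewer of a manifest would need to see before trusting a one-word license tag for the package.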
_______________________________________________
legal mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
