On 7/11/22 8:08 AM, Maxwell G wrote:
Jul 10, 2022 9:39:36 PM Richard Fontana <[email protected]>:
If I understand
correctly (I have passing familiarity with Go and close to zero
understanding of how Go projects are built and packaged for Fedora)
the yq rpm would contain a binary that is statically linked against
golang-github-timtadh-data-structures, but the source package of the
yq rpm will not itself contain the source code of
golang-github-timtadh-data-structures (i.e. it won't be "vendored"
[bleh]), which however will be separately packaged in Fedora. Is that
accurate or am I misunderstanding?
Yes, that is correct. There are some go packages in Fedora that use bundled
dependencies, but the package in question is not one of them.
I want to make sure I understand what we mean by "bundled" v.
"unbundled" (or that we are thinking of the same thing, in any case!)
1) when you say "some go packages in Fedora use bundled dependencies" -
dos that mean the dependency is bundled in the same (binary) RPM, in
which case determining what goes in the License field for that spec file
is a bit more straight forward.
v.
2) "nonbundled" (the case here) means that there is one package that is
dependent on another separate package via static linking, thus once
built it becomes one binary (I'm not sure I'm using all the right
terminology here, but hopefully that makes sense!)
In this case, the License field for each individual package is somewhat
straight forward, but how does one account for the license after static
linking, particularly due to the presence of GPL.
Surely this sort of question has
come up before for Fedora Go packages... or has it?
In general, I think packagers could use more guidance/documentation about this
issue, but here is the current situation:
I believe similar issues have been discussed on this ML, but more so related to
rust. (Rust binaries are also statically linked and built against unbundled
dependencies in Fedora.) The Rust Packaging Guidelines require that rust
binaries' License tags account for the licenses of their respective
dependencies. AFAIK, rust packages that contain binaries don't include the
license *files* for their dependencies[1], though.
Can you point me to the Rust Packaging Guidelines? It sounds like there
is something about licensing guidelines included there, but seems like
all licensing-related advice should be in one place, no?
[1]: The "dependencies" (rust crates) are only required at buildtime, again,
due to static linkage.
Most, if not all, unbundled go packages only account for the license of the
code contained in that SRPM.
that would be like my second scenario above, right?
Thanks,
Jilayne
---
I just saw that a package that claims to be MIT-licensed includes GPL'd code,
and my alarm bells went off. This is a bit of an unusal situation, as most go
libraries are permissively licensed.
--
Maxwell G
Pronouns: He/Him/His
[email protected]
_______________________________________________
legal mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
legal mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
