Gentoo Archives: gentoo-dev

From: Michael Mol <mikemol@×××××.com>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [RFC] Solving the problem of huge number of wrong LICENSES=*GPL-[23]
Date: Fri, 31 Aug 2018 21:54:35
Message-Id: 4004237.4pTCg0tAxr@saffron
In Reply to: Re: [gentoo-dev] [RFC] Solving the problem of huge number of wrong LICENSES=*GPL-[23] by "Paweł Hajdan
1 On Sunday, August 26, 2018 7:09:41 AM EDT Paweł Hajdan, Jr. wrote:
2 > On 26/08/2018 12:53, Mart Raudsepp wrote:
3 > > The common issue here is that upstream COPYING files really do only
4 > > talk about one of the versions. And then you get to validate or source
5 > > files to be sure that they do have a "or later" clause in them. And
6 > > then on each bump you ideally should validate it again, etc, that no
7 > > sources without "or later" allowance are in there...
8 >
9 > Yup, precise tracking of license metadata can be a pain.
10 >
11 > I'm not really sure if that level of it is worth for us as a distro. For
12 > _importing_ other project's source code directly into one's project
13 > precise license compatibility matters a lot. That's not the scenario
14 > we're in. I see LICENSES as mostly a mechanism for end users to accept
15 > or reject EULAs etc, and I'm curious what are other common scenarios.
16 >
17 > Michał, could you elaborate on why not distinguishing more precisely
18 > between these GPL variants in LICENSES is a _problem_ ? I can certainly
19 > see the information is not always accurate, but it's not obvious to me
20 > how severe is the downside, what are the consequences in practice.
22 I can say that if the licenses are habitually misidentified, I could not use
23 Gentoo's portage tree in my job without extensive and ongoing revalidation of
24 the license metadata.
26 There are, in fact, automated tools for advising about the license disposition
27 of these types of things, examining source files for unfortunate edits and
28 variants and flagging them, etc. It might be an interesting task at some point
29 to point some of these tools at portage, look for incorrect metadata and file
30 bug reports.
32 Not suggesting this is a worthwhile approach up front, but it might be a
33 useful tool in the future for dealing with license metadata quality as a
34 chronic issue. (Which, in turn, is useful for commercial consumption and
35 participation.)