Gentoo Archives: gentoo-dev

From: Richard Yao <ryao@g.o>
To: gentoo-dev@l.g.o
Cc: licenses <licenses@g.o>
Subject: Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing
Date: Sun, 22 Sep 2019 16:36:52
Message-Id: E5D5AC38-D626-489C-9608-7037B0F35EDC@gentoo.org
In Reply to: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing by "Michał Górny"
> On Sep 21, 2019, at 12:09 PM, Michał Górny <mgorny@g.o> wrote:
>
> Hi,
>
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger a QA warning asking the dev to double-check whether it's
> 'GPL-2-only' or 'GPL-2+'.
>
>
> GNU licenses currently don't carry an upgrade clause -- instead, authors
> are expected to decide whether they permit upgrade to newer versions of
> the license in question, or require users to stick with their version of
> choice.
>
> Their decision is normally indicated in copyright notices on top
> of source files. Those that permit upgrade usually state 'either
> version N of the License, or (at your option) any later version.', while
> others remove the 'or...' or even replace it with 'only' (sometimes
> removing 'either', sometimes leaving it ;-)).
>
> The truth is, many developers don't go that far to verify it. Instead,
> they usually look at 'COPYING' or 'LICENSE', read the version there
> and put 'GPL-2', 'GPL-3' etc. in the ebuild. It doesn't help that
> GitHub does the same and shows the result as an easy-to-read note on top of
> the repo.
>
>
> For some time I've been reviewing packages I'm (co-)maintaining, as well
> as proxy-maint submissions, for this particular problem. However,
> surprisingly many projects actually go the 'version N only' route, even
> in the middle of environments that are 'N+' like Xfce. As a result, I've
> ended up rechecking the same packages over and over again to the point
> of starting to add comments saying 'yes, this is GPL-2 only'.
>
> I'd like to propose to employ a more systematic method of resolving this
> problem. I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using the short 'GPL-n' in favor of them. The end result
> would be three licenses for every version/variant, e.g.:
>
> GPL-2-only -- version 2 only
> GPL-2+ -- version 2 or newer
> GPL-2 -- might be either, audit necessary
>
> The main idea is that we'd be able to easily find 'non-audited' packages
> with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
> after auditing. While technically it would still be possible for people
> to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
> will help people notice that there actually is a deeper difference,
> and it will still catch people who just type 'GPL-n' without looking
> into the license directory.

My read of this and the comments is that it boils down to getting people to do the right thing and ensuring that they did. If anyone does not already understand this, we need to have a talk with them about it.

Also, for things like the Linux kernel where some files lack the 'or later version' clause, this is going to end up with us doing GPL-2-only and GPL-2+ at the same time. Is this really what we want to do there?

>
>
> For a start, I'd only go for adding the '-only' variants to the most
> common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
> FDL versions. I don't think we need this for the long 'exception'
> variants -- I suspect that if someone did research enough to notice
> the exception, then most likely he would also notice the 'or newer'.
>
>
> WDYT?
>
> --
> Best regards,
> Michał Górny
>
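The header wordings the quoted proposal describes, turned into a small per-file audit that also surfaces the mixed 'only' plus '+' case raised in the reply. This is an added example, not Gentoo's QA tooling or code from the thread; the regexes, the `classify_header` and `suggest_license` names and the sample file headers are constructed here, and the heuristics cover only the wordings the proposal mentions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed heuristics for the notice wordings discussed in the thread.
GPL_RE = re.compile(
    r"GNU\s+(?P<family>Lesser|Library|Affero)?\s*General\s+Public\s+License",
    re.IGNORECASE,
)
VERSION_RE = re.compile(r"\bversion\s+(?P<ver>\d+(?:\.\d+)?)\b", re.IGNORECASE)
LATER_RE = re.compile(r"any\s+later\s+version", re.IGNORECASE)
# 'Library General Public License' is the historical name of LGPL 2.0.
FAMILY = {None: "GPL", "lesser": "LGPL", "library": "LGPL", "affero": "AGPL"}


def classify_header(text: str) -> Optional[str]:
    """Map a file's copyright notice to a label in the proposed scheme.

    'GPL-2+' when the '(at your option) any later version' clause is present,
    'GPL-2-only' when a version is named but the clause is dropped or replaced
    by 'only', and None when no versioned GNU licence is found (audit needed).
    """
    m = GPL_RE.search(text)
    if not m:
        return None
    fam = m.group("family")
    family = FAMILY[fam.lower() if fam else None]
    v = VERSION_RE.search(text, m.end())  # version stated after the licence name
    if not v:
        return None
    suffix = "+" if LATER_RE.search(text, m.end()) else "-only"
    return f"{family}-{v.group('ver')}{suffix}"


def suggest_license(sources: Dict[str, str]) -> Tuple[str, List[str]]:
    """Aggregate per-file labels into a LICENSE string plus files left to audit.

    A tree that mixes 'only' and '+' files (the kernel case from the reply)
    yields both labels, e.g. 'GPL-2+ GPL-2-only', rather than hiding one.
    """
    labels, unknown = set(), []
    for path, text in sources.items():
        label = classify_header(text)
        (unknown.append(path) if label is None else labels.add(label))
    return " ".join(sorted(labels)), unknown


# Constructed sample headers, one per wording the proposal describes.
SAMPLE_SOURCES = {
    "src/main.c": "/* ...under the terms of the GNU General Public License as published by\n"
                  " * the Free Software Foundation; either version 2 of the License, or\n"
                  " * (at your option) any later version. */",
    "drivers/foo.c": "/* ...under the terms of the GNU General Public License version 2 as\n"
                     " * published by the Free Software Foundation. */",
    "lib/util.c": "/* Licensed under the GNU Lesser General Public License, version 2.1 only. */",
    "lib/helper.c": "/* Copyright 2019 Example Author. All rights reserved. */",
}
```

Running `suggest_license(SAMPLE_SOURCES)` on the constructed tree reports both GPL-2 labels plus the LGPL one and lists `lib/helper.c` as still needing a human look.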