Dne 17. 07. 24 v 6:41 odp. Miro Hrončok napsal(a):

...

Done.

Hi Mirek, I am a bit confused.

I thought there was a clear nonconsensus about the *GPL conversion [1] which resulted to the FESCo ticket [2]. It is kinda surprising to see the "Done." comment here and in the LGPL thread as well.

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/... [2] https://pagure.io/fesco/issue/3230

Ouch, now I am confused too.

You are right that the final wording is:

!agreed FESCo is in favor of standardizing on the SPDX format and understands that not all licenses are ready for

direct conversion. Those licenses that are unreviewed or otherwise not yet fully compliant should be converted to SPDX licenses of the format LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier. (+8, 1, -0)

which means that I should stop doing that 1:1 (aka trivial) conversion and convert *everything* to LicenseRef-Callaway-*. But I was on that meeting - and if you read the log:

https://meetbot.fedoraproject.org/meeting_matrix_fedoraproject-org/2024-07-1...

There was:

<@sgallagh:fedora.im> 17:52:01 Proposal: FESCo is in favor of standardizing on the SPDX format and understands that not all licenses are ready for this. Those that are not should be converted to SPDX licenses to a format `LicenseRef-<something indicating Fedora legacy>-*` where "*" is the old format.

... <@msuchy:matrix.org> 17:52:24 Can I have a clear statement what to do with GPL* ? .... <@zbyszek:fedora.im> 17:54:04 The whole point is to convert everything. <@conan_kudo:matrix.org> 17:54:08 nirik: it'd be GPLv2 -> GPL-2.0-only, GPLv2+ -> GPL-2.0-or-later <@conan_kudo:matrix.org> 17:54:20 and so on <@zbyszek:fedora.im> 17:54:22 Otherwise, it's not syntactically valid. <@salimma:fedora.im> 17:54:26 sorry, I mixed up msuchy's question with Neal's original response <@nirik:matrix.scrye.com> 17:54:32 but then we have 0 way to tell what was converted? I guess we could look at commits <@conan_kudo:matrix.org> 17:54:56 after everything is said and done, audits still need to be done separately <@conan_kudo:matrix.org> 17:55:00 don't mistake conversions for audits <@salimma:fedora.im> 17:55:05 we might need a second vote to clarify what to do with ambiguous licenses .... <@salimma:fedora.im> 17:58:24 so Stephen's new proposal is quite clear that every legacy license we can't convert to SPDX would be marked as LicenseRef-<legacy>-* ... I think that addresses the ambiguity

So I'd say that Neal statement in 17:54:08 put me in mistake that I should continue with 1:1 but it is not in the final decision/statement.

On 17. 07. 24 22:15, Neal Gompa wrote:

On Wed, Jul 17, 2024 at 3:41 PM Miroslav Suchý msuchy@redhat.com wrote:

...

Dne 17. 07. 24 v 6:41 odp. Miro Hrončok napsal(a):

...

Done.

Hi Mirek, I am a bit confused.

I thought there was a clear nonconsensus about the *GPL conversion [1] which resulted to the FESCo ticket [2]. It is kinda surprising to see the "Done." comment here and in the LGPL thread as well.

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/... [2] https://pagure.io/fesco/issue/3230

Ouch, now I am confused too.

You are right that the final wording is:

...

!agreed FESCo is in favor of standardizing on the SPDX format and understands that not all licenses are ready for direct conversion. Those licenses that are unreviewed or otherwise not yet fully compliant should be converted to SPDX licenses of the format LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier. (+8, 1, -0)

which means that I should stop doing that 1:1 (aka trivial) conversion and convert *everything* to LicenseRef-Callaway-*. But I was on that meeting - and if you read the log:

https://meetbot.fedoraproject.org/meeting_matrix_fedoraproject-org/2024-07-1...

There was:

<@sgallagh:fedora.im> 17:52:01 Proposal: FESCo is in favor of standardizing on the SPDX format and understands that not all licenses are ready for this. Those that are not should be converted to SPDX licenses to a format `LicenseRef-<something indicating Fedora legacy>-*` where "*" is the old format.

... <@msuchy:matrix.org> 17:52:24 Can I have a clear statement what to do with GPL* ? .... <@zbyszek:fedora.im> 17:54:04 The whole point is to convert everything. <@conan_kudo:matrix.org> 17:54:08 nirik: it'd be GPLv2 -> GPL-2.0-only, GPLv2+ -> GPL-2.0-or-later <@conan_kudo:matrix.org> 17:54:20 and so on <@zbyszek:fedora.im> 17:54:22 Otherwise, it's not syntactically valid. <@salimma:fedora.im> 17:54:26 sorry, I mixed up msuchy's question with Neal's original response <@nirik:matrix.scrye.com> 17:54:32 but then we have 0 way to tell what was converted? I guess we could look at commits <@conan_kudo:matrix.org> 17:54:56 after everything is said and done, audits still need to be done separately <@conan_kudo:matrix.org> 17:55:00 don't mistake conversions for audits <@salimma:fedora.im> 17:55:05 we might need a second vote to clarify what to do with ambiguous licenses .... <@salimma:fedora.im> 17:58:24 so Stephen's new proposal is quite clear that every legacy license we can't convert to SPDX would be marked as LicenseRef-<legacy>-* ... I think that addresses the ambiguity

So I'd say that Neal statement in 17:54:08 put me in mistake that I should continue with 1:1 but it is not in the final decision/statement.

What you're doing is what we expected in FESCo. GNU license identifiers *are* trivial conversions. The main ones that aren't are the older "BSD" and "MIT" ones, which have no meaningful analogue in SPDX.

That is your opinion. My opinion differs:

The *GPL conversions *are not* trivial because they may hide several other "weaker" licenses in them following the old rules, which is no longer allowed by the new rules that were created when we approved the entire SPDX thing.

---

The disagreement on this is what spawned the discussion and the FESCo ticket in the first place.

If FESCo wanted to autoconvert all the old "*GPL" licenses to the new SPDX GPL identifiers, it should have been proposed and voted upon. That did not happen.

FESCo approved what to do with the ones that are not trivial, but it did not say which are trivial.

On 18. 07. 24 1:30, Neal Gompa wrote:

You are conflating license tag conversion with a license audit. Tag conversion is explicitly*not* an audit exercise.

No, I state the old GPL tags and the new GPL identifiers have different meanings.

This is not an audit, and we have never offered a guarantee of accuracy. If you want the tags to be accurate, you need to evaluate the package every time it is updated. And I know you do it for your stuff, but we know not everyone does. And we do not have tooling to help people audit their packages properly. We also do not have tooling to validate audits in place either. The change to SPDX identifiers is *not* coupled to the "no effective licensing" thing. Those were separate updates that happened at roughly the same time, but are *still* not coupled to each other.

I don't want to have this conversation here again. I won't change your mind.

However, I say that what FESCo approved is not what you are acting as-if FESCo approved. Do you at least see that?

On Thu, Jul 18, 2024 at 11:33:13AM GMT, Fabio Valentini wrote:

On Thu, Jul 18, 2024 at 9:40 AM Miro Hrončok mhroncok@redhat.com wrote:

...

On 18. 07. 24 1:30, Neal Gompa wrote:

...

You are conflating license tag conversion with a license audit. Tag conversion is explicitly*not* an audit exercise.

No, I state the old GPL tags and the new GPL identifiers have different meanings.

...

This is not an audit, and we have never offered a guarantee of accuracy. If you want the tags to be accurate, you need to evaluate the package every time it is updated. And I know you do it for your stuff, but we know not everyone does. And we do not have tooling to help people audit their packages properly. We also do not have tooling to validate audits in place either. The change to SPDX identifiers is *not* coupled to the "no effective licensing" thing. Those were separate updates that happened at roughly the same time, but are *still* not coupled to each other.

I don't want to have this conversation here again. I won't change your mind.

However, I say that what FESCo approved is not what you are acting as-if FESCo approved. Do you at least see that?

I agree that the conversation in the meeting and what was finally approved was slightly confusing, and I already feared that we were not thinking it meant the same thing when we approved it (one of the reasons why I voted 0).

Some FESCo members seem to think that we approved "trivial license conversions to SPDX are OK", others seem to think that we approved "licenses that cannot be trivially converted to SPDX must use LicenseRef-<whatever>-<old-identifier>". The proposal voted on matches the latter statement, but it does *not*, IMO, imply the first statement.

Yeah, I was confused by some of the proposals and asked to clarify and I thought we had, but I guess not. ;)

First, the ticket says it's about "Mass license change GPLv2 to GPL-2.0-only", so I assumed that was the scope here, not all mass license changes, but I guess that was not the case.

What I (thought) I voted on was to convert packages with GPLv2 to Licenseref-Fedoraoldwhatever-GPL-2.0-Only. This would allow the tooling to work on those things and still allow everyone to see it needs to be audited.

In any case, please don't do any more changes and we should revisit this

kevin

On Thu, Jul 18, 2024 at 3:39 AM Miro Hrončok mhroncok@redhat.com wrote:

On 18. 07. 24 1:30, Neal Gompa wrote:

...

You are conflating license tag conversion with a license audit. Tag conversion is explicitly*not* an audit exercise.

No, I state the old GPL tags and the new GPL identifiers have different meanings.

This is not the case. Even going back to the beginning when the case was first made and all the identifiers were being categorized, all the GNU license tags we had for the Fedora system were matched 1:1 to the SPDX ones. They do not have different meanings.

That the form of how GNU license identifiers differ from how we did it before is why I *explicitly* asked and got confirmation about when it happened. Everyone was forced to deal with it when SPDX deprecated the "+" modifier and the associated GNU license tags that used it.

The *only* actual difference between "time of Fedora identifiers" and "time of now" is that we have this quest to use SPDX identifiers everywhere and our ability to simplify *informational* license tags has been removed.

On Thu, Jul 18, 2024 at 4:48 PM Neal Gompa ngompa13@gmail.com wrote:

On Thu, Jul 18, 2024 at 3:39 AM Miro Hrončok mhroncok@redhat.com wrote:

...

On 18. 07. 24 1:30, Neal Gompa wrote:

...

You are conflating license tag conversion with a license audit. Tag conversion is explicitly*not* an audit exercise.

No, I state the old GPL tags and the new GPL identifiers have different meanings.

This is not the case. Even going back to the beginning when the case was first made and all the identifiers were being categorized, all the GNU license tags we had for the Fedora system were matched 1:1 to the SPDX ones. They do not have different meanings.

FWIW, I do not think they have entirely the same meaning. SPDX identifiers carry with them the baggage of how they are partially defined in the SPDX spec, and (unlike most projects using SPDX identifiers) Fedora, in the legal docs anyway, places a lot of emphasis on relying on the SPDX definition, as suboptimal as it is, for example the relevance of the SPDX XML files and the SPDX matching guidelines. The GPL identifiers are a special case also because of how the FSF persuaded SPDX to replace "+" with "-or-later" and standalone identifiers with "-only" without really explaining if there was a difference and what it was (and I don't get the sense the FSF itself was clear on this). As for the Callaway license abbreviations, they were never really explicitly or formally defined. I'm not sure how much this matters for the various GPL identifiers. I'd rather focus on "correct" use of SPDX expressions going forward, and wrt the GPL cases I'm not sure if conversion from AGPLv3 to "LicenseRef-Callaway-AGPLv3" or "AGPL-3.0-only" gets us closer to that goal. I actually have a slight preference for "LicenseRef-Callaway-AGPLv3" I guess, but I don't care that much, as long as Fedora package maintainers are open to continual gradual improvement in quality of license tags.

That the form of how GNU license identifiers differ from how we did it before is why I *explicitly* asked and got confirmation about when it happened. Everyone was forced to deal with it when SPDX deprecated the "+" modifier and the associated GNU license tags that used it.

The *only* actual difference between "time of Fedora identifiers" and "time of now" is that we have this quest to use SPDX identifiers everywhere and our ability to simplify *informational* license tags has been removed.

In the Callaway era, official Fedora documentation was at best contradictory on whether and to what extent it was appropriate to simplify license tags. Many packages from the latter ~10-15 years of that era that had fairly complex license tags (GCC is an example that comes to mind) that can't be explained if there were a general simplification practice going on. I believed and still believe that the general tendency was to discourage simplification as Fedora (and particularly Mr. Callaway himself, I think) got increasingly sophisticated about free software licensing stuff, though this was widely ignored or was not well known to the extent it was documented. Sorry to harp on this but it bothers me that people think the post-SPDX-adoption Fedora legal invented a rule against simplification of license tags.

Richard