Hello,
I wanted to send a pull request to the python-dateutil package to change:
License: BSD-3-Clause and Apache-2.0
To:
License: BSD-3-Clause AND Apache-2.0
However, the comment above the License tag made me curious:
# According to the LICENSE file:
# - BSD License applies to all code, even that also covered by ASL 2.0
# - ASL 2.0 applies to all contributions after 2017-12-01,
The license file:
https://github.com/dateutil/dateutil/blob/2.8.2/LICENSE
tl;dr:
> ...snip Apache-2.0...
>
> The above license applies to all contributions after 2017-12-01, as well as
> all contributions that have been re-licensed (see AUTHORS file for the list of
> contributors who have re-licensed their code).
>
> ...snip BSD-3-Clause...
>
> The above BSD License Applies to all code, even that also covered by Apache 2.0.
In other words, there is a subset of the code which is covered by Apache-2.0
and *at the same time* all of the code is covered by BSD-3-Clause.
Is that an OR case?
Should the license tag be:
License: (Apache-2.0 AND BSD-3-Clause) OR BSD-3-Clause
(We can either pick BSD-3-Clause for everything OR a combination of both.)
Or should it be:
License: (Apache-2.0 OR BSD-3-Clause) AND BSD-3-Clause
(Some code is BSD-3-Clause and for the rest we can pick either one of them.)
Or is it an AND case (the code is covered by both licenses "together" (whatever
that means))? In that case, should it be:
License: (Apache-2.0 AND BSD-3-Clause) AND BSD-3-Clause
Or is the current license tag more or less correct:
License: Apache-2.0 AND BSD-3-Clause
?
Thanks
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
Hi Legal
The 'sgx-sdk' package is currently open for review with a view to
adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the
"dlmalloc" code under the CC0 license, which is now a forbidden
code license for packages being newly added to Fedora.
The authors of sgx-sdk have contacted the original author of
dlmalloc, and he apparently suggested that since CC0 is a public
domain license, they can just add a second license header of their
choosing to the source files and Fedora can then ignore the original
CC0 license.
This smells fishy to me, as I can't come up with a rationale for why
adding a second "BSD" license header to the source file would justify
Fedora ignoring the original CC0. The original code would still
explicitly not have a patent grant, and an extra license doesn't
seem to alter that fact.
It was pointed out that this approach has already been taken by
OpenJDK, where they took CC0 code and added a GPL-v2-only header:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java…
OpenJDK though would be grandfathered in, since it existed in
Fedora before CC0 was forbidden, so I'm not sure that can be
relied on as a precedent.
I am not a lawyer, so I want an expert opinion on this suggestion
that adding a 2nd license header allows Fedora to ignore the
original CC0 license. If it is true, then it would appear to
make the whole exercise of banning CC0 effectively pointless.
I had also suggested downgrading to an older version of dlmalloc
which had the CC Public Domain license, rather than CC0, but the
sgx-sdk maintainers rejected that as they're concerned it has
security relevant flaws.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|