perl-Crypt-Argon2: CC0-1.0 OR Apache-2.0
by Chuck Anderson
Is a disjunctive license that includes CC0-1.0 as one of the options
acceptable for Fedora? I'm intending to submit perl-Crypt-Argon2 for
Fedora review and the C source code files [2] say:
"You may use this work under the terms of a Creative Commons CC0 1.0
License/Waiver or the Apache Public License 2.0, at your option."
But some of the files only mention CC0-1.0. In the GitHub [2] only
dist.ini mentions CC0-1.0 without Apache-2.0, but on CPAN [1] this is
expanded to README, LICENSE, lib/Crypt/Argon2.pm and
script/argon2-calibrate.
I'd like to ask upstream to add a dual-license with Apache-2.0
everywhere CC0-1.0 is mentioned, but only if that would be an
acceptable result.
dist.ini:
name = Crypt-Argon2
author = Leon Timmermans <leont(a)cpan.org>
license = CC0_1_0
copyright_holder = Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans
copyright_year = 2013
LICENSE:
"Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans has dedicated the work to the Commons by waiving all of his
or her rights to the work worldwide under copyright law and all related or
neighboring legal rights he or she had in the work, to the extent allowable by law.
Works under CC0 do not require attribution. When citing the work, you should
not imply endorsement by the author.
Creative Commons Legal Code
CC0 1.0 Universal
[...trimmed full license text...]"
[1] https://metacpan.org/dist/Crypt-Argon2
[2] https://github.com/Leont/crypt-argon2
1 week
public domain dedication variants in the wild (found in Fedora)
by Jilayne Lovejoy
Hi SPDX-legal
Some time ago, I raised the issue of the possibility of finding a
proliferation of public domain "dedication" texts in the course of
Fedora reviewing package license info to adopt SPDX ids. Please see
https://lists.spdx.org/g/Spdx-legal/topic/93048752#3202 for the background.
Fedora has been "collecting" such texts here
https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-do...
and using a specific LicenseRef-Fedora-Public-Domain as a sort of
placeholder SPDX id.
The idea being, no assessment of how many of these types of dedications
exist has been collected in one place in order for the SPDX-legal
community to assess.
I estimate that Fedora has collected about 48 variations of public
domain statements that are not specifically identified on the SPDX
License List. I'm going to assume many of these packages also show up
in other major distros.
I'd like to raise the conversation as to:
1) Should each unique entry be added to the SPDX License List as a
standalone entry (like normal, in that one SPDX license id represents a
specific, identifiable license/set of text)?
2) Should SPDX consider a different approach by defining one SPDX id to
represent any one of a collection of specifically identified and vetted
texts?
I'd love to hear your yes or no answer to these questions and why you
answered as such :)
Also see for background:
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_upd...
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_pub...
We likely won't have time to discuss this on Thursday's call, but I
wanted to start the discussion here and perhaps we can dedicate some
time at an upcoming meeting.
Thanks,
Jilayne
(copying Fedora-legal for awareness)
2 weeks, 5 days
Re: Changing the License tag of python-rpm-generators from GPLv2+ to a monstrosity
by Richard Fontana
On Fri, May 5, 2023 at 9:56 AM Chris Kelley <ckelley(a)redhat.com> wrote:
>
> As a purely logical expression, this simplifies to "GPL-2.0-or-later AND LGPL-2.1-or-later". Is that sort of simplification not allowed?
The short answer is, these are not truly logical expressions and
therefore they shouldn't necessarily simplify. Of course you could
adopt some arbitrary convention for such simplification, which might
or might not be well-grounded in some interpretation of the licenses
at issue. In the past, there was no documented uniform set of
conventions and basically each package maintainer applied their own
assumptions about how license expressions could be simplified, leading
to general inconsistency across different packages. The general trend
in Fedora that I observed over many years was that license tags were
getting more specific, i.e. less "simplification" was being done (or
ignoring certain licenses was occurring less). This is actually shown
by the fact that the Callaway system had a "Public Domain" which was
widely used in packages with license tags containing references to
other licenses. So we aren't actually changing policy here.
Still, the cases involving public domain dedications are fairly
extreme in this regard. If we *were* to adopt some system of
simplification of license expressions that's probably where we'd
start.
Richard
>
> On Fri, 5 May 2023, 13:20 Miro Hrončok, <mhroncok(a)redhat.com> wrote:
>>
>> python-rpm-generators License tag changes from GPLv2+ to:
>>
>> GPL-2.0-or-later AND LGPL-2.1-or-later AND (LicenseRef-Fedora-Public-Domain OR
>> LGPL-2.1-or-later OR GPL-2.0-or-later)
>>
>> https://src.fedoraproject.org/rpms/python-rpm-generators/pull-request/67
>>
>> Funny thing is that the "(LicenseRef-Fedora-Public-Domain OR LGPL-2.1-or-later
>> OR GPL-2.0-or-later)" thing was originally chosen to keep the License tag of
>> the package simple while allowing others to grab the code from it without
>> obligations :/
>>
>> --
>> Miro Hrončok
>
3 weeks, 1 day