Hey all,
As part of the discussion going on about Mesa on devel@, the situation
around OpenSSL was brought up, and Adam Williamson brought up that we
might not need to hobble OpenSSL anymore[1]. A quick check seems to
indicate we no longer do it for GnuTLS either, and haven't for many
years[2].
Could we just drop all this stuff and use pristine OpenSSL sources?
All the crypto algorithm usability stuff is controlled through
crypto-policies, so I don't think it makes sense to do this anymore
for OpenSSL since all the patents indicated in the script have expired
for a couple of years now[3].
Dropping this will eliminate a chunk of cruft that nobody needs around
anymore and simplify OpenSSL maintenance.
[1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
[2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a…
[3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl
--
真実はいつも一つ!/ Always, there's only one truth!
These questions came up in a FESCo ticket [1] recently and the primary purpose of this thread is to have some public record of the conversation around the handling of pre-trained weights for AI/ML models as packaged for Fedora.
[1] https://pagure.io/fesco/issue/3175
Intro and Definitions
=====================
Previous conversations have involved a decent amount of confusion around terminology and I want to be clear about what I'm asking so I'm starting with a few definitions in the context of my questions.
Artificial Neural Network (ANN) - effectively structured data consisting of neurons (nodes containing some value) organized into layers with various connections between the neurons. There are connections between neurons which control the flow of data through the entire network. The exact value of how the connections affect flow through the network is found through the training process and these values are generally referred to as weights.
Model - A model by itself is a description of a specific ANN - how layers are configured, how they interact with each other, how model training is done, how data needs to be structured for using a trained model and so on. A model by itself is rarely, if ever useful. Models generally need to be trained on data before they can be used but many models offer a mechanism through which weights can be loaded from a model which has already been trained. An untrained model without pre-trained weights or training is pretty much code.
Pre-Trained Weights - Pre-trained weights are essentially the data contained in a model after training the model on some input data. Training modern ANN models is a very expensive and time consuming process; pre-trained weights allow people to use models without having to train the model locally or even have access to data needed to train the model.
Questions
=========
1. Are pre-trained weights considered to be normal non-code content/data or do they require special handling?
2. If an upstream offers pre-trained weights and indicates that those weights are available under a license which is acceptable for non-code content in Fedora, can those pre-trained weights be included in Fedora packages?
3. Extending question 2, is it considered sufficient for an upstream to have a license on pre-trained weights or would a packager/reviewer need to verify that the data used to train those weights is acceptable?
4. Is it acceptable to package code which downloads pre-trained weights from a non-Fedora source upon first use post-installation by a user if that model and its associated weights are
a. For a specific model?
b. For a user-defined model which may or may not exist at the time of packaging?
I can provide examples of any of these situations if that would be helpful.
Thanks,
Tim
Hi,
I have been preparing a new update to dictd, and while doing it, I ran
licensecheck to double-check and clean up the license tag.
I found out that the licenses involved in the source code for the new
1.13.1 are more than originally specified in 1.12.x. There is a COPYING
file with GPL-2.0-only, but the source code files have more. The final
list is:
GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later
AND MIT AND GPL-2.0-or-later AND BSD-3-Clause
There is one file in the source code that claims to be "public domain" [1]:
This code was written by Colin Plumb in 1993, no copyright is claimed.
This code is in the public domain; do with it what you wish
This file is indeed code, so the allowed content exception for CC0-1.0
doesn't apply. The file is not written by the upstream maintainer but
appears to be authored by someone else not in the maintainer list. I'm
not sure how to proceed here. I could ask the upstream developer to
see if he can change the license, but I'm not sure he will be able to since it is
not his. Would this be a valid case for Unlicense?
[1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c
Thank you,
Carlos R.F.
Hi,
I would like to ask for some help determining the correct licenses and SPDX
tags for "scummvm". Please see my three questions further down the mail.
I'm currently updating the scummvm package to a new upstream version (which
introduced a new license) and additionally I'm attempting to migrate the
license tags to SPDX.
- current license tag for scummvm-2.7.1
"License: GPLv3+ and LGPLv2+ and BSD and OFL and MIT and ISC"
- scummvm-2.8.0 lists now the following licenses in its source:
- main license file
https://github.com/scummvm/scummvm/blob/v2.8.0/COPYING
- additional licenses in
https://github.com/scummvm/scummvm/tree/v2.8.0/LICENSES/
- here is my attempt to map the old license tags to the license files and
the new SPDX tags:
GPLv3+:
- COPYING
- COPYING.FREEFONT
-> SPDX: GPL-3.0-or-later
LGPLv2+:
- COPYING.LGPL
-> SPDX: LGPL-2.0-or-later
BSD:
- COPYING.BSD
- COPYING.MKV
-> SPDX: BSD-3-Clause
MIT:
- COPYING.MIT
- COPYING.TINYGL
-> SPDX: MIT
ISC:
- COPYING.ISC
-> SPDX: ISC
OFL:
- COPYING.OFL
-> SPDX: OFL-1.1-RFN
COPYING.GLAD contains:
- an MIT license (although "Software" is substituted with "materials")
- an Apache 2.0 license
- another MIT license
-> SPDX: MIT AND Apache-2.0
COPYING.LUA
- not the standard MIT license
- however, LUA homepage (https://www.lua.org/license.html) explicitly
states that old lua versions can be used under MIT
-> SPDX: MIT
QUESTION 1: Are my findings so far correct?
QUESTION 2: As far as I understand, there is no need to do any "effective
license" analysis, so can I just use these tags concatenated with AND?
new in scummvm-2.8.0: CatharonLicense.txt
- seems to be previously used for the auto-hinter in FreeType
- it looks like it is considered compatible to the FreeType license:
- http://www.fifi.org/doc/libfreetype6/ft2faq.html#autohint-license
- additional information:
- https://directory.fsf.org/wiki/Freetype#tab=Details
- https://changelogs.ubuntu.com/changelogs/pool/main/f/freetype/freetype_2.6.…
- it is not listed in
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
- the FreeType license is listed as allowed license
QUESTION 3: How to proceed with that license?
Sorry for the long mail and thank you very much in advance for your help!
Best regards,
Christian
Hi,
valgrind as a whole is licensed under the GPLv2+, but has a couple of
development headers (all separately packaged in the valgrind-devel
subpackage) with a lax-permissive license. Since they are meant to
embed valgrind specific (code) annotations into other
programs/libraries they carry an explicit exception from the GPL.
There are 7 such files, all exactly the same, except for the embedded
file name, "This file is part of..." description and Copyright notice.
See below for the exact text and variants.
It would be nice to give this binary subpackage its own License tag.
But I have some trouble figuring out which (SPDX) tag to use.
The closest seems to be what SPDX calls "bzip2-1.0.6" (which kind of
makes sense since Julian Seward started both the bzip2 and valgrind
projects). https://spdx.org/licenses/bzip2-1.0.6.html
I could use that identifier. But it seems to be an oddly specific
identifier, for an older version of bzip2. And the Fedora bzip2 package
just uses BSD-4-Clause. I could also use BSD-4-Clause since that is
more generic. But the text of what SPDX calls BSD-4-Clause doesn't
really match (so maybe the Fedora bzip2 package got that wrong?)
What would be the best license tag to use here?
They all look as follows:
/* -*- c -*-
----------------------------------------------------------------
Notice that the following BSD-style license applies to this one
file (valgrind.h) only. The rest of Valgrind is licensed under the
terms of the GNU General Public License, version 2, unless
otherwise indicated. See the COPYING file in the source
distribution for details.
----------------------------------------------------------------
This file is part of Valgrind, a dynamic binary instrumentation
framework.
Copyright (C) 2000-2017 Julian Seward. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. The origin of this software must not be misrepresented; you must
not claim that you wrote the original software. If you use this
software in a product, an acknowledgment in the product
documentation would be appreciated but is not required.
3. Altered source versions must be plainly marked as such, and must
not be misrepresented as being the original software.
4. The name of the author may not be used to endorse or promote
products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
----------------------------------------------------------------
Notice that the above BSD-style license applies to this one file
(valgrind.h) only. The entire rest of Valgrind is licensed under
the terms of the GNU General Public License, version 2. See the
COPYING file in the source distribution for details.
----------------------------------------------------------------
*/
They only differ in "this one file
([valgrind|cachegrind|callgrind|drd|helgrind|memcheck|dhat].h) only" at
the top and the bottom. And the description and Copyright notice.
This file is part of Cachegrind, a high-precision tracing profiler
built with Valgrind.
Copyright (C) 2023-2023 Nicholas Nethercote. All rights reserved.
--
This file is part of callgrind, a valgrind tool for cache simulation
and call tree tracing.
Copyright (C) 2003-2017 Josef Weidendorfer. All rights reserved.
--
This file is part of DRD, a Valgrind tool for verification of
multithreaded programs.
Copyright (C) 2006-2020 Bart Van Assche <bvanassche(a)acm.org>.
All rights reserved.
--
This file is part of Helgrind, a Valgrind tool for detecting errors
in threaded programs.
Copyright (C) 2007-2017 OpenWorks LLP
info(a)open-works.co.uk
--
This file is part of MemCheck, a heavyweight Valgrind tool for
detecting memory errors.
Copyright (C) 2000-2017 Julian Seward. All rights reserved.
--
This file is part of DHAT, a Valgrind tool for profiling the
heap usage of programs.
Copyright (C) 2020 Nicholas Nethercote. All rights reserved.
--
Thanks,
Mark
Could someone check my work here:
https://src.fedoraproject.org/fork/orion/rpms/ccache/tree/unbundle
If I need to list the remaining bundled code, I think I have:
# See LICENSE.adoc for licenses of bundled codes
# blake3 is Apache-2.0
# minitrace.h is MIT
# span.hpp is BSL-1.0
# url.cpp/hpp is MIT
License: GPL-3.0-or-later AND Apache-2.0 AND BSL-1.0 AND MIT
Thank you!
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
Hello, all.
I'm about to package the Perl distribution Throwable-SugarFactory[0]
which one of my packages now depends on.
The "Copyright and License" section of the page[0] reads:
"Christian Walde has dedicated the work to the Commons by waiving all
of his or her rights to the work worldwide under copyright law and all
related or neighboring legal rights he or she had in the work, to the
extent allowable by law.
Works under CC0 do not require attribution. When citing the work, you
should not imply endorsement by the author."
Can I package this? How do I express this in Fedora conventions?
Regards,
Emmanuel
[0] https://metacpan.org/dist/Throwable-SugarFactory
[1] https://metacpan.org/pod/Throwable::SugarFactory#COPYRIGHT-AND-LICENSE
-------- Forwarded message --------
Subject: SPDX Statistics - Selkirk edition
Date: Fri, 2 Feb 2024 10:51:35 +0100
From: Miroslav Suchý <msuchy(a)redhat.com>
Organization: Red Hat Czech, s.r.o.
To: Development discussions related to Fedora <devel(a)lists.fedoraproject.org>
Hot news:
Richard and I had several days of PTO, so the progress of MRs in fedora-license-data was affected by this.
Now let's dive into numbers:
Two weeks ago we had:
> * 23681 spec files in Fedora
>
> * 30232 license tags in all spec files
>
> * 11697 tags have not been converted to SPDX yet
>
> * 5264 tags can be trivially converted using `license-fedora2spdx`
>
> * Progress: 61,31% ░░░░░░████ 100%
>
> ELN subset:
>
> 250 out of 2439 packages are not converted yet (progress 89.75%)
>
Today we have:
* 23711 spec files in Fedora
* 30306 license tags in all spec files
* 11542 tags have not been converted to SPDX yet
* 5193 tags can be trivially converted using `license-fedora2spdx`
* Progress: 61,92% ░░░░░░████ 100%
ELN subset:
217 out of 2766 packages are not converted yet (progress 92.15%)
Graph of these data with the burndown chart:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r…
The list of packages that need to be converted is here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List by package maintainers is here
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List of packages from the ELN subset that need to be converted:
https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt
A new version of fedora-license-data has been released, with 3 new licenses (plus some public domain declarations). 28
licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data)
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B…
Legal docs, and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
were updated too.
License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/
New projection when we will be finished is 2025-01-05 (+15 days from last report). Pure linear approximation.
If your package has neither a git-log entry nor a spec-changelog entry mentioning SPDX and you know your license
tag matches the SPDX formula, you can put your package on the ignore list
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either pull-request or direct email to me is fine.
Why Selkirk edition? On this day, in 1709 Alexander Selkirk was rescued after living as a castaway for four years and
four months. His story heavily inspired Daniel Defoe to write Robinson Crusoe.
https://en.wikipedia.org/wiki/Alexander_Selkirk
Miroslav