legal July 2024

legal@lists.fedoraproject.org

10 participants
7 discussions

Request to stop hobbling crypto libraries
by Neal Gompa 12 Sep '24

12 Sep '24

Hey all, As part of the discussion going on about Mesa on devel@, the situation around OpenSSL was brought up, and Adam Williamson brought up that we might not need to hobble OpenSSL anymore[1]. A quick check seems to indicate we no longer do it for GnuTLS either, and haven't for many years[2]. Could we just drop all this stuff and use pristine OpenSSL sources? All the crypto algorithm usability stuff is controlled through crypto-policies, so I don't think it makes sense to do this anymore for OpenSSL since all the patents indicated in the script have expired for a couple of years now[3]. Dropping this will eliminate a chunk of cruft that nobody needs around anymore and simplify OpenSSL maintenance. [1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org… [2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a… [3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl -- 真実はいつも一つ！/ Always, there's only one truth!

7 16

License acceptability check for py-sdl
by Sandro 25 Jul '24

25 Jul '24

Hi, During package review [1] the license terms of py-sdl [2] were flagged as problematic. Therefore I'm passing this on to Fedora Legal for deciding on a) Does py-sdl2 come with an acceptable license? b) If so, which license should be specified? For the opposing views on the matter, please see comment 1 and 2 in the Bugzilla ticket. [1] https://bugzilla.redhat.com/show_bug.cgi?id=2283541 [2] https://github.com/py-sdl/py-sdl2/blob/master/doc/copying.rst Cheers, -- Sandro FAS: gui1ty Matrix: Penguinpee Elsewhere: [Pp]enguinpee

2 2

Fwd: SPDX Statistics - House Sign Edition
by Miroslav Suchý 19 Jul '24

19 Jul '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - House Sign Edition Datum: Fri, 19 Jul 2024 12:05:31 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: * FESCO agreed on decision about conversions. But there was a confusion about the wording, so the ticket is reopened https://pagure.io/fesco/issue/3230 * The confusion is just about "trivial" conversions. All others will be converted to LicenseRef-Callaway-$OLDID before Change Completation deadline (mid of August). * Richard reviewed all Nmap licenses. All of them were declined. Blocking new releases on Nmap in Fedora. Old version is allowed in Fedora under exception. https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?sort=updated_… * We (stakeholders of this Change) resumed our investigation on what tooling we should use to detect changes in new upstream releases. Two weeks ago we had: > * 24117spec files in Fedora > > * 30788license tags in all spec files > > * 10271 tags have not been converted to SPDX yet > > * 4460 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 66,64% ░░░░░░████ 100% > > ELN subset: > > 84 out of 2354 packages are not converted yet (progress 96.43%) > Today we have: * 24223spec files in Fedora * 30899license tags in all spec files * 10114 tags have not been converted to SPDX yet * 4325 tags can be trivially converted using `license-fedora2spdx` * Progress: 67,27% ░░░░░░████ 100% ELN subset: 80 out of 2354 packages are not converted yet (progress 96.59%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… New version of fedora-license-data has been released. With: 5 new licenses. 5 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. New projection when we will be finished is 2025-07-16 (+12 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why Hause sign edition? Because on today's date at 1770 my hometown (Brno) introduced house numbering. BTW House numbering has various implementation over the word and it is big rabbit hole. [1]. I was wondering what was used before the house numbers? Outside of the cities plain names of families were used to identifies houses. But in big cities hause signs were used. So we have House of Two Suns, House of White Swan etc. Here are some pictures of house signs from Prague where they are still present in old city. http://www.notasthecrowsflies.com/2014/09/prague-house-signs-of-nerudova-st… [1] https://en.wikipedia.org/wiki/House_numbering Miroslav

1 0

Review and Guidance needed - licenses transforming based on time
by Michal Schorm 17 Jul '24

17 Jul '24

Hello, I'd like a review of 'MariaDB Business Source License (BSL)'. Here is a specific instance of the license: https://github.com/mariadb-corporation/MaxScale/blob/24.02/licenses/LICENSE… Here is FAQ about it: https://mariadb.com/bsl-faq-mariadb/ TL;DR: the license says it's non-free, but it becomes free (GPL in this case) after a specific time. -- Apart from this specific case, I'd like to hear your guidance in similar cases in general - whether they are mostly accepted or rather avoided (by Fedora), as more licenses with this idea exists, e.g.: https://github.com/getsentry/sentry/blob/master/LICENSE.md -- Michal Schorm Software Engineer Core Services - Databases Team Red Hat --

5 12

OpenAL docs redistribution / modification?
by Marián Konček 17 Jul '24

17 Jul '24

Hi, does the license at the beginning of the document https://www.openal.org/documentation/openal-1.1-specification.pdf allow distribution of versions with the same content but in a different form (HTML) and with some formatting changes? Unfortunately, the other documents like https://www.openal.org/documentation/OpenAL_Programmers_Guide.pdf pretty clearly state "All Rights Reserved", which means no such distribution is legal? -- Marián Konček

2 1

Update on Fedora treatment of Nmap licensing
by Richard Fontana 12 Jul '24

12 Jul '24

I've done a long overdue review of the various Nmap licenses and have updated fedora-license-data accordingly. 1. LicenseRef-Nmap: not-allowed Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/543 This is Callaway "Nmap", i.e. the GPLv2-incompatible GPLv2 gloss commented on here: https://fedoraproject.org/wiki/Licensing/Nmap This license was classified as "good" but on a new review, that assessment seems unjustified and inconsistent with the analysis of the subsequent licenses. While we should be very reluctant to overturn a past "good" classification I don't see any other option here. But there is a usage exception that says versions of Nmap covered by this license can continue to be included in Fedora Linux indefinitely. (I thought of limiting it to a couple of releases.) 2. LicenseRef-NPSL-0.92: not-allowed Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/542 This was "NPSL" (on the "bad" list) prior to the migration to SPDX identifiers. See: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org… It was mistakenly imported into fedora-license-data as `LicenseRef-NPSL-0.94`. 3. LicenseRef-NPSL-0.93: not-allowed Related issues: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/541 https://gitlab.com/fedora/legal/fedora-license-data/-/issues/540 This covers the multiple versions of Nmap licenses labeled as "Version 0.93" and "Version 0.94" 4. LicenseRef-NPSL-0.95: not-allowed Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/539 This covers the multiple versions of Nmap licenses labeled as "Version 0.95". Other relevant issues: https://github.com/nmap/nmap/issues/2199 https://gitlab.com/fedora/legal/fedora-license-data/-/issues/147 https://bugs.gentoo.org/749390 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972216 https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html https://github.com/NixOS/nixpkgs/issues/105119 https://labs.parabola.nu/issues/2966 https://bugzilla.opensuse.org/show_bug.cgi?id=1211571 Richard

4 9

Fwd: SPDX Statistics - Alice Edition
by Miroslav Suchý 04 Jul '24

04 Jul '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Alice Edition Datum: Thu, 4 Jul 2024 07:09:55 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: * Discussion about trivial conversion did not have consensus. I opened FESCO ticket https://pagure.io/fesco/issue/3230 * Scancode-toolkit is present in Fedora 40 too. If you want to play with it - here is the command line that gives *me* the best result: scancode --license --license-references -n6 --html /tmp/scan.html $DIR_WITH_UNPACKED_TARGZ * Package fedora-license-data now contains License Policy for scancode. The file is /usr/share/fedora-license-data/scancode-license-policy.yaml Or you can download it from https://gitlab.com/fedora/legal/fedora-license-data#artifact I still did not found out how to use it, so if you find it helpful I am eager to hear your success stories. * license-validate now accepts lowercase "and","or" according to SPDX v3. Two weeks ago we had: > * 24113spec files in Fedora > > * 30804license tags in all spec files > > * 10348 tags have not been converted to SPDX yet > > * 4503 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 66,41% ░░░░░░████ 100% > > ELN subset: > > 101 out of 2397 packages are not converted yet (progress 95.79%) > Today we have: * 24117spec files in Fedora * 30788license tags in all spec files * 10271 tags have not been converted to SPDX yet * 4460 tags can be trivially converted using `license-fedora2spdx` * Progress: 66,64% ░░░░░░████ 100% ELN subset: 84 out of 2354 packages are not converted yet (progress 96.43%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… New version of fedora-license-data has been released. With: 5 new licenses. 6 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. New projection when we will be finished is 2025-07-04 (+17 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why Alice edition? Because today's date has *two* relation to Alice in Wonderland: Lorina Charlotte Liddell, Alice Pleasance Liddell, Edith Mary Liddell. Three teenage girls, sisters. On 4th July 1862, Lewis Carroll travelled with them by boat on the River Thames from Oxford to Godstow. During the voyage, Alice asked Carroll to tell them a story - a fairy tale. And so Carroll put down roots for a phenomenal story, with a gesture of assent - beginning by telling the story of Alice, whose fall down the rabbit hole introduced bizarrely fantastic elements into her fairy tale life. Alice begged several times for Carroll to write the story for her to read whenever she wanted, until finally Carroll gave in to the child's wishes and actually produced the writing and gave it to Alice (he titled it: Alice's Adventures Under Ground). Then, at Christmas 1864, Alice received a gift from Carroll - a revised and expanded narrative, complete with illustrations. The following year - on 4th July 1865 - the file was then published with professional illustrations by John Tenniel. https://en.wikipedia.org/wiki/Alice%27s_Adventures_in_Wonderland#Background Miroslav

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal July 2024