legal

legal@lists.fedoraproject.org

1391 discussions

GCC license compliance question
by Matthew Woehlke 24 Mar '25

24 Mar '25

Portions of GCC are distributed under the following license: ==================================================== Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved. Developed at SunPro, a Sun Microsystems, Inc. business. Permission to use, copy, modify, and distribute this software is freely granted, provided that this notice is preserved. ==================================================== However, this notice does not seem to exist anywhere in binary distributions. I suspect the *intent* was similar to a BSD-style license, and my impression is that corporate lawyers tend to argue for that interpretation; i.e. "preserved" means that the notice is present somewhere in derivative works. Upstream, however, seems to feel that the notice is "preserved" because it hasn't been removed from the source file, i.e. it is *not* necessary to include the notice in binary distributions or other derived works. If I ship compiled code which includes code under the above license, what are my obligations? Do I need to include the above notice? Can I omit it entirely? Something else? (See also https://bugzilla.redhat.com/show_bug.cgi?id=2353932.)

2 1

Requesting license review of 7zip (also: question about public domain review requirements)
by Michel Lind 21 Mar '25

21 Mar '25

Dear legal list, I just filed https://gitlab.com/fedora/legal/fedora-license-data/-/issues/640 requesting review request for 7zip's license. TL;DR - this is blocking the review of 7zip, which we want to have as a replacement for p7zip which is dead upstream (and is needed by e.g. the Fedora Asahi Remix) The specific worry is - the language dedicating this to the public domain is very spartan (all of them are one-liners, see the issue) - some of these are done by other people and not the main project author, with no reference to where the sources are obtained from Related question: as I understand it public domain dedications have to be vetted before use, but where is this requirement documented? e.g. https://docs.fedoraproject.org/en-US/legal/license-approval/#_overview does not specifically mention a special process for LicenseRef-Fedora- Public-Domain. Thanks, -- _o) Michel Lind _( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 README: https://fedoraproject.org/wiki/User:Salimma#README

4 5

Fwd: Invitation from FSFE to Online Q&A Session about DMA & Free Software
by Richard Fontana 13 Mar '25

13 Mar '25

---------- Forwarded message --------- From: Dario Presutti <dario(a)fsfe.org> Date: Thu, Mar 13, 2025 at 11:06 AM Subject: Invitation from FSFE to Online Q&A Session about DMA & Free Software To: <rfontana(a)redhat.com> Cc: Lucas Lasota <lucas.lasota(a)fsfe.org> Dear Richard, I hope this email finds you well. My name is Dario, and I am a project manager at the Free Software Foundation Europe (FSFE). I received your contact from Matthias Kirschner - pleased to e-meet you! I am reaching out because my colleague Lucas (CC’d) and I are actively working on the implementation of the Digital Markets Act (DMA) and its implications for Free Software. Recently, we have received many questions from other Free Software organisations regarding this topic. To address these, at the FSFE, we have decided to host an online Q&A session specifically for representatives of FOSS organisations, We would be delighted if you could participate. We would also appreciated if you could post this invitation to the Fedora Legal Mailing List (https://docs.fedoraproject.org/en-US/legal/) because we think this might be of interest. Below, you’ll find key details about the event. Thank you in advance! --- # Online Q&A session – DMA & Free Software: what Free Software organisations need to know Date: 24 March 2025 Time: 17:30 CET Location: Online (FSFE’s instance) Registration required: https://share.fsfe.org/apps/forms/s/riaMwgdMcgTnpHTTX3g92bkk As you may already know, the DMA is a landmark regulation by the European Union, designed to limit the power of large technology companies acting as “gatekeepers” and to foster fairer competition. Among its key provisions, the DMA establishes obligations for these dominant platforms, including the right to install and uninstall software freely, access to third-party app stores, and enhanced interoperability measures. These provisions have the potential to create new opportunities for Free Software development, distribution, and adoption. This session will provide Free Software organisation representatives the opportunity to: - Gain a deeper understanding of how the DMA’s enforcement impacts the Free Software ecosystem and the FSFE’s role in this process - Learn about FSFE’s legal efforts, including its ongoing litigation against Apple at the Court of Justice of the European Union. (If you attended FOSDEM, you may have seen FSFE Legal Programme Manager Lucas Lasota’s keynote on this topic [1]) - Engage directly with the FSFE team working on these issues. Event page: https://fsfe.org/news/2025/news-20250306-01.en.html ---- If you have any questions or need further information, please don’t hesitate to reach out! Thank you again. Best regards, Dario [1] https://fosdem.org/2025/schedule/event/fosdem-2025-5084-how-we-are-defendin… -- Dario Presutti (he/him/none) | Project Manager Free Software Foundation Europe e.V. Schönhauser Allee 6/7, 10119 Berlin, Germany Matrix: @dario:fsfe.org | Email: dario(a)fsfe.org

1 0

Fwd: SPDX Statistics - 123 packages remaining
by Miroslav Suchý 22 Feb '25

22 Feb '25

-------- Přeposlaná zpráva -------- Hot news: - the review of licenses in queue has been stalled for several weeks Two weeks ago we had: > * 24347spec files in Fedora > > * 30986license tags in all spec files > > * 127 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2246tags have not been converted to SPDX yet > > * 15 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.48% ░░░░░░░░░█100% > > ELN subset: > > 57 out of 2317 packages are not converted yet (progress 97.54%) > Today we have: * 24379 spec files in Fedora * 31024license tags in all spec files * 123 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2220tags have not been converted to SPDX yet * 16 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.60% ░░░░░░░░░█100% ELN subset: 57 out of 2316 packages are not converted yet (progress 97.54%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 35 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. I released new version of fedora-license-data with one new license. 11 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Properly releasing software to the public domain
by Jason L Tibbitts III 20 Feb '25

20 Feb '25

I have some pieces of software which I always intended to release to the public domain. I understand that it not possible in all jurisdictions, so in the past I would allow CC0 in this case and used the following license statement: # Originally written by Jason Tibbitts <j(a)tib.bs> in 2016. # Donated to the public domain. If you require a statement of license, please # consider this work to be licensed as "CC0 Universal", any version you choose. Now, if course Fedora decided a couple of years ago that we can't use CC0 for code. Is there a Fedora-approved method for disclaiming copyright? I would like to do this the right way (in part because this software is used by Fedora and I would like to package it for Fedora), but it seems contradictory to use something like MIT-0 because the first line is literally "Copyright <YEAR> <COPYRIGHT HOLDER>". Does 0BSD work? That's at https://opensource.org/license/0bsd

5 6

Fwd: SPDX Statistics - 127 packages remaining
by Miroslav Suchý 07 Feb '25

07 Feb '25

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 127 packages remaining Datum: Fri, 7 Feb 2025 06:42:03 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - the review of licenses in queue has been stalled for several weeks Two weeks ago we had: > * 24401spec files in Fedora > > * 31038license tags in all spec files > > * 142 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2289 tags have not been converted to SPDX yet > > * 16 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.48% ░░░░░░░░░█100% > > ELN subset: > > 61 out of 2316 packages are not converted yet (progress 97.41%) > Today we have: * 24347spec files in Fedora * 30986license tags in all spec files * 127 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2246tags have not been converted to SPDX yet * 15 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.48% ░░░░░░░░░█100% ELN subset: 57 out of 2317 packages are not converted yet (progress 97.54%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 35 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. There was no release of fedora-license-data. 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

[ANNOUNCE] Please join me for the 4th annual open source compliance tooling workshop FOSDEM fringe event, in Brussels, Belgium on January 31st, 2025
by Philippe Ombredanne 10 Jan '25

10 Jan '25

Hello everyone! Are you heading to FOSDEM? Join us for a one-day workshop for developers and users of open source SCA, SBOM, and license and security compliance tools. This is on Friday, January 31, 2025 in Brussels, just before FOSDEM 2025 https://workshop.aboutcode.org If you are involved with Fedora legal issues around open source license compliance, you are super welcome to join! The program will be a single track unconference with the day split in two: tools developers share their plans in the morning and users share their requirements in the afternoon. Then we will be trying to hopefully match requirements and plans, and hatch some plans for cross-project collaboration. This is the 4th time we have this event, and we expect a who-s-who in the space to join for the day, like last year where we were about 75 participants and had a blast! Registration is required. We have free tickets available for the community, but we encourage your contributions to help us pay for the event's expenses! Visit https://workshop.aboutcode.org We're also looking for generous sponsors to help fund the venue and catering - you can contribute online directly or email me directly at pombredanne(a)aboutcode.org I look forward to seeing you there. -- Cordially Philippe Ombredanne AboutCode.org AboutCode - Open source for open source - https://www.aboutcode.org VulnerableCode - the open code and open data vulnerability database ScanCode - scan your code, for origin/license/vulnerabilities, report SBOMs package-url - the mostly universal and essential SBOM identifier for packages DejaCode - What's in your code?!

1 0

Fwd: SPDX Statistics - 161 packages remaining
by Miroslav Suchý 10 Jan '25

10 Jan '25

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 161 packages remaining Datum: Fri, 10 Jan 2025 07:07:35 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - New version of upstream SPDX list has been released https://github.com/spdx/license-list-XML/releases/tag/v3.26.0 Most of the licenses were added due to Fedora. Three weeks (because of Christmas) ago we had: > * 24368spec files in Fedora > > * 31025license tags in all spec files > > * 224 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2475 tags have not been converted to SPDX yet > > * 21 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.28% ░░░░░░░░░█100% > > ELN subset: > > 62 out of 2314 packages are not converted yet (progress 97.32%) > Today we have: * 24379spec files in Fedora * 30988license tags in all spec files * 161 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2325 tags have not been converted to SPDX yet * 21 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.48% ░░░░░░░░░█100% ELN subset: 61 out of 2316 packages are not converted yet (progress 97.37%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 55 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. New version of fedora-license-data has been released. With: 3 new licenses and several public domain or ultrapermissive dedications 12 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Fwd: SPDX Statistics - 224 packages remaining
by Miroslav Suchý 20 Dec '24

20 Dec '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - 224 packages remaining Datum: Fri, 20 Dec 2024 20:36:53 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: - All PRs for firmware packages are merged. - Small improvements to legal-doc has been done. If you want to dive into the changes see https://gitlab.com/fedora/legal/fedora-legal-docs/-/merge_requests/?sort=cl… Two weeks ago we had: > * 24366spec files in Fedora > > * 31018license tags in all spec files > > * 268 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) > > * 2542 tags have not been converted to SPDX yet > > * 29 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 99.14% ░░░░░░░░░█100% > Today we have: * 24368spec files in Fedora * 31025license tags in all spec files * 224 tags are not SPDX compliant (number from line bellow minus packages with LicenseRef-Callaway-*) * 2475 tags have not been converted to SPDX yet * 21 tags can be trivially converted using `license-fedora2spdx` * Progress: 99.28% ░░░░░░░░░█100% ELN subset: 62 out of 2314 packages are not converted yet (progress 97.32%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… Packages that are neither in SPDX nor in Callaway format (highest priority for now) - 55 packages: https://pagure.io/copr/license-validate/blob/main/f/neither-nor-remaining-p… Most of such packages has open issue in fedora-license-data. A lot of them are waiting for SPDX to approved the license and assign ID. I did NOT released new fedora-license-data as there were added a public domain dedication and an ultra permissive dedication. 11 licenses are waiting to be reviewed by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Miroslav

1 0

Usage of modified DUMB library with license patches
by Alexey Lunev 02 Dec '24

02 Dec '24

Hi everyone! I want to bring `zmusic` into Fedora, but there is some issues with licensing. ZMusic uses DUMB library, which has unusual DUMB-0.9.3 license[0], but it is basically zlib license with extra clauses which can restrict it to count as free and accepted license. Fedora already has `dumb ` package, it patches[1] license to make it equivalent to zlib, with permission from original authors[2]. It was 18 years ago. I cannot use this package, because DUMB library, which is bundled with ZMusic, is heavily modified[3]. Is it OK to do the same, or do i need to ask permission from authors again? [0]: https://github.com/kode54/dumb/blob/master/LICENSE [1]: https://src.fedoraproject.org/rpms/dumb/blob/rawhide/f/dumb-0.9.3-license-c… [2]: https://src.fedoraproject.org/rpms/dumb/blob/rawhide/f/license-clarificatio… [3]: https://github.com/ZDoom/ZMusic/blob/master/licenses/legal.txt#L15-L19

3 4

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal