Hi Richard,
On Sun, 2023-12-10 at 12:23 -0500, Richard Fontana wrote:
On Sat, Dec 9, 2023 at 6:48 PM Mark Wielaard <mark(a)klomp.org> wrote:
> > SPDX is community-driven project. Under Linux Foundation. With all
> > materials open and all decisions done in public.
>
> Even if it is, then it is still problematic to request Fedora
> contributors to file issues in these external third-party proprietary
> trackers.
I agree that this is problematic though we are already using a
third-party proprietary system (gitlab.com) to host the Fedora License
Data repository, so does the fact that SPDX is hosted on GitHub really
make things materially worse? (Surely the fact that gitlab is open
core shouldn't make much of a difference for use of their hosted
version, though I get the sense that some people feel this way.) I
personally wouldn't be opposed to
hosting Fedora License Data on pagure.io (or finding some other FOSS
solution) but I think some others on the team would. :)
If anyone objects to direct use of GitHub, we can file issues on their
behalf. Same goes for anyone who objects to gitlab.com. I'll make a
note to put this in the Fedora legal documentation.
I do think it is problematic (ironic?) for Fedora legal to use these
proprietary platforms. The only reason I even could use the gitlab.com
thing was because I happen to have a corporate account created for me.
I got the impression the discussion on the mailing list was stuck so did
use the discussion going. But in my normal setup I couldn't even access
it because there is some kind of Cloudflare block.
But this is a concern I had too - when we started this I was worried
about SPDX taking too long to review issues coming from Fedora. This
has actually not turned out to be a significant problem in practice.
The delays in the process have had more to do with things on our side.
> Fedora always reviewed
> more licenses than either of them, and I doubt the SPDX project will
> either.
Over the past year and a half, I believe SPDX has made an
unprecedented expansion of the SPDX license list and this is mostly
due to SPDX accommodating issues from Fedora.
That is good to hear. Sorry for my skepticism. But I still think this
double indirection isn't a good thing. It would be so much better if
the spdx team just engaged on the fedora legal list. Now we have
various outstanding questions which first have to go through gitlab.com
and then through github.com causing a lot of noise/confusion imho.
Also, SPDX is a standard that does not lock us in to the SPDX license
list. We can bypass the SPDX license list inclusion process by using
Fedora-defined `LicenseRef-` identifiers, and indeed we have done this
in quite a few cases (including for allowed licenses). The current
policy is to aim for SPDX license list inclusion at least for all
Fedora-allowed FOSS licenses. This is less a benefit for Fedora than
it is for SPDX and the larger community that is likely to make
increasing use of SPDX identifiers. Also, in an extreme scenario (for
example, if the SPDX project dies out or becomes impossible to work
with) we can fork SPDX, or more precisely the limited aspects of SPDX
that are relevant to Fedora.
I think there is at least some confusion (at least for myself) how we
are matching these license lists, or more specifically how to map
licenses to identifiers. We have tooling, but that seems either too
strict or too inexact. And different people seem to interpret different
kinds of notices as part of a license and/or requiring new identifiers
(at least the AND/OR/WITH language seems too weak to express some
things). It isn't totally clear to me who is expected to make these
determinations, the packager, the Fedora legal team or the SPDX team.
And if being too nitpicking (which I might be) is actually in the
interest of the Fedora project/users.
Will reply to your comments in the gitlab issue with specifics for the
case of the Hybrid-BSD (variants?) in valgrind.
Cheers,
Mark