On 1/2/23 11:49, Miroslav Suchý wrote:
> On 02. 01. 23 at 6:34, Benson Muite wrote:
>> available in a package. However, not all licenses are compliant with
>> each other. A chart indicating which licenses can be included with other
>> licenses is available at:
>>
>> https://dwheeler.com/essays/floss-license-slide.html
>> Would it be possible to create a similar chart for all SPDX identifiers
>> that can be used in Fedora? This would enable adding such a check to
>> fedora-review.
>
> IANAL, but this can hardly be applied to a package. This graph can be
> applied to the same or a derived work, but not to a collection of
> works, which is what a package is.
>
> E.g., I can have a package which contains tools:
>
> /usr/bin/foo
>
> /usr/bin/bar
>
> foo is licensed as LGPLv2.1 and bar is licensed as MPL 1.1. Although
> these two licenses are not compatible, I see no problem with having these
> two separate tools in the same package, and with the package having the
> license LGPL-2.1-or-later AND MPL 1.1 (or whatever the SPDX id is).

It is reasonable to have the tools as separate binaries within the same
package. At present, the license check will indicate which license
declarations have been made. Having reviewer guidance on license
compatibility would be helpful. A full automatic check may be difficult,
but warnings would be helpful for reviewers to check licensing and seek
clarification if necessary. As there is an ever-growing number of open
source licenses, automating some of this process is helpful. The motivation
for this is a review of a package that contains files under GPL2+, but
the intention of the developers is to use Apache 2.0:
https://bugzilla.redhat.com/show_bug.cgi?id=2157252

There is some work on this. In particular, the Open Source Automation
Development Lab [1] publishes a compatibility matrix in JSON format.
This information is available in a Python library [2], though something
could also be built specifically for Fedora. Creative Commons licenses [3]
also have compatibility requirements.

1)