Hi,
I am trying to package .NET 7 in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2142178
(This is a new package, though it's "just" an updated version of the .NET 6 package that we already include in Fedora.)
The reviewer has helped identify that the source code archive includes a few files that include notes about Creative Commons. I am looking on advice on how to handle it.
I found basically these 7 non-content files that have a pointer to creativecommons.org:
https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Cor... https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Cor...
These two files have an MIT license header in addition to the comment that the code is based on an algorithm originally licensed under CC0. These files are a critical part of .NET that we absolutely need to build and include in Fedora.
Can I ignore the comment about CC0 because of the MIT license header in the file? Is it safe to treat these files as under MIT only? If not, what are my options to handle this piece of code?
https://github.com/dotnet/fsharp/tree/main/tests/benchmarks/CompiledCodeBenc... https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FShar... https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FShar...
These 3 don't have an MIT or Apache header. Only a Creative Commons header.
Given that these files are benchmarks and unit tests that we don't run during the build, I suppose I can just delete these files? Do I need to delete them from the source archive or can I delete them in %prep?
Are other/easier options on the table here?
https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.c https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.h
These are under CC-PDDC and hence acceptable without any issues, right?
It looks like newer versions of dlmalloc use CC0 and so are unacceptable to Fedora? Is there any guidance I can share with .NET upstream in terms of the impact of eventually switching to the newer version of dlmalloc?
Thanks, Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
Hi,
I have been working on moving the (still in review) .NET 7 package to the new SPDX identifiers in the License field and I had some additional questions that I could use some guidance on.
1. What, if anything, do I need to do about the "MS Patent Promise"?
Full text here: https://github.com/dotnet/runtime/blob/main/PATENTS.TXT
Is this something that needs to be tracked as a license?
2. What to do about code that uses answers from StackOverflow?
StackOverflow answers are licensed under some variant of CC: https://stackoverflow.com/help/licensing
.NET has some code that's adapted from there. For example, https://github.com/dotnet/runtime/blob/ac03fbd184b182a6632a50bbe70bc733e4872...
CC-BY-SA-4.0 is in the "allowed content" list in Fedora, but not in the "allowed-for-code" list. What should I do here?
3. Some code seems to have warranty disclaimers
Example: https://github.com/dotnet/fsharp/blob/main/tests/fsharp/typecheck/sigs/neg70...
How should I handle this? Would this file be covered under the license at the root of the repository (MIT), or would this be a separate license?
4. What license is this file under?
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula...
Should I treat it as under MIT, like the license header at the top of the file says, or under the separate license text on line 4 and later? Or both? Does anyone know what's the SPDX identifier for the license text on line 4 and later?
5. Is there an SPDX identifier for "Unicode Mappings License"?
An example of this license is also at https://android.googlesource.com/platform/external/unicode/+/49008729606a2dc...
6. Is there an SPDX identifier for this MIT variant?
https://fedoraproject.org/wiki/Licensing:MIT?rd=Licensing/MIT#HP_Variant
Internally, I have seen Red Hat refer to this as OSF-1990.
7. Is there a known SPDX identifier for the IETF license?
License text available at bottom of https://datatracker.ietf.org/doc/rfc3492/
Internally, Red Hat refers to this as just "ietf".
8. Is there a SPDX identifier for this variant of MIT:
http://www-cs-students.stanford.edu/~tjw/jsbn/LICENSE
Internally, I have seen this referred to as "mit-addition".
9. Is there anything that I need to do about these public domain disclaimers? Can I just refer to these as CC-PDDC?
- https://github.com/dotnet/runtime/blob/de84cf9f723f5d4342e95c692d088ed2af63f... - https://github.com/dotnet/fsharp/blob/23e22eadf193cdd7e38ea4fa68c0f76d1b14ca... - https://github.com/dotnet/fsharp/blob/23e22eadf193cdd7e38ea4fa68c0f76d1b14ca...
Thanks, Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
Is there a SPDX identifier for this variant of MIT:
http://www-cs-students.stanford.edu/~tjw/jsbn/LICENSE
Internally, I have seen this referred to as "mit-addition".
I believe this is the same as the license I recently submitted to SPDX as "MIT-Wu", which was motivated by something other than a Fedora package maintainer request/inquiry: https://github.com/spdx/license-list-XML/issues/1652 SPDX hasn't acted on this yet but I think we could request higher prioritization given that it has now come up in a specific Fedora packaging matter. If it's no trouble, please submit an issue to fedora-license-data proposing this as a new license.
Richard
Hi,
Richard Fontana rfontana@redhat.com writes:
If it's no trouble, please submit an issue to fedora-license-data proposing this as a new license.
Done: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/102
Thanks!
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
What license is this file under?
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula...
Should I treat it as under MIT, like the license header at the top of the file says, or under the separate license text on line 4 and later? Or both? Does anyone know what's the SPDX identifier for the license text on line 4 and later?
I'd probably conclude 'both' based on limited information. Also, I think the separate license text is something that ought to match to SPDX "MIT" but doesn't, so I think the best thing to do here is to submit an issue to https://github.com/spdx/license-list-XML proposing a change to the XML file (https://github.com/spdx/license-list-XML/blob/main/src/MIT.xml) that specifies what "MIT" means as an SPDX identifier. Jilayne can probably provide more helpful guidance here.
Richard
Hi Jilayne,
Richard Fontana rfontana@redhat.com writes:
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
What license is this file under?
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula...
Should I treat it as under MIT, like the license header at the top of the file says, or under the separate license text on line 4 and later? Or both? Does anyone know what's the SPDX identifier for the license text on line 4 and later?
I'd probably conclude 'both' based on limited information. Also, I think the separate license text is something that ought to match to SPDX "MIT" but doesn't, so I think the best thing to do here is to submit an issue to https://github.com/spdx/license-list-XML proposing a change to the XML file (https://github.com/spdx/license-list-XML/blob/main/src/MIT.xml) that specifies what "MIT" means as an SPDX identifier. Jilayne can probably provide more helpful guidance here.
Any advice here? The wording in the second half of the license has several textual differences from MIT. How should I handle this?
Thanks, Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
On Mon, Dec 5, 2022 at 11:57 AM Omair Majid omajid@redhat.com wrote:
Hi Jilayne,
Richard Fontana rfontana@redhat.com writes:
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
What license is this file under?
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula...
Should I treat it as under MIT, like the license header at the top of the file says, or under the separate license text on line 4 and later? Or both? Does anyone know what's the SPDX identifier for the license text on line 4 and later?
I'd probably conclude 'both' based on limited information. Also, I think the separate license text is something that ought to match to SPDX "MIT" but doesn't, so I think the best thing to do here is to submit an issue to https://github.com/spdx/license-list-XML proposing a change to the XML file (https://github.com/spdx/license-list-XML/blob/main/src/MIT.xml) that specifies what "MIT" means as an SPDX identifier. Jilayne can probably provide more helpful guidance here.
Any advice here? The wording in the second half of the license has several textual differences from MIT. How should I handle this?
MIT is a category license in SPDX (for now), like how MIT and BSD are in Fedora identifiers. It's an odd deviation, but I'm not sure what we're supposed to do here either.
-- 真実はいつも一つ!/ Always, there's only one truth!
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
Hi,
I have been working on moving the (still in review) .NET 7 package to the new SPDX identifiers in the License field and I had some additional questions that I could use some guidance on.
What, if anything, do I need to do about the "MS Patent Promise"?
Full text here: https://github.com/dotnet/runtime/blob/main/PATENTS.TXT
Is this something that needs to be tracked as a license?
There's no current explicit policy on this but (1) such standalone patent statements of this sort should be reviewed for conformance with Fedora legal standards, much as non-patent-specific software licenses should be reviewed, and (2) my current inclination is that they should be documented in the license tag. If you could submit an issue about the Microsoft patent promise to fedora-license-data we can proceed from there.
What to do about code that uses answers from StackOverflow?
StackOverflow answers are licensed under some variant of CC: https://stackoverflow.com/help/licensing
.NET has some code that's adapted from there. For example, https://github.com/dotnet/runtime/blob/ac03fbd184b182a6632a50bbe70bc733e4872...
CC-BY-SA-4.0 is in the "allowed content" list in Fedora, but not in the "allowed-for-code" list. What should I do here?
Ah, yes, this is an unfortunate problem that Stack Exchange has created, though I'm not sure it's explicitly come up in a Fedora context before. CC BY-SA cannot generally be "allowed" (e.g. for code) in Fedora for the same reason that CC0 now isn't, namely, it has a "no patent licenses" clause, which is less annoying in the CC BY-SA case because, leaving aside this Stack Overflow license policy, it is very uncommon to see CC BY-SA used for code. It seems appropriate to create an exception (documented in a "usage" note) that would permit reasonable cases involving efforts to comply with the StackOverflow policy. If you could submit an issue about this at fedora-license-data we can proceed from there.
Some code seems to have warranty disclaimers
Example: https://github.com/dotnet/fsharp/blob/main/tests/fsharp/typecheck/sigs/neg70...
How should I handle this? Would this file be covered under the license at the root of the repository (MIT), or would this be a separate license?
I don't think I can give a general answer but looking at this particular case (and this would also apply to other F# tests in that repository using the same boilerplate language, if any), I would just assume that the license is the MIT license (the intention was probably more like a no-conditions broad permission grant).
Is there an SPDX identifier for "Unicode Mappings License"?
An example of this license is also at https://android.googlesource.com/platform/external/unicode/+/49008729606a2dc...
This license was recently determined to be not allowed: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/69
As noted there, a similar Unicode license was treated as "good" in the past, for unclear reasons, and I speculated that this UTF conversion code probably appeared in a number of Fedora packages. You are welcome to submit an issue about this at fedora-license-data. The best result here, long term at least, would be to either get the upstream to replace this code with something under a FOSS license or to see whether a more recent FOSS Unicode license might cover the same code (which might require finding someone at the Unicode Consortium).
Is there an SPDX identifier for this MIT variant?
https://fedoraproject.org/wiki/Licensing:MIT?rd=Licensing/MIT#HP_Variant
Internally, I have seen Red Hat refer to this as OSF-1990.
I don't believe so. Jilayne would know whether there was any past attempt to submit this to SPDX.
Is there a known SPDX identifier for the IETF license?
License text available at bottom of https://datatracker.ietf.org/doc/rfc3492/
Internally, Red Hat refers to this as just "ietf".
I don't think so. Please submit an issue to fedora-license-data. Note, I created an issue at fedora-legal-docs not too long ago about the same license, suggesting that RFC documents should be classified as "content" rather than "documentation" for Fedora license standards purposes. See: https://gitlab.com/fedora/legal/fedora-legal-docs/-/issues/26
BTW, just to clarify, whether a license encountered in a package has an SPDX identifier is a secondary issue; the primary question is whether the license meets Fedora licensing standards (https://docs.fedoraproject.org/en-US/legal/license-approval/). Many licenses with SPDX identifiers are not allowed in Fedora; there are also licenses allowed in Fedora that do not have SPDX identifiers, though we are aiming to get SPDX identifiers assigned for any license that is included in an RPM license tag.
- Is there anything that I need to do about these public domain disclaimers? Can I just refer to these as CC-PDDC?
So as to the third one there, see my response above about the other F# test/sample code.
Regarding the other two: Back in the Callaway era, there was an expectation that public domain dedications would be documented in the license tag using the "Public Domain" name. We currently don't have a great post-Callaway solution (and how best to deal with this remains uncertain) but what we are doing for the time being is using "LicenseRef-Fedora-Public-Domain" as the SPDX expression (https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/License...) and we are asking package maintainers to add the public domain dedication language to this file: https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-domai... basically so that we can get a better sense of the range of permission statements at issue here.
Richard
On Fri, Nov 25, 2022 at 11:14 PM Richard Fontana rfontana@redhat.com wrote:
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
Is there an SPDX identifier for "Unicode Mappings License"?
An example of this license is also at
https://android.googlesource.com/platform/external/unicode/+/49008729606a2dc...
This license was recently determined to be not allowed: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/69
As noted there, a similar Unicode license was treated as "good" in the past, for unclear reasons, and I speculated that this UTF conversion code probably appeared in a number of Fedora packages. You are welcome to submit an issue about this at fedora-license-data. The best result here, long term at least, would be to either get the upstream to replace this code with something under a FOSS license or to see whether a more recent FOSS Unicode license might cover the same code (which might require finding someone at the Unicode Consortium).
I know the General Counsel at the Unicode Consortium, Anne Gundelfinger,
I'd be happy to make an introduction if you like. Many, many years ago she was the trademark lawyer for Intel.
Pam Chestek
Hi,
Thanks for the detailed response! I am still working through most of this, but want to get some clarification on this one:
Richard Fontana rfontana@redhat.com writes:
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
Is there an SPDX identifier for "Unicode Mappings License"?
An example of this license is also at https://android.googlesource.com/platform/external/unicode/+/49008729606a2dc...
This license was recently determined to be not allowed: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/69
Does that mean any code under this license is firmly not allowed?
As noted there, a similar Unicode license was treated as "good" in the past, for unclear reasons, and I speculated that this UTF conversion code probably appeared in a number of Fedora packages.
Is there anything that I need to do to find such packages and/or handle them in some way?
You are welcome to submit an issue about this at fedora-license-data.
Would this request be to re-consider and treat this license as acceptable ? If not, can you clarify what the issue should be about?
The best result here, long term at least, would be to either get the upstream to replace this code with something under a FOSS license
Okay, we can probably start some conversations to look at this for .NET 8. What are my options for .NET 7 in the short term?
or to see whether a more recent FOSS Unicode license might cover the same code (which might require finding someone at the Unicode Consortium).
I see Pamela's response later in the thread about a contact. Is there anything I can do to help move this conversation along?
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
Hi,
Omair Majid omajid@redhat.com writes:
Richard Fontana rfontana@redhat.com writes:
On Thu, Nov 24, 2022 at 1:07 PM Omair Majid omajid@redhat.com wrote:
Is there an SPDX identifier for "Unicode Mappings License"?
An example of this license is also at https://android.googlesource.com/platform/external/unicode/+/49008729606a2dc...
This license was recently determined to be not allowed: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/69
Does that mean any code under this license is firmly not allowed?
Nevermind. I took another look and it's another case of a phantom license (same as [0]). There's a file that contains a list of third-party licenses and notices [1]. That file isn't valid on Linux and refers to components that are only downloaded/built/bundled on Windows.
Sorry for the noise.
[0] https://gitlab.com/fedora/legal/fedora-license-data/-/issues/99 [1] https://github.com/NuGet/NuGet.Client/blob/be87c9ee11149780ce7de5fe35fe2653d...
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
Hi
Thanks to everyone, especially Richard, for their advice and suggestions.
As far as I can tell, these are the remaining licensing questions before we are ready to include .NET 7 in Fedora:
1. How to define the MS Patent Promise [1] in Fedora?
The discussion is continuing at https://gitlab.com/fedora/legal/fedora-license-data/-/issues/103 but there hasn't been much movement recently.
2. What to do about code that uses from StackOverflow?
It seems like someone just needs to craft the wording for an exception and add it to the CC licenses in Fedora? More at https://gitlab.com/fedora/legal/fedora-license-data/-/issues/104
Is there anyone who can help craft this wording?
3. What to do about the following licenses:
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula... https://fedoraproject.org/wiki/Licensing:MIT?rd=Licensing/MIT#HP_Variant
Both seem look like variants of MIT [2][3]. As folks in this thread have helped me understand, MIT is a category under SPDX, not a single license. Neither of these are part of the MIT SPDX identifier yet. Is it okay to use them under the 'MIT' identifier in Fedora while they are still being worked on the SPDX and fedora-license-data side?
[1] https://github.com/dotnet/corefx/blob/master/PATENTS.TXT [2] https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/... [3] https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/...
Thanks, Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
Hi,
Omair Majid omajid@redhat.com writes:
As far as I can tell, these are the remaining licensing questions before we are ready to include .NET 7 in Fedora:
How to define the MS Patent Promise [1] in Fedora?
The discussion is continuing at https://gitlab.com/fedora/legal/fedora-license-data/-/issues/103 but there hasn't been much movement recently.
What to do about code that uses from StackOverflow?
It seems like someone just needs to craft the wording for an exception and add it to the CC licenses in Fedora? More at https://gitlab.com/fedora/legal/fedora-license-data/-/issues/104
Both issues above have now been resolved. Thanks, everyone!
What to do about the following licenses:
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula... https://fedoraproject.org/wiki/Licensing:MIT?rd=Licensing/MIT#HP_Variant
Both seem look like variants of MIT [2][3]. As folks in this thread have helped me understand, MIT is a category under SPDX, not a single license. Neither of these are part of the MIT SPDX identifier yet. Is it okay to use them under the 'MIT' identifier in Fedora while they are still being worked on the SPDX and fedora-license-data side?
There's still no progress here, but I am going to run with using the MIT identifier for .NET, even if this exact license texts aren't in fedora-license-data, yet.
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
On 12/23/22 2:03 PM, Omair Majid wrote:
Hi,
Omair Majid omajid@redhat.com writes:
What to do about the following licenses:
https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Regula... https://fedoraproject.org/wiki/Licensing:MIT?rd=Licensing/MIT#HP_Variant
Both seem look like variants of MIT [2][3]. As folks in this thread have helped me understand, MIT is a category under SPDX, not a single license. Neither of these are part of the MIT SPDX identifier yet. Is it okay to use them under the 'MIT' identifier in Fedora while they are still being worked on the SPDX and fedora-license-data side?
There's still no progress here, but I am going to run with using the MIT identifier for .NET, even if this exact license texts aren't in fedora-license-data, yet.
Omair
Hi Omair,
Just following up on this: the two licenses above that you say have no progress, so they have issues in the Fedora-license-list Gitlab repo, and, if applicable, SPDX?
Thanks! Jilayne
Jilayne Lovejoy jlovejoy@redhat.com writes:
Just following up on this: the two licenses above that you say have no progress, so they have issues in the Fedora-license-list Gitlab repo, and, if applicable, SPDX?
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/138 https://gitlab.com/fedora/legal/fedora-license-data/-/issues/139
I wasn't sure of the next steps, so I didn't file anything against SPDX yet.
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
Hi Richard,
Sorry to bother you, but any advice on this?
Omair Majid omajid@redhat.com writes:
I am trying to package .NET 7 in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2142178
(This is a new package, though it's "just" an updated version of the .NET 6 package that we already include in Fedora.)
The reviewer has helped identify that the source code archive includes a few files that include notes about Creative Commons. I am looking on advice on how to handle it.
I found basically these 7 non-content files that have a pointer to creativecommons.org:
https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Cor... https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Cor...
These two files have an MIT license header in addition to the comment that the code is based on an algorithm originally licensed under CC0. These files are a critical part of .NET that we absolutely need to build and include in Fedora.
Can I ignore the comment about CC0 because of the MIT license header in the file? Is it safe to treat these files as under MIT only? If not, what are my options to handle this piece of code?
Can I simply say this file is under both MIT and CC0 and the implied patent clauses in MIT are good enough to serve as an exception to the general no-CC0 usage policy in Fedora?
https://github.com/dotnet/fsharp/tree/main/tests/benchmarks/CompiledCodeBenc... https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FShar... https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FShar...
These 3 don't have an MIT or Apache header. Only a Creative Commons header.
Given that these files are benchmarks and unit tests that we don't run during the build, I suppose I can just delete these files? Do I need to delete them from the source archive or can I delete them in %prep?
Are other/easier options on the table here?
https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.c https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.h
These are under CC-PDDC and hence acceptable without any issues, right?
It looks like newer versions of dlmalloc use CC0 and so are unacceptable to Fedora? Is there any guidance I can share with .NET upstream in terms of the impact of eventually switching to the newer version of dlmalloc?
Thanks, Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
On Thu, Dec 1, 2022 at 2:53 PM Omair Majid omajid@redhat.com wrote:
Hi Richard,
Sorry to bother you, but any advice on this?
[ . . . ]
I am trying to package .NET 7 in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2142178
(This is a new package, though it's "just" an updated version of the .NET 6 package that we already include in Fedora.)
The reviewer has helped identify that the source code archive includes a few files that include notes about Creative Commons. I am looking on advice on how to handle it.
I found basically these 7 non-content files that have a pointer to creativecommons.org:
https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Cor... https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Cor...
These two files have an MIT license header in addition to the comment that the code is based on an algorithm originally licensed under CC0. These files are a critical part of .NET that we absolutely need to build and include in Fedora.
Can I ignore the comment about CC0 because of the MIT license header in the file? Is it safe to treat these files as under MIT only? If not, what are my options to handle this piece of code?
Wouldn't these be covered by the existing carveout stated here: https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/CC0-1.0...
https://github.com/dotnet/fsharp/tree/main/tests/benchmarks/CompiledCodeBenc... https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FShar... https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FShar...
These 3 don't have an MIT or Apache header. Only a Creative Commons header.
Given that these files are benchmarks and unit tests that we don't run during the build, I suppose I can just delete these files? Do I need to delete them from the source archive or can I delete them in %prep? Are other/easier options on the table here?
Same question about: https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/CC0-1.0...
Richard
On Thu, Dec 1, 2022 at 2:53 PM Omair Majid omajid@redhat.com wrote:
https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.c https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.h
These are under CC-PDDC and hence acceptable without any issues, right?
Yes, CC-PDDC is allowed in Fedora: https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/CC-PDDC...
(note, the 'fedora' block is incorrect there because this was decided upon after the migration from Callaway to SPDX expressions and from the Fedora wiki to Gitlab)
It looks like newer versions of dlmalloc use CC0 and so are unacceptable to Fedora? Is there any guidance I can share with .NET upstream in terms of the impact of eventually switching to the newer version of dlmalloc?
Maybe point them to the Fedora policy on CC0, which was (relatively) widely covered in the press?
Richard