Packaging:Minutes20070807

Present

 * JasonTibbitts
 * JesseKeating
 * RalfCorsepius
 * TomCallaway
 * ToshioKuratomi

Writeups
The following drafts have been accepted by FESCO and are to be written into the guidelines:

 * The license tag refinements requested by the board: http://fedoraproject.org/wiki/PackagingDrafts/LicenseTag
 * Dynamic user and group creation policy: http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups

Votes
There were no votes this week.

Other Discussions
The following additional items were discussed; see the logs for full details.

 * Clarifying what the License: tag refers to (source or resulting binary): http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
 * There was plenty of interesting discussion here; it's a delicate issue, but the current tendency is to let License: refer to the license on the source packages.

IRC Logs
[12:03:43] * abadger1999 yawns and looks around
[12:03:49] Quit bpepple|lt has left this server ("Ex-Chat").
[12:03:53] * spot is here
[12:04:49] anyone else? :)
[12:05:13] * jeremy is here, but is just rabble :)
[12:05:58] i am here but probably don't have more than 10 mins.
[12:06:21] * tibbs here
[12:06:26] Quit JSchmitt has left this server (Client Quit).
[12:06:38] f13: i know you're here. wakey wakey
[12:06:59] Do we have anything to cover other than writeups?
[12:07:03] http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
[12:07:08] that's the only item
[12:07:12] spot: yeah yeah
[12:07:22] wondering why my workstation didn't return after I got back.
[12:07:26] ville's already given it a +1
[12:07:37] I dislike that quite a bit, actually.
[12:07:46] okay... why?
[12:08:14] Because it's then rather difficult to figure out what the proper license tag value is.
[12:08:46] Instead of looking at the source and determining the license tag, you have to understand how all of the dependencies combine.
[12:09:13] why?
[12:09:36] jwb: say, the code of a package is under GPL or BSD
[12:09:41] but it links to a GPL lib
[12:09:51] then, the work is GPL, there's no way it can be BSD
[12:10:41] And then you get to define "linking". What if I depend on one perl module which is GPLv2+ but this module is "GPL+ or Artistic".
[12:10:45] What's the resulting license?
[12:11:03] Does it depend on whether the package is noarch or not?
[12:11:11] i'm not sure. i need to talk to RH legal and see what they think on that.
[12:11:13] spot, so taking that same example, say a BSD licensed equivalent library comes along and you link against that. now you have to change the spec to BSD?
[12:11:26] i think it's a bit over-reaching
[12:11:28] jwb: no, because BSD is compatible with either
[12:11:30] but i'm rabble
[12:11:51] And then we get upstreams saying "Fedora lies about the license of my software."
[12:11:53] GPL is a rather special case.
[12:12:05] i don't see why such a package could not be labeled as "GPL or BSD"
[12:12:36] jwb, spot: But if the example package was Public Domain, for instance, it would flip flop between GPL and Public Domain depending on the library it linked to.
[12:12:39] The real issue is that I don't want a degree in IP law to become a prerequisite for reviewing packages.
[12:13:00] abadger1999: yes.
[12:13:13] ok, i withdraw the draft. i see the problem.
[12:13:33] Do we need to clarify that we are looking at the source licenses, though?
[12:14:01] source licenses of the delivered works
[12:14:13] not necessarily all of the source licenses
[12:14:30] lots of upstream apps include code under licenses we don't end up packaging in the binary RPMS
[12:14:55] In any case, wasn't the idea of making the license tags uniform and machine-parseable so that something could actually derive the resulting binary licenses?
[12:15:18] tibbs: *nod*
[12:16:06] "Damn it Jim, I'm a computer, not a lawyer." :-)
[12:16:15] heh
[12:16:38] I think "source licenses of the delivered works" is the closest to the truth here.
[12:16:39] I really don't know what to do here. The idea that spot was proposing is very valid.
[12:17:01] But the complexity is unpleasant.
[12:17:22] and (sorry) unmanageable
[12:17:23] spot: I would go for that.
[12:17:33] hopefully, it is a one time pain per package.
[12:17:37] Is anyone in the distro universe paying attention to things at this level?
[12:17:48] debian i think
[12:17:53] mandriva is watching us very closely.
[12:18:05] spot: The problem is that one change can cascade through a whole set of packages.
[12:18:07] debian is similar to us
[12:19:10] Deriving licenses from buildrequires isn't useful in general, I guess.
[12:19:20] Is it possible to do it from runtime dependencies?
[12:19:42] theoretically.
[12:19:50] I guess not, because we have no way to quantify what links against something versus using it in some other way.
[12:19:56] you'd have to cascade all the way down
[12:20:58] I simply don't understand how "linking" is defined for interpreted code, either.
[12:21:01] But you run into corner cases where package foo contains /usr/lib/libfoo under LGPL and /usr/bin/foo-tiny-util under GPL so you need a human or a file by file tag.
[12:21:42] We already flag complex licenses with "and",
[12:21:57] so if doing a full review you'd know you needed to inspect more closely.
[12:22:07] tibbs: i need to talk to RH Legal and see what they define as linking
[12:22:38] But you'd still require manual inspection to determine "use" versus "linking", regardless of the definition of linking.
[12:22:47] I'm just saying that automated derivation from runtime dependencies would have issues on those licenses.
[12:22:47] http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
[12:22:51] that's a rewording
[12:23:46] Frankly I don't know which version we want.
[12:23:48] sane, but confusing
[12:23:52] you'll have to distinguish run-time licenses, licenses of source files being used and licenses of source files inside of a source tarball. All can be different.
[12:23:53] http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation
[12:24:28] (short answer: they don't know either)
[12:25:28] racor: i think "licenses of source files being used" is the closest to what we want
[12:25:33] I think we'd be safe with "License: is the source license" until we and the rest of the world understand the issues more thoroughly.
[12:26:32] tibbs: just: "The value of the License tag represents the copyright/license info of the source code of the delivered works only."
[12:26:36] ?
[12:27:16] spot: But you have been banning unused sources from tarballs, in the past
[12:27:48] racor: yes, but that's never been documented policy
[12:28:05] Well, if we can't legally distribute the srpm then we don't really have much choice.
[12:28:19] and it's not so much banning unused sources as getting people to remove code that is under proprietary licenses
[12:28:25] which we can't distribute
[12:28:39] the fact that it is unused makes it possible to remove
[12:28:43] spot: which is not a legal issue, but a religious one.
[12:28:52] no, it is a legal issue.
[12:29:02] if we don't have permission to redistribute, it can't go in the SRPM
[12:29:34] "non-free" is a religious issue.
[12:29:49] * spot wonders where he said "non-free" in that
[12:29:59] Right. This is more along the lines of, foo includes a copy of zlib but we use the system zlib. Do not list the license of zlib.
[12:30:07] exactly.
[12:30:41] ntp includes a copy of ElectricFence, but we don't list GPLv2+ there
[12:30:52] because it doesn't use it at all
[12:31:03] * jwb scratches head
[12:31:15] jwb: don't look too closely at ntp or you will go blind
[12:31:41] aside: are we asking upstream wtf they are doing in cases like that?
[12:31:59] in all the cases that have been brought to me so far, absolutely
[12:32:09] several upstreams have already cleaned up their act
[12:32:59] jwb: You can ask, but often they can't change the license, ...
[12:33:27] i wasn't talking about the license
[12:33:34] but it was an aside, so move on :)
[12:34:08] sorry, my time's up, I've got to go ...
[12:34:26] ok, with racor gone, we don't have quorum anymore
[12:35:21] we could leave the licensing as is, and let the packagers and the fedora licensing team (aka me) come to an agreement
[12:35:48] since it's not legally binding, it is only included as a useful baseline for auditing
[12:36:15] I think it's valid to clarify this.
[12:36:42] I as well, but only after we've had some of the grey areas cleaned up.
[12:36:54] ok, let's highlight the grey areas
[12:36:57] Because right now we don't fully understand the implications of such a change.
[12:37:03] so i can make sure i hit them all with the lawyers
[12:37:33] Well "define linking", especially in regards to interpreted languages.
[12:38:00] yup, got that one
[12:38:15] Also, if Artistic is a bad license, why do we still list it?
[12:38:32] (I note that rpmlint kicked "Artistic" back at me today.)
[12:39:39] Also, are we supposed to be blocking package reviews that don't have proper license tags now?
[12:40:26] yep.
[12:40:37] (on the last one, as it's in the reviewguidelines now)
[12:41:21] My real concerns about not understanding the implications of today's proposal aren't really legal, though.
[12:41:40] So, the question is:
[12:41:57] does the License: tag refer to the final, derived license for the bits in the binary rpm
[12:42:01] ?
[12:42:19] Yes, that's the fundamental issue as I see it.
[12:42:46] tibbs: +1. The nightmare is more about determining what license is in effect at review time and keeping it updated as changes to other packages take place.
[12:42:48] And, what I'm hearing is that it should not be, because figuring that out is too much of a burden on the packager in complicated cases.
[12:43:20] Well, I'm ambivalent.
[12:44:15] It would be a massive pain, and there is at least one complicated legal question that has bearing on a couple thousand packages.
[12:44:29] But it also makes plenty of sense.
[12:44:32] So I don't know.
[12:44:42] fwiw, all of the packagers emailing me for clarification have been assuming that the License tag does refer to the derived license of the bits in the binary rpm
[12:44:56] I think it depends on which audience we're addressing.
[12:45:38] Developers looking for code to use in their projects care about source licenses. Distros care about binary bits.
[12:46:27] Maybe we just need to bite the bullet and provide different tags for different uses.
[12:46:46] Have License: remain as is and add a DerivedLicense: tag.
[12:47:17] which could be optional, indicating that nobody has done a full license review yet.
[12:47:24] well...
[12:47:37] i think that developers looking for code to use will be using source to determine this
[12:47:38] Developers who are using libraries (not looking to grab code) care about all the possible licenses of the binary bits.
[12:48:09] abadger1999: but we don't want to confuse them into thinking that something in Fedora is ok to link to as BSD when it's GPL as built.
[12:48:17] whereas the distro cares about one license that may trump all the others.
[12:48:34] the License tag is for the distro to do auditing
[12:48:43] it is not in any way legally binding
[12:48:43] spot: But from a developer perspective it is BSD.
[12:48:58] Even if it means they include their own copy of the library :-(
[12:49:02] developers will need to look at the license and decide it for themselves
[12:49:19] if rpm let us differentiate "SourceLicense" and "License", then... maybe.
[12:50:18] lemme talk to Panu and see what he thinks about this
[12:51:02] So, since it's for us to do auditing, I think we actually do care about the most complicated case: end result considering linking.
[12:51:57] * spot nods
[12:52:31] Here's another legal grey area raised on list: if foo provides libfoo.so.1 under GPL and bar provides libfoo.so.1 under BSD, how do we decide what the license of foo-util is?
[12:52:56] the same library, with the same filename?
[12:53:07] just a different license?
[12:53:21] I suppose it would be whichever was in the BR for that package
[12:53:23] spot: drop-in replacements of each other under different licenses.
[12:53:35] But it shouldn't matter.
[12:53:40] It's a runtime issue, yes?
[12:53:50] abadger1999: only if it dlopens the .so
[12:54:08] if it actually links to the headers of one...
[12:54:23] which is almost always how libraries link in. you've got to know what to call. :)
[12:55:09] spot: Okay -- but then if I BR the BSD one but on my system I have the GPL library installed, the BSD license still takes effect?
[12:55:14] abadger1999: yes
[12:55:19] because you didn't link to GPL code
[12:55:34] the fact that the GPL has the exact same api is a pleasant coincidence
[12:55:38] but not your intention.
[12:55:39] So all I need to do to work around the GPL on readline is reimplement the headers and enough of a stub to compile and link?
[12:55:46] abadger1999: technically, yes.
[12:55:59] but you'd likely need to never have looked at the GPL code
[12:56:24] But I could look at the documentation for readline.
[12:56:24] do it entirely cleanroom
[12:56:29] absolutely
[12:56:47] as long as it didn't include GPL code in the docs
[12:57:38] this is why the license is only wholly binding when it is in the code files itself
[13:01:09] since we don't have quorum, we're done for now.
[13:01:14] we can revisit this later. :)
[13:01:17] thanks all.
[13:01:34] thanks spot. I'm glad I'm not a lawyer :-)
[13:01:56] me too. i just play one on tv.