| (11 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | ||
= SPDX License Phase 4 <!-- The name of your change proposal --> = | = SPDX License Phase 4 (The last one) <!-- The name of your change proposal --> = | ||
| Line 24: | Line 24: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAcceptedF41]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
| Line 42: | Line 42: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/T7D7O5JUOYYZICS23CCRNVJNQWUIREOM/ Announced] | |||
* [https://discussion.fedoraproject.org/t/f41-change-proposal-spdx-license-phase-4-system-wide/107517 Discussion Thread] | |||
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/CXASGCNBQOWXFFA2X5KNCI2GF6RXQGHL/ devel thread] | * [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/CXASGCNBQOWXFFA2X5KNCI2GF6RXQGHL/ devel thread] | ||
* FESCo issue: | * FESCo issue: [https://pagure.io/fesco/issue/3180 #3180] | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2270363 #2270363] | ||
* Release notes tracker: to be filled by the wrangler | * Release notes tracker: to be filled by the wrangler | ||
* [https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807rpCjus-8s/edit#gid=0 Burndow chart] | * [https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807rpCjus-8s/edit#gid=0 Burndow chart] | ||
At the time of mass rebuild 10114 license tags (about 33%) license tags had not been converted before the mass rebuild. :( | |||
We will have to add one more phase. | |||
== Detailed Description == | == Detailed Description == | ||
| Line 69: | Line 74: | ||
* license-fedora2spdx tool uses mapping of legacy Fedora short names to SPDX identifiers using the [https://gitlab.com/fedora/legal/fedora-license-data/-/tree/main fedora-license-data] to suggest SPDX identifiers. Where there is an apparent one-to-one mapping, the package maintainer could simply update the License field: and move on. | * license-fedora2spdx tool uses mapping of legacy Fedora short names to SPDX identifiers using the [https://gitlab.com/fedora/legal/fedora-license-data/-/tree/main fedora-license-data] to suggest SPDX identifiers. Where there is an apparent one-to-one mapping, the package maintainer could simply update the License field: and move on. | ||
* for many packages, particularly packages that use "umbrella" legacy short names that may refer to a large set of unrelated or loosely-related licenses, further inspection will be needed. Currently, Fedora documentation provides sparse advice on how to do this inspection and thus, a range of methods are used. | * for many packages, particularly packages that use "umbrella" legacy short names that may refer to a large set of unrelated or loosely-related licenses, further inspection will be needed. Currently, Fedora documentation provides sparse advice on how to do this inspection and thus, a range of methods are used. | ||
During phase 4 there was discussion how to finish the mass conversion. Miroslav opened [https://pagure.io/fesco/issue/3230 FESCO ticket] and it was agreed that: | |||
AGREED: All old license strings shall be converted to SPDX format. For licenses where a 1:1 mapping exists from the legacy Fedora tag to SPDX, the normal SPDX tag shall be used. For licenses where the old license tag maps to more than one possible license in the SPDX database, a tag in the form of LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier shall be used. In both cases, a comment shall be included in the spec file to indicate that the conversion was done automatically and review is warranted. For the second case, the comment should also indicate that the maintainers should update to normal SPDX tags after review. (+7, 0, 0) | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
| Line 196: | Line 205: | ||
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | ||
--> | --> | ||
In Fedora 41, all RPM packages use SPDX identifiers as a standard. | In Fedora 41, all RPM packages use SPDX license identifiers as a standard. | ||
Latest revision as of 21:33, 12 August 2024
SPDX License Phase 4 (The last one)
Summary
The fourth phase of transition from using Fedora's short names for licenses to SPDX identifiers in the License: field of Fedora package spec files. This phase focuses on migrating the remaining packages.
Owner
- Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, rfontana@redhat.com
Current status
- Targeted release: Fedora Linux 41
- Last updated: 2024-08-12
- Announced
- Discussion Thread
- devel thread
- FESCo issue: #3180
- Tracker bug: #2270363
- Release notes tracker: to be filled by the wrangler
At the time of mass rebuild 10114 license tags (about 33%) license tags had not been converted before the mass rebuild. :( We will have to add one more phase.
Detailed Description
This is follow-up of Phase 3. During this phase, all remaining packages should be migrated to use SPDX license identifiers in the License: field of the package spec file.
So far, package maintainers have been updating their packages in accordance with the guidance provided at https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ and filing issues in the fedora-license-data repo. Miroslav has been tracking how many packages that have been updated. Given the large number of packages in Fedora, this progress is good, but slow.
In this phase, all remaining packages will be converted automatically when possible. When human analysis is required then Bugzilla entry will be created. All these Bugzillas will block tracking bug to easily find these issues.
Feedback
See feedback section of Phase 1
Discussions on mailing list:
Challenges:
- license-fedora2spdx tool uses mapping of legacy Fedora short names to SPDX identifiers using the fedora-license-data to suggest SPDX identifiers. Where there is an apparent one-to-one mapping, the package maintainer could simply update the License field: and move on.
- for many packages, particularly packages that use "umbrella" legacy short names that may refer to a large set of unrelated or loosely-related licenses, further inspection will be needed. Currently, Fedora documentation provides sparse advice on how to do this inspection and thus, a range of methods are used.
During phase 4 there was discussion how to finish the mass conversion. Miroslav opened FESCO ticket and it was agreed that:
AGREED: All old license strings shall be converted to SPDX format. For licenses where a 1:1 mapping exists from the legacy Fedora tag to SPDX, the normal SPDX tag shall be used. For licenses where the old license tag maps to more than one possible license in the SPDX database, a tag in the form of LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier shall be used. In both cases, a comment shall be included in the spec file to indicate that the conversion was done automatically and review is warranted. For the second case, the comment should also indicate that the maintainers should update to normal SPDX tags after review. (+7, 0, 0)
Benefit to Fedora
The use of standardized identifiers for licenses will align Fedora with other distributions and facilitates efficient and reliable identification of licenses. Depending on the level of diligence done in this transition, Fedora could be positioned as a leader and contributor to better license information upstream (of Fedora).
Scope
- Change Owners:
- Continue adding newly found licenses to fedora-license-data and to SPDX.org list.
- Continue to report progress
- Automatically convert packages in several bulks using proven packager rights. These changes will be announced in advance on devel mailing list.
- When the automatic conversion is impossible, Change Owners will create Bugzilla entry asking package maintainers to migrate the package.
- Other developers:
- All packages (during the package review) should use the SPDX expression. - this is redundant as this has already been approved since Phase 1, but it should be reminded.
- Migrate the existing License tag from a short name to an SPDX expression.
- Release engineering: nothing
- Policies and guidelines: all done in previous phases
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
License strings are not used anything in run time. This change will not affect the upgrade or runtime of Fedora.
During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives. And we have to define a date where we flip these tools from old Fedora's short names to the SPDX formula.
How To Test
See How to test section of Phase 1
User Experience
Users should be able to use standard software tools that audit licenses. E.g. for Software Bills of Materials.
Dependencies
No other dependencies.
Contingency Plan
- Contingency mechanism: There will be no way back. We are already beyond of point to return. We are heading to explore strange new worlds... to boldly go where no man has gone before.
- Contingency deadline: Beta freeze. But it is expected that not all packages will be converted by that time and the change will continue in the next release.
- Blocks release? No. This change has no impact on runtime of any package.
Documentation
Release Notes
In Fedora 41, all RPM packages use SPDX license identifiers as a standard.