From Fedora Project Wiki

Revision as of 03:22, 21 December 2008 by Wikibot (talk | contribs) (Packaging/Minutes20070807 moved to Packaging:Minutes20070807: Moving Packaging Pages to Packaging Namespace)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Fedora Packaging Committee Meeting of {2007-08-07}

Present

  • JasonTibbitts (tibbs)
  • JesseKeating (f13)
  • RalfCorsepius (racor)
  • TomCallaway (spot)
  • ToshioKuratomi (abadger1999)

Writeups

The following drafts have been accepted by FESCO and are to be written into the guidelines:

Votes

There were no votes this week.

Other Discussions

The following additional items were discussed; see the logs for full details.

IRC Logs

[12:03:43]       * abadger1999 yawns and looks around
[12:03:49]  Quit        bpepple|lt has left this server ("Ex-Chat").
[12:03:53]       * spot is here
[12:04:49]  <spot>      anyone else? :)
[12:05:13]       * jeremy is here, but is just rabble :)
[12:05:58]  <racor>     i am here but probably don't have more than 10 mins.
[12:06:21]       * tibbs here
[12:06:26]  Quit        JSchmitt has left this server (Client Quit).
[12:06:38]  <spot>      f13: i know you're here. wakey wakey
[12:06:59]  <tibbs>     Do we have anything to cover other than writeups?
[12:07:03]  <spot>      http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
[12:07:08]  <spot>      thats the only item
[12:07:12]  <f13>       spot: yeah yeah
[12:07:22]  <f13>       wondering why my workstation didn't return after I got back.
[12:07:26]  <spot>      ville's already given it a +1
[12:07:37]  <tibbs>     I dislike that quite a bit, actually.
[12:07:46]  <spot>      okay... why?
[12:08:14]  <tibbs>     Because it's then rather difficult to figure out what the proper license tag value is.
[12:08:46]  <tibbs>     Instead of looking at the source and determining the license tag, you have to understand how all of the dependencies combine.
[12:09:13]  <jwb>       why?
[12:09:36]  <spot>      jwb: say, the code of a package is under GPL or BSD
[12:09:41]  <spot>      but it links to a GPL lib
[12:09:51]  <spot>      then, the work is GPL, theres no way it can be BSD
[12:10:41]  <tibbs>     And then you get to define "linking".  What if I depend on one perl module which is GPLv2+ but this module is "GPL+ or Artistic".
[12:10:45]  <tibbs>     What's the resulting license?
[12:11:03]  <tibbs>     Does it depend on whether the package is noarch or not?
[12:11:11]  <spot>      i'm not sure. i need to talk to RH legal and see what they think on that.
[12:11:13]  <jwb>       spot, so taking that same example, say a BSD licensed equivalent library comes along and you link against that.  now you have to change the spec to BSD?
[12:11:26]  <jwb>       i think it's a bit over-reaching
[12:11:28]  <spot>      jwb: no, because BSD is compatible with either
[12:11:30]  <jwb>       but i'm rabble
[12:11:51]  <tibbs>     And then we get upstreams saying "Fedora lies about the license of my software."
[12:11:53]  <spot>      GPL is a rather special case.
[12:12:05]  <jwb>       i don't see why such a package could not be labled as "GPL or BSD"
[12:12:36]  <abadger1999>       jwb, spot: But if the example package was Public Domain, for instance, it would flip flop between GPL and Public Domain depending on the library it linked to.
[12:12:39]  <tibbs>     The real issue is that I don't want a degree in IP law to become a prerequisite for reviewing packages.
[12:13:00]  <spot>      abadger1999: yes.
[12:13:13]  <spot>      ok, i withdraw the draft. i see the problem.
[12:13:33]  <abadger1999>       Do we need to clarify that we are looking at the source licenses, though?
[12:14:01]  <spot>      source licenses of the delivered works
[12:14:13]  <spot>      not necessarily all of the source licenses
[12:14:30]  <spot>      lots of upstream apps include code under licenses we don't end up packaging in the binary RPMS
[12:14:55]  <tibbs>     In any case, wasn't the idea of making the license tags uniform and machine-parseable was so that something could actually derive the resulting binary licenses?
[12:15:18]  <spot>      tibbs: *nod*
[12:16:06]  <abadger1999>       "Damn it Jim, I'm a computer, not a lawyer." :-)
[12:16:15]  <jwb>       heh
[12:16:38]  <spot>      I think "source licenses of the delivered works" is the closest to the truth here.
[12:16:39]  <tibbs>     I really don't know what to do here.  The idea that spot was proposing is very valid.
[12:17:01]  <tibbs>     But the complexity is unpleasant.
[12:17:22]  <jwb>       and (sorry) unmanagable
[12:17:23]  <abadger1999>       spot: I would go for that.
[12:17:33]  <spot>      hopefully, it is a one time pain per package.
[12:17:37]  <tibbs>     Is anyone in the distro universe paying attention to things at this level?
[12:17:48]  <jwb>       debian i think
[12:17:53]  <spot>      mandriva is watching us very closely.
[12:18:05]  <tibbs>     spot: The problem is that one change can cascade through a whole set of packages.
[12:18:07]  <spot>      debian is similar to us
[12:19:10]  <tibbs>     Deriving licenses from buildrequires isn't useful in general, I guess.
[12:19:20]  <tibbs>     Is it possible to do it from runtime dependencies?
[12:19:42]  <spot>      theoretically.
[12:19:50]  <tibbs>     I guess not, because we have no way to quantify what links against something versus using it in some other way.
[12:19:56]  <spot>      you'd have to cascade all the way down
[12:20:58]  <tibbs>     I simply don't understand how "linking" is defined for interpreted code, either.
[12:21:01]  <abadger1999>       But you run into corner cases where  package foo contains /usr/lib/libfoo under LGPL and /usr/bin/foo-tiny-util under GPL so you need a human or a file by file tag.
[12:21:42]  <tibbs>     We already flag complex licenses with "and",
[12:21:57]  <tibbs>     so if doing a full review you'd know you needed to inspect more closely.
[12:22:07]  <spot>      tibbs: i need to talk to RH Legal and see what they define as linking
[12:22:38]  <tibbs>     But you'd still require manual inspection to determine "use" versus "linking", regardless of the definition of linking.
[12:22:47]  <abadger1999>       I'm just saying that automated derivation from runtime dependencies would have issues on those licenses.
[12:22:47]  <spot>      http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
[12:22:51]  <spot>      thats a rewording
[12:23:46]  <tibbs>     Frankly I don't know which version we want.
[12:23:48]  <jwb>       sane, but confusing
[12:23:52]  <racor>     you'll have to distinguish run-time licenses, licenses of source files being used and licenses of sources files inside of a source tarball. All can be different.
[12:23:53]  <spot>      http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation
[12:24:28]  <spot>      (short answer: they don't know either)
[12:25:28]  <spot>      racor: i think "licenses of source files being used" is the closest to what we want
[12:25:33]  <tibbs>     I think we'd be safe with "License: is the source license" until we and the rest of the world understands the issues more thoroughly.
[12:26:32]  <spot>      tibbs: just: "The value of the License tag represents the copyright/license info of the source code of the delivered works only."
[12:26:36]  <spot>      ?
[12:27:16]  <racor>     spot: But you have been banning unused sources from tarballs, in the past
[12:27:48]  <spot>      racor: yes, but that's never been documented policy
[12:28:05]  <tibbs>     Well, if we can't legally distribute the srpm then we don't really have much choice.
[12:28:19]  <spot>      and its not so much banning unused sources as getting people to remove code that is under proprietary licenses
[12:28:25]  <spot>      which we can't distribute
[12:28:39]  <spot>      the fact that it is unused makes it possible to remove
[12:28:43]  <racor>     spot: which is not a legal issue, but a religious one.
[12:28:52]  <spot>      no, it is a legal issue.
[12:29:02]  <spot>      if we don't have permission to redistribute, it can't go in the SRPM
[12:29:34]  <racor>     "non-free" is a religious issue.
[12:29:49]       * spot wonders where he said "non-free" in that
[12:29:59]  <abadger1999>       Right.  This is more along the lines of, foo includes a copy of zlib but we use the system zlib.  Do not list the license of zlib.
[12:30:07]  <spot>      exactly.
[12:30:41]  <spot>      ntp includes a copy of ElectricFence, but we don't list GPLv2+ there
[12:30:52]  <spot>      because it doesn't use it at all
[12:31:03]       * jwb scratches head
[12:31:15]  <spot>      jwb: don't look too closely at ntp or you will go blind
[12:31:41]  <jwb>       aside: are we asking upstream wtf they are doing in cases like that?
[12:31:59]  <spot>      in all the cases that have been brought to me so far, absolutely
[12:32:09]  <spot>      several upstreams have already cleaned up their act
[12:32:59]  <racor>     jwb: You can ask, but often they can't change the license, ...
[12:33:27]  <jwb>       i wasn't talking about the license
[12:33:34]  <jwb>       but it was an aside, so move on :)
[12:34:08]  <racor>     sorry, my time's up, I've got to go ...
[12:34:26]  <spot>      ok, with racor gone, we don't have quorum anymore
[12:35:21]  <spot>      we could leave the licensing as is, and let the packagers and the fedora licensing team (aka me) come to an agreement
[12:35:48]  <spot>      since its not legally binding, it is only included as a useful baseline for auditing
[12:36:15]  <abadger1999>       I think it's valid to clarify this.
[12:36:42]  <tibbs>     I as well, but only after we've had some of the grey areas cleaned up.
[12:36:54]  <spot>      ok, lets highlight the grey areas
[12:36:57]  <tibbs>     Because right now we don't fully understand the implications of such a change.
[12:37:03]  <spot>      so i can make sure i hit them all with the lawyers
[12:37:33]  <tibbs>     Well "define linking", especially in regards to interpreted languages.
[12:38:00]  <spot>      yup, got that one
[12:38:15]  <tibbs>     Also, if Artistic is a bad license, why do we still list it?
[12:38:32]  <tibbs>     (I note that rpmlint kicked "Artistic" back at me today.)
[12:39:39]  <tibbs>     Also, are we supposed to be blocking package reviews that don't have proper license tags now?
[12:40:26]  <spot>      yep.
[12:40:37]  <spot>      (on the last one, as its in the reviewguidelines now)
[12:41:21]  <tibbs>     My real concerns about not understanding the implications of today's proposal aren't really legal, though.
[12:41:40]  <spot>      So, the question is:
[12:41:57]  <spot>      does the License: tag refer to the final, derived license for the bits in the binary rpm
[12:42:01]  <spot>      ?
[12:42:19]  <tibbs>     Yes, that's the fundamental issue as I see it.
[12:42:46]  <abadger1999>       tibbs: +1.  The nightmare is more about determining what license is in effect at review time and keeping it updated as changes to other packages take place.
[12:42:48]  <spot>      And, what I'm hearing is that it should not be, because figuring that out is too much of a burden on the packager in complicated cases.
[12:43:20]  <tibbs>     Well, I'm ambivalent.
[12:44:15]  <tibbs>     It would be a massive pain, and there is at least one complicated legal question that has bearing on a couple thousand packages.
[12:44:29]  <tibbs>     But it also makes plenty of sense.
[12:44:32]  <tibbs>     SO I don't know.
[12:44:42]  <spot>      fwiw, all of the packagers emailing me for clarification have been assuming that the License tag does refer to the derived license of the bits in the binary rpm
[12:44:56]  <abadger1999>       I think it depends on which audience we're addressing.
[12:45:38]  <abadger1999>       Developers looking for code to use in their projects care about source licenses.  Distros care about binary bits.
[12:46:27]  <tibbs>     Maybe we just need to bite the bullet and provide different tags for different uses.
[12:46:46]  <tibbs>     Have License: remain as is and add a DerivedLicense: tag.
[12:47:17]  <tibbs>     which could be optional, indicating that nobody has done a full license review yet.
[12:47:24]  <spot>      well...
[12:47:37]  <spot>      i think that developers looking for code to use will be using source to determine this
[12:47:38]  <abadger1999>       Developers who are using libraries (not looking to grab code) care about all the possible licenses of the binary bits.
[12:48:09]  <spot>      abadger1999: but we don't want to confuse them into thinking that something in Fedora is ok to link to as BSD when its GPL as built.
[12:48:17]  <abadger1999>       whereas the distro cares about one license that may trump all the others.
[12:48:34]  <spot>      the License tag is for the distro to do auditing
[12:48:43]  <spot>      it is not in any way legally binding
[12:48:43]  <abadger1999>       spot: But from a developer perspective it is BSD.
[12:48:58]  <abadger1999>       Even if it means they include their own copy of the library :-(
[12:49:02]  <spot>      developers will need to look at the license and decide it for themselves
[12:49:19]  <spot>      if rpm let us differentiate "SourceLicense" and "License", then... maybe.
[12:50:18]  <spot>      lemme talk to Panu and see what he thinks about this
[12:51:02]  <abadger1999>       So, since it's for us to do auditing, I think we actually do care about the most complicated case: end result considering linking.
[12:51:57]       * spot nods
[12:52:31]  <abadger1999>       Here's another legal grey area raised on list:  if foo provides libfoo.so.1 under GPL and bar provides libfoo.so.1 under BSD, how do we decide what the license of foo-util is?
[12:52:56]  <spot>      the same library, with the same filename?
[12:53:07]  <spot>      just a different license?
[12:53:21]  <spot>      I suppose it would be whichever was in the BR for that package
[12:53:23]  <abadger1999>       spot drop in replacements of each other under different license.
[12:53:35]  <abadger1999>       But it shouldn't matter.
[12:53:40]  <abadger1999>       It's a runtime issue, yes?
[12:53:50]  <spot>      abadger1999: only if it dlopens the .so
[12:54:08]  <spot>      if it actually links to the headers of one...
[12:54:23]  <spot>      which is almost always how libraries link in. you've got to know what to call. :)
[12:55:09]  <abadger1999>       spot: Okay -- but then if I BR the BSd one but on my system I have the GPL library installed, the BSD license still takes effect?
[12:55:14]  <spot>      abadger1999: yes
[12:55:19]  <spot>      because you didn't link to GPL code
[12:55:34]  <spot>      the fact that the GPL has the exact same api is a pleasant coincidence
[12:55:38]  <spot>      but not your intention.
[12:55:39]  <abadger1999>       So all I need to do to work around the GPL on readline is reimplement the headers and enough of a stub to compile and link?
[12:55:46]  <spot>      abadger1999: technically, yes.
[12:55:59]  <spot>      but you'd likely need to never have looked at the GPL code
[12:56:24]  <abadger1999>       But I could look at the documentation for readline.
[12:56:24]  <spot>      do it entirely cleanroom
[12:56:29]  <spot>      absolutely
[12:56:47]  <spot>      as long as it didn't include GPL code in the docs
[12:57:38]  <spot>      this is why the license is only wholly binding when it is in the code files itself
[13:01:09]  <spot>      since we don't have quorum, we're done for now.
[13:01:14]  <spot>      we can revisit this later. :)
[13:01:17]  <spot>      thanks all.
[13:01:34]  <abadger1999>       thanks spot.  I'm glad I'm not a lawyer :-)
[13:01:56]  <spot>      me too. i just play one on tv.