From Fedora Project Wiki

Fedora Packaging Committee Meeting of 2007-08-07

Present

  • JasonTibbitts (tibbs)
  • JesseKeating (f13)
  • RalfCorsepius (racor)
  • TomCallaway (spot)
  • ToshioKuratomi (abadger1999)

Writeups

The following drafts have been accepted by FESCO and are to be written into the guidelines:

Votes

There were no votes this week.

Other Discussions

The following additional items were discussed; see the logs for full details.

IRC Logs

[12:03:43]       * abadger1999 yawns and looks around
[12:03:49]  Quit        bpepple|lt has left this server ("Ex-Chat").
[12:03:53]       * spot is here
[12:04:49]  <spot>      anyone else? :)
[12:05:13]       * jeremy is here, but is just rabble :)
[12:05:58]  <racor>     i am here but probably don't have more than 10 mins.
[12:06:21]       * tibbs here
[12:06:26]  Quit        JSchmitt has left this server (Client Quit).
[12:06:38]  <spot>      f13: i know you're here. wakey wakey
[12:06:59]  <tibbs>     Do we have anything to cover other than writeups?
[12:07:03]  <spot>      http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
[12:07:08]  <spot>      thats the only item
[12:07:12]  <f13>       spot: yeah yeah
[12:07:22]  <f13>       wondering why my workstation didn't return after I got back.
[12:07:26]  <spot>      ville's already given it a +1
[12:07:37]  <tibbs>     I dislike that quite a bit, actually.
[12:07:46]  <spot>      okay... why?
[12:08:14]  <tibbs>     Because it's then rather difficult to figure out what the proper license tag value is.
[12:08:46]  <tibbs>     Instead of looking at the source and determining the license tag, you have to understand how all of the dependencies combine.
[12:09:13]  <jwb>       why?
[12:09:36]  <spot>      jwb: say, the code of a package is under GPL or BSD
[12:09:41]  <spot>      but it links to a GPL lib
[12:09:51]  <spot>      then, the work is GPL, theres no way it can be BSD
[12:10:41]  <tibbs>     And then you get to define "linking".  What if I depend on one perl module which is GPLv2+ but this module is "GPL+ or Artistic".
[12:10:45]  <tibbs>     What's the resulting license?
[12:11:03]  <tibbs>     Does it depend on whether the package is noarch or not?
[12:11:11]  <spot>      i'm not sure. i need to talk to RH legal and see what they think on that.
[12:11:13]  <jwb>       spot, so taking that same example, say a BSD licensed equivalent library comes along and you link against that.  now you have to change the spec to BSD?
[12:11:26]  <jwb>       i think it's a bit over-reaching
[12:11:28]  <spot>      jwb: no, because BSD is compatible with either
[12:11:30]  <jwb>       but i'm rabble
[12:11:51]  <tibbs>     And then we get upstreams saying "Fedora lies about the license of my software."
[12:11:53]  <spot>      GPL is a rather special case.
[12:12:05]  <jwb>       i don't see why such a package could not be labeled as "GPL or BSD"
[12:12:36]  <abadger1999>       jwb, spot: But if the example package was Public Domain, for instance, it would flip flop between GPL and Public Domain depending on the library it linked to.
[12:12:39]  <tibbs>     The real issue is that I don't want a degree in IP law to become a prerequisite for reviewing packages.
[12:13:00]  <spot>      abadger1999: yes.
[12:13:13]  <spot>      ok, i withdraw the draft. i see the problem.
[12:13:33]  <abadger1999>       Do we need to clarify that we are looking at the source licenses, though?
[12:14:01]  <spot>      source licenses of the delivered works
[12:14:13]  <spot>      not necessarily all of the source licenses
[12:14:30]  <spot>      lots of upstream apps include code under licenses we don't end up packaging in the binary RPMS
[12:14:55]  <tibbs>     In any case, wasn't the idea of making the license tags uniform and machine-parseable so that something could actually derive the resulting binary licenses?
[12:15:18]  <spot>      tibbs: *nod*
[12:16:06]  <abadger1999>       "Damn it Jim, I'm a computer, not a lawyer." :-)
[12:16:15]  <jwb>       heh
[12:16:38]  <spot>      I think "source licenses of the delivered works" is the closest to the truth here.
[12:16:39]  <tibbs>     I really don't know what to do here.  The idea that spot was proposing is very valid.
[12:17:01]  <tibbs>     But the complexity is unpleasant.
[12:17:22]  <jwb>       and (sorry) unmanageable
[12:17:23]  <abadger1999>       spot: I would go for that.
[12:17:33]  <spot>      hopefully, it is a one time pain per package.
[12:17:37]  <tibbs>     Is anyone in the distro universe paying attention to things at this level?
[12:17:48]  <jwb>       debian i think
[12:17:53]  <spot>      mandriva is watching us very closely.
[12:18:05]  <tibbs>     spot: The problem is that one change can cascade through a whole set of packages.
[12:18:07]  <spot>      debian is similar to us
[12:19:10]  <tibbs>     Deriving licenses from buildrequires isn't useful in general, I guess.
[12:19:20]  <tibbs>     Is it possible to do it from runtime dependencies?
[12:19:42]  <spot>      theoretically.
[12:19:50]  <tibbs>     I guess not, because we have no way to quantify what links against something versus using it in some other way.
[12:19:56]  <spot>      you'd have to cascade all the way down
[12:20:58]  <tibbs>     I simply don't understand how "linking" is defined for interpreted code, either.
[12:21:01]  <abadger1999>       But you run into corner cases where  package foo contains /usr/lib/libfoo under LGPL and /usr/bin/foo-tiny-util under GPL so you need a human or a file by file tag.
[12:21:42]  <tibbs>     We already flag complex licenses with "and",
[12:21:57]  <tibbs>     so if doing a full review you'd know you needed to inspect more closely.
[12:22:07]  <spot>      tibbs: i need to talk to RH Legal and see what they define as linking
[12:22:38]  <tibbs>     But you'd still require manual inspection to determine "use" versus "linking", regardless of the definition of linking.
[12:22:47]  <abadger1999>       I'm just saying that automated derivation from runtime dependencies would have issues on those licenses.
[12:22:47]  <spot>      http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
[12:22:51]  <spot>      thats a rewording
[12:23:46]  <tibbs>     Frankly I don't know which version we want.
[12:23:48]  <jwb>       sane, but confusing
[12:23:52]  <racor>     you'll have to distinguish run-time licenses, licenses of source files being used and licenses of source files inside of a source tarball. All can be different.
[12:23:53]  <spot>      http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation
[12:24:28]  <spot>      (short answer: they don't know either)
[12:25:28]  <spot>      racor: i think "licenses of source files being used" is the closest to what we want
[12:25:33]  <tibbs>     I think we'd be safe with "License: is the source license" until we and the rest of the world understands the issues more thoroughly.
[12:26:32]  <spot>      tibbs: just: "The value of the License tag represents the copyright/license info of the source code of the delivered works only."
[12:26:36]  <spot>      ?
[12:27:16]  <racor>     spot: But you have been banning unused sources from tarballs, in the past
[12:27:48]  <spot>      racor: yes, but that's never been documented policy
[12:28:05]  <tibbs>     Well, if we can't legally distribute the srpm then we don't really have much choice.
[12:28:19]  <spot>      and its not so much banning unused sources as getting people to remove code that is under proprietary licenses
[12:28:25]  <spot>      which we can't distribute
[12:28:39]  <spot>      the fact that it is unused makes it possible to remove
[12:28:43]  <racor>     spot: which is not a legal issue, but a religious one.
[12:28:52]  <spot>      no, it is a legal issue.
[12:29:02]  <spot>      if we don't have permission to redistribute, it can't go in the SRPM
[12:29:34]  <racor>     "non-free" is a religious issue.
[12:29:49]       * spot wonders where he said "non-free" in that
[12:29:59]  <abadger1999>       Right.  This is more along the lines of, foo includes a copy of zlib but we use the system zlib.  Do not list the license of zlib.
[12:30:07]  <spot>      exactly.
[12:30:41]  <spot>      ntp includes a copy of ElectricFence, but we don't list GPLv2+ there
[12:30:52]  <spot>      because it doesn't use it at all
[12:31:03]       * jwb scratches head
[12:31:15]  <spot>      jwb: don't look too closely at ntp or you will go blind
[12:31:41]  <jwb>       aside: are we asking upstream wtf they are doing in cases like that?
[12:31:59]  <spot>      in all the cases that have been brought to me so far, absolutely
[12:32:09]  <spot>      several upstreams have already cleaned up their act
[12:32:59]  <racor>     jwb: You can ask, but often they can't change the license, ...
[12:33:27]  <jwb>       i wasn't talking about the license
[12:33:34]  <jwb>       but it was an aside, so move on :)
[12:34:08]  <racor>     sorry, my time's up, I've got to go ...
[12:34:26]  <spot>      ok, with racor gone, we don't have quorum anymore
[12:35:21]  <spot>      we could leave the licensing as is, and let the packagers and the fedora licensing team (aka me) come to an agreement
[12:35:48]  <spot>      since its not legally binding, it is only included as a useful baseline for auditing
[12:36:15]  <abadger1999>       I think it's valid to clarify this.
[12:36:42]  <tibbs>     I as well, but only after we've had some of the grey areas cleaned up.
[12:36:54]  <spot>      ok, lets highlight the grey areas
[12:36:57]  <tibbs>     Because right now we don't fully understand the implications of such a change.
[12:37:03]  <spot>      so i can make sure i hit them all with the lawyers
[12:37:33]  <tibbs>     Well "define linking", especially in regards to interpreted languages.
[12:38:00]  <spot>      yup, got that one
[12:38:15]  <tibbs>     Also, if Artistic is a bad license, why do we still list it?
[12:38:32]  <tibbs>     (I note that rpmlint kicked "Artistic" back at me today.)
[12:39:39]  <tibbs>     Also, are we supposed to be blocking package reviews that don't have proper license tags now?
[12:40:26]  <spot>      yep.
[12:40:37]  <spot>      (on the last one, as its in the reviewguidelines now)
[12:41:21]  <tibbs>     My real concerns about not understanding the implications of today's proposal aren't really legal, though.
[12:41:40]  <spot>      So, the question is:
[12:41:57]  <spot>      does the License: tag refer to the final, derived license for the bits in the binary rpm
[12:42:01]  <spot>      ?
[12:42:19]  <tibbs>     Yes, that's the fundamental issue as I see it.
[12:42:46]  <abadger1999>       tibbs: +1.  The nightmare is more about determining what license is in effect at review time and keeping it updated as changes to other packages take place.
[12:42:48]  <spot>      And, what I'm hearing is that it should not be, because figuring that out is too much of a burden on the packager in complicated cases.
[12:43:20]  <tibbs>     Well, I'm ambivalent.
[12:44:15]  <tibbs>     It would be a massive pain, and there is at least one complicated legal question that has bearing on a couple thousand packages.
[12:44:29]  <tibbs>     But it also makes plenty of sense.
[12:44:32]  <tibbs>     So I don't know.
[12:44:42]  <spot>      fwiw, all of the packagers emailing me for clarification have been assuming that the License tag does refer to the derived license of the bits in the binary rpm
[12:44:56]  <abadger1999>       I think it depends on which audience we're addressing.
[12:45:38]  <abadger1999>       Developers looking for code to use in their projects care about source licenses.  Distros care about binary bits.
[12:46:27]  <tibbs>     Maybe we just need to bite the bullet and provide different tags for different uses.
[12:46:46]  <tibbs>     Have License: remain as is and add a DerivedLicense: tag.
[12:47:17]  <tibbs>     which could be optional, indicating that nobody has done a full license review yet.
[12:47:24]  <spot>      well...
[12:47:37]  <spot>      i think that developers looking for code to use will be using source to determine this
[12:47:38]  <abadger1999>       Developers who are using libraries (not looking to grab code) care about all the possible licenses of the binary bits.
[12:48:09]  <spot>      abadger1999: but we don't want to confuse them into thinking that something in Fedora is ok to link to as BSD when its GPL as built.
[12:48:17]  <abadger1999>       whereas the distro cares about one license that may trump all the others.
[12:48:34]  <spot>      the License tag is for the distro to do auditing
[12:48:43]  <spot>      it is not in any way legally binding
[12:48:43]  <abadger1999>       spot: But from a developer perspective it is BSD.
[12:48:58]  <abadger1999>       Even if it means they include their own copy of the library :-(
[12:49:02]  <spot>      developers will need to look at the license and decide it for themselves
[12:49:19]  <spot>      if rpm let us differentiate "SourceLicense" and "License", then... maybe.
[12:50:18]  <spot>      lemme talk to Panu and see what he thinks about this
[12:51:02]  <abadger1999>       So, since it's for us to do auditing, I think we actually do care about the most complicated case: end result considering linking.
[12:51:57]       * spot nods
[12:52:31]  <abadger1999>       Here's another legal grey area raised on list:  if foo provides libfoo.so.1 under GPL and bar provides libfoo.so.1 under BSD, how do we decide what the license of foo-util is?
[12:52:56]  <spot>      the same library, with the same filename?
[12:53:07]  <spot>      just a different license?
[12:53:21]  <spot>      I suppose it would be whichever was in the BR for that package
[12:53:23]  <abadger1999>       spot: drop in replacements of each other under different license.
[12:53:35]  <abadger1999>       But it shouldn't matter.
[12:53:40]  <abadger1999>       It's a runtime issue, yes?
[12:53:50]  <spot>      abadger1999: only if it dlopens the .so
[12:54:08]  <spot>      if it actually links to the headers of one...
[12:54:23]  <spot>      which is almost always how libraries link in. you've got to know what to call. :)
[12:55:09]  <abadger1999>       spot: Okay -- but then if I BR the BSD one but on my system I have the GPL library installed, the BSD license still takes effect?
[12:55:14]  <spot>      abadger1999: yes
[12:55:19]  <spot>      because you didn't link to GPL code
[12:55:34]  <spot>      the fact that the GPL has the exact same api is a pleasant coincidence
[12:55:38]  <spot>      but not your intention.
[12:55:39]  <abadger1999>       So all I need to do to work around the GPL on readline is reimplement the headers and enough of a stub to compile and link?
[12:55:46]  <spot>      abadger1999: technically, yes.
[12:55:59]  <spot>      but you'd likely need to never have looked at the GPL code
[12:56:24]  <abadger1999>       But I could look at the documentation for readline.
[12:56:24]  <spot>      do it entirely cleanroom
[12:56:29]  <spot>      absolutely
[12:56:47]  <spot>      as long as it didn't include GPL code in the docs
[12:57:38]  <spot>      this is why the license is only wholly binding when it is in the code files itself
[13:01:09]  <spot>      since we don't have quorum, we're done for now.
[13:01:14]  <spot>      we can revisit this later. :)
[13:01:17]  <spot>      thanks all.
[13:01:34]  <abadger1999>       thanks spot.  I'm glad I'm not a lawyer :-)
[13:01:56]  <spot>      me too. i just play one on tv.