(67 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | ||
= | = SPDX License Phase 1 <!-- The name of your change proposal --> = | ||
== Summary == | == Summary == | ||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | ||
Introduce tooling and data allowing package maintainers to transition from Fedora's existing short license names to standardized [https://spdx.org/licenses/ SPDX license] [https://spdx.dev/specifications/ expressions]. Update and improve Fedora-legal documentation related to licensing, and move off of wiki. | |||
== Owner == | == Owner == | ||
Line 20: | Line 16: | ||
* Name: [[User:ngompa| Neal Gompa]] | * Name: [[User:ngompa| Neal Gompa]] | ||
* Name: [[User:dcantrell| David Cantrell]] | * Name: [[User:dcantrell| David Cantrell]] | ||
* Name: [[User:ref| Richard Fontana]] | |||
* Name: [[User:mattdm| Matthew Miller]] | |||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com | * Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com, rfontana@redhat.com | ||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | ||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | ||
--> | --> | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAcceptedF38]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Line 49: | Line 46: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* FESCo issue: | * [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/GWJ477IQF2ZLLKUHNDVG4YR4CTGOMSVP/ devel thread] | ||
* Tracker bug: | * FESCo issue: [https://pagure.io/fesco/issue/2799 #2799] | ||
* Release notes tracker: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2096410 #2096410] | ||
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/846 #846] | |||
* [https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807rpCjus-8s/edit#gid=0 Current status of migration] | |||
== Detailed Description == | == Detailed Description == | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
In the past, Fedora decided to represent licenses using short abbreviations in the License field of spec files. Although we documented the short names very well, the identifiers were never standard. In the meantime, SPDX identifiers have emerged as a new standard, and [https://wiki.spdx.org/view/Business_Team/Adoption other vendors and developers have started using them]. I want to especially highlight adoption by [https://www.kernel.org/doc/html/v4.18/process/license-rules.html# kernel], [https://www.debian.org/doc/debian-policy/index.html Debian], [https://en.opensuse.org/openSUSE:Packaging_guidelines#Licensing openSUSE], and [https://docs.freebsd.org/en/articles/committers-guide/#pref-license FreeBSD]. | |||
In this change, we want to provide documentation and tooling to allow maintainers to begin using SPDX license expressions instead of the existing Fedora short names. The existing Fedora abbreviations will still be honored as the move to SPDX expressions will be opt-in. In [[Changes/SPDX_Licenses_Phase_2|Phase 2]], we will identify the packages and help them to migrate to SPDX expressions. | |||
== Feedback == | == Feedback == | ||
<!-- Summarize the feedback from the community and address why you chose not to accept proposed alternatives. This section is optional for all change proposals but is strongly suggested. Incorporating feedback here as it is raised gives FESCo a clearer view of your proposal and leaves a good record for the future. If you get no feedback, that is useful to note in this section as well. For innovative or possibly controversial ideas, consider collecting feedback before you file the change proposal. --> | <!-- Summarize the feedback from the community and address why you chose not to accept proposed alternatives. This section is optional for all change proposals but is strongly suggested. Incorporating feedback here as it is raised gives FESCo a clearer view of your proposal and leaves a good record for the future. If you get no feedback, that is useful to note in this section as well. For innovative or possibly controversial ideas, consider collecting feedback before you file the change proposal. --> | ||
Ancient [https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/HDASR3EKEEGDWYL2NMGMUI3PSQ23JL5Q/ feedback from SPDX organization]. | |||
Summary from [https://lists.fedoraproject.org/archives/search?q=spdx&page=1&mlist=legal%40lists.fedoraproject.org&sort=date-desc fedora-legal mailing list]: we want this to happen, but this is big scope and likely will happen over more than one release. | Summary from [https://lists.fedoraproject.org/archives/search?q=spdx&page=1&mlist=legal%40lists.fedoraproject.org&sort=date-desc fedora-legal mailing list]: we want this to happen, but this is big scope and likely will happen over more than one release. | ||
Summary from packaging-committee: | |||
* [https://pagure.io/packaging-committee/pull-request/971#]: older PR to change packaging guidelines | |||
* [https://pagure.io/packaging-committee/pull-request/1142]: present PR that needs more updating | |||
Summary from devel-list: TBD | Summary from devel-list: TBD | ||
=== Questions from the mailing list discussion === | |||
==== Can we use SPDX expressions in older Fedora branches? ==== | |||
Yes. | |||
==== How do we convert existing Fedora abbreviations to SPDX expressions? ==== | |||
:: You can use the tool `license-fedora2spdx(1)` from the package `license-validate`. E.g. | |||
<pre> | |||
license-fedora2spdx 'MIT or GPLv1' | |||
</pre> | |||
:: The [https://gitlab.com/fedora/legal/fedora-license-data fedora-license-data] upstream project contains licenses and their approval status in Fedora. Where applicable, the existing Fedora short abbreviation is noted in the file as well. You can use this information to cross-reference the existing Fedora abbreviations to SPDX abbreviations. This information will also be published in more human-readable form as part of the Fedora Legal Documentation. | |||
:: As an example, let's say your package has "License: GPLv2+" in the spec file. A grep of the TOML files in the fedora-license-data project will point you to [https://gitlab.com/fedora/legal/fedora-license-data/-/blob/master/data/GPL-2.0-or-later.toml GPL-2.0-or-later.toml] and if you look at that file, you will see the expression field under the [license] section says '''GPL-2.0-or-later'''. A description of the TOML file format is in the [https://gitlab.com/fedora/legal/fedora-license-data/-/blob/master/TEMPLATE.toml TEMPLATE.toml] file at the top level of the project. | |||
:: The license-fedora2spdx tool should only be used as a starting point. Maintainers are encouraged to use this as an opportunity to check the source code for the package and construct a new, more accurate SPDX expression. The new [https://docs.fedoraproject.org/en-US/legal/license-field/ Fedora legal documentation] provides specific guidance and expectations on how to populate the License: field that somewhat differs from or is more consistent than past Fedora guidelines. | |||
==== I have a package with '''BSD''' or '''MIT''' in the License field, how do I convert that? ==== | |||
:: In this case, you will need to dig in to the source a bit more. SPDX differentiates between the various BSD licenses whereas the Fedora abbreviations called them all BSD. An excellent tool to help in this way is the [https://github.com/spdx/spdx-license-diff SPDX License Diff tool] (a browser plugin) The common ones are BSD-2-Clause and BSD-3-Clause. | |||
:: For MIT, it's similar: Fedora has previously used 'MIT' to refer to a large number of different licenses. However, note that unlike the BSD case, there is an SPDX identifier 'MIT', which refers only to the license that today is most commonly thought of as [https://opensource.org/licenses/MIT the MIT license]. Ensure you are choosing the correct SPDX identifier(s) for your package. | |||
You can also use the tool `askalono crawl $DIRECTORY`. This tool is in the package `askalono-cli`. | |||
==== With Fedora abbreviations we could use '''and''', '''or''', and parentheses when constructing expressions. Can we do that with SPDX? ==== | |||
:: Yes, but SPDX spells it '''AND''' and '''OR'''. Parentheses are allowed in the same manner as Fedora expressions. See https://docs.fedoraproject.org/en-US/legal/license-field/ for more information. | |||
==== What if my License field is already SPDX-compatible? ==== | |||
:: Well, you are ahead of the change proposal then. Thanks! | |||
==== Can we combine Fedora abbreviations and SPDX abbreviations? ==== | |||
:: No. If you want to use SPDX abbreviations, you have to convert the entire expression to SPDX syntax. | |||
==== I maintain a firmware package, what do I use for the SPDX expression? ==== | |||
:: There are a number of cases that require the '''fedora-license-data''' package to define new SPDX-compatible abbreviations. If the fedora-license-data project does not yet have a '''LicenseRef-''' file for your particular license, then Fedora Legal is still working on what that will look like. You may want to wait on the SPDX change until the next change proposal, or else submit an issue to the [https://gitlab.com/fedora/legal/fedora-license-data Fedora License Data] project. | |||
==== What tools validate the License field? ==== | |||
:: There is '''license-validate''' noted below. There is also '''rpminspect''' and '''rpmlint''' which will validate the License tag value against the data that comes from the fedora-license-data RPM. | |||
==== Can new packages use the older Fedora license abbreviations? ==== | |||
:: No. All new packages will need to use SPDX expression syntax in the License field of the spec file. | |||
==== How do I know if the spec file has been converted? ==== | |||
During the transition period, there will be some spec files that will use the new SPDX format and some spec files will use the old short names. In the second phase, we will try to identify a package that has not been migrated yet. To identify what has and what has not been migrated, please do one of the following: | |||
* comment in spec file changelog entry. E.g., comment contains "SPDX migration". This is the most preferred way. | |||
* comment in dist-git in some format. E.g., comment contains "SPDX migration". | |||
=== Old to New Examples === | |||
This table shows some examples of existing License fields in Fedora packages and what they might look like with SPDX syntax. Note that these examples assume that a simple, straightforward conversion is possible, which will not be true in all cases (and may not be accurate for these specific packages). There may not be a one-to-one correspondence between a legacy Fedora license tag and an SPDX expression, because the assumptions around what the license abbreviations are supposed to represent or convey have changed or have been made more consistent. See https://docs.fedoraproject.org/en-US/legal/license-field/ for more information. Maintainers should use this change as an opportunity to check the source code of their package and improve the accuracy of the license tag. | |||
{| class="wikitable" | |||
|+ Example License tag values | |||
|- | |||
! Package !! Fedora abbreviations !! SPDX expression | |||
|- | |||
| glibc || LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL || (unable to convert now because of "Public Domain") | |||
|- | |||
| zsh || MIT || MIT | |||
|- | |||
| tmux || ISC and BSD || ISC AND BSD-3-Clause AND BSD-2-Clause | |||
|- | |||
| libX11 || MIT || MIT | |||
|- | |||
| htop || GPLv2+ || GPL-2.0-or-later | |||
|- | |||
| emacs || GPLv3+ and CC0 || GPL-3.0-or-later AND CC0-1.0 | |||
|- | |||
| firefox || MPLv1.1 or GPLv2+ or LGPLv2+ || MPL-2.0 | |||
|- | |||
| coreutils || GPLv3+ || GPL-3.0-or-later | |||
|- | |||
| openssh || BSD || SSH-OpenSSH | |||
|- | |||
| openssl || ASL 2.0 || Apache-2.0 | |||
|- | |||
| gcc || GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD || GPL-3.0-or-later AND (GPL-3.0-or-later WITH Classpath-exception-2.0) AND (GPL-2.0-or-later WITH Classpath-exception-2.0) AND LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause | |||
|} | |||
For firefox, it appears the source tree refers to MPL version 2.0 now and there no explicit mention of dual licensing with the GPL or LGPL. The maintainer(s) of this package should verify that before changing the License tag value. | |||
OpenSSH carries a BSD license, but SPDX has its own entry for it. As of this writing, that entry is not yet in '''fedora-license-data'''. | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
Line 90: | Line 196: | ||
https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | ||
--> | --> | ||
The use of a standardized identifier for license will align Fedora with other distributions. And allows efficient and reliable identification of licenses. | |||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners (things sorted by done/todo and by priorities): | ||
<!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
** Miroslav Suchý: license-fedora2spdx - done | |||
** Jilayne Lovejoy: map rest of Fedora licenses to SPDX ids - done | |||
** David Cantrell: create machine-readable format and new repo - done | |||
** David Cantrell: merge mapping of Fedora licenses to SPDX ids to new data format/repo - done | |||
** Richard Fontana & Jilayne Lovejoy: review update all licensing info and legal pages in wiki - Done | |||
** Jilayne Lovejoy & Richard Fontana: create and populate new Docs pages for legal and licensing info - Done | |||
** Neal Gompa - create description of various tooling used by Fedora in relation to license data (need to decide where to put this) - TODO | |||
** Miroslav Suchy - create [https://gitlab.com/fedora/legal/fedora-license-data fedora-license-data package] (with data from rpminspect-data-fedora) - [https://bugzilla.redhat.com/show_bug.cgi?id=2090451 Package Review] - done | |||
** David Cantrell: separate licenses from rpminspect-data-fedora [https://bugzilla.redhat.com/show_bug.cgi?id=2077914 BZ 2077914] - DONE | |||
** Miroslav Suchý: allow `license-validate` to use spdx - done | |||
** David and Miroslav: generate from license data to new Docs page similar to [https://fedoraproject.org/wiki/Licensing:Main#Software_License_List Licensing:Main] - Done | |||
** SOMEBODY: create a webhook that updates the Docs page after the merge to fedora-license-data - TODO | |||
** Jilayne Lovejoy: prepare PR for updates to packaging guidelines - DONE [https://pagure.io/packaging-committee/pull-request/1142] | |||
** SOMEBODY: help maintainers who want to change license string to SPDX identifiers proactively. | |||
* Out of Scope: In this phase, we do not target to move **all** packages to SPDX identifiers. That will be done in [[Changes/SPDX_Licenses_Phase_2|Phase 2]]. In [[Changes/SPDX_Licenses_Phase_2|Phase 2]] we will identify the remaining packages and open BZ or PR. | |||
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
Early adopters can migrate their License tag to the SPDX identifiers. Proposal owners will gather feedback and will work on potential problems. | |||
* [https://github.com/befeleme/pyp2spec/issues/4 notified pyp2spec] maintainers | |||
* [https://github.com/fedora-ruby/gem2rpm/issues/113 notified gem2rpm] maintainers | |||
We want to have all bits ready so that maintainers can start changing the spec files just after Fedora 37 branching (summer 2022). | |||
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Line 102: | Line 233: | ||
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | ||
* Policies and guidelines: | * Policies and guidelines: Licensing page, packaging guidelines has to be altered. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. --> | ||
Line 110: | Line 241: | ||
* Alignment with Objectives: | * Alignment with Objectives: | ||
<!-- Does your proposal align with the current Fedora Objectives: https://docs.fedoraproject.org/en-US/project/objectives/ ? It's okay if it doesn't, but it's something to consider --> | <!-- Does your proposal align with the current Fedora Objectives: https://docs.fedoraproject.org/en-US/project/objectives/ ? It's okay if it doesn't, but it's something to consider --> | ||
=== Status of licenses in Fedora === | |||
I tried to automatically convert all licenses in the current Fedora using `license-fedora2spdx`. And the results is: | |||
* 28478 - number of all lines with `License` tag in spec files | |||
* 2176 - errors in parsing the license. I estimate that about [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/DXVRRXMYXCHTP47DXMLLIGYUX6C5TDVQ/ a hundred packages do not use correct short name identifiers]. The rest of this is likely a result of this [https://gitlab.com/fedora/legal/fedora-license-data/-/issues/3 issue in fedora-license-data]. | |||
* 14931 - there is more than one option on how to convert the short name to SPDX (i.e., the cases of MIT, BSD, etc.) | |||
That means that 11371 license strings can be automatically converted. | |||
As of 2022-10-27: | |||
* There are 23302 spec files in Fedora | |||
* 264 mentions "spdx" in the spec changelog | |||
* out of the remaining, 173 packages mention "spdx" in dist-git log | |||
* 22865 packages needs to be migrated yet. | |||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
Line 115: | Line 264: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
License strings are not used anything in run time. This change will not affect the upgrade or runtime of Fedora. | |||
During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives. And we have to define a date where we flip these tools from old Fedora's short names to the SPDX formula. | |||
== How To Test == | == How To Test == | ||
Line 134: | Line 285: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Users should not need any testing. These steps are for package maintainers: | |||
* Fetch your license string from `License` tag in SPEC file. | |||
* Test that your current Fedora's short name is correct. E.g. | |||
$ license-validate -v --old 'MIT or GPLv1' | |||
Approved license | |||
* Convert license string to SPDX formula: | |||
$ license-fedora2spdx 'MIT or GPLv1' | |||
Warning: more options how to interpret MIT. Possible options: ['Adobe-Glyph', 'MIT-CMU', 'MIT-CMU', 'HPND', 'HPND', 'no-spdx-yet (MIT license (also X11))', 'SGI-B-2.0', 'SGI-B-2.0', 'SMLNJ', 'MIT-enna', 'MIT-feh', 'mpich2'] | |||
mpich2 or GPL-1.0-only | |||
In this example, the short name `GPLv1` can be converted straight to `GPL-1.0-only`. But short name `MIT` stands for several licenses with different [https://spdx.org/licenses/ SPDX identifiers]. You have to examine what license is package actually using. `license-fedora2spdx` will try to convert the formula and use one of the options but without any heuristics. You need to manually review the license. | |||
You can check if SPDX formula is correct using: | |||
$ license-validate -v "MIT-CMU or GPL-1.0-only" | |||
Note: `license-validate` should be in version 8-1 (present in F37+) otherwise it does not recognize the `--old` argument. | |||
== User Experience == | == User Experience == | ||
Line 146: | Line 315: | ||
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | ||
--> | --> | ||
Users should be able to use standard software tools that audit licenses. E.g. for Software Bills of Materials. | |||
== Dependencies == | == Dependencies == | ||
Line 151: | Line 322: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
No other dependencies. | |||
== Contingency Plan == | == Contingency Plan == | ||
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | <!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | ||
* Contingency mechanism: | * Contingency mechanism: In this first phase, if something goes wrong, we can 'git revert' each change in dist-git. It is expected that in the first phase, there will be only a few packages altered. It may be a few hundred, but it is still doable to revert. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | <!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | ||
* Contingency deadline: | * Contingency deadline: Beta freeze. But it is expected that not all packages will be converted by that time and the change will continue in the next release. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? | * Blocks release? No. This change has no impact on runtime of any package. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
== Documentation == | == Documentation == | ||
Line 167: | Line 337: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
[https://docs.fedoraproject.org/en-US/legal/allowed-licenses/|Allowed Licenses] | |||
[https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_process_used Update existing packages] | |||
== Release Notes == | == Release Notes == | ||
Line 175: | Line 348: | ||
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | ||
--> | --> | ||
In Fedora 38, we initiated the migration of license tags in RPMs to the SPDX identifier. The work has been done in more than 20 % of packages and will continue in the next Fedora release. |
Latest revision as of 20:48, 17 January 2023
SPDX License Phase 1
Summary
Introduce tooling and data allowing package maintainers to transition from Fedora's existing short license names to standardized SPDX license expressions. Update and improve Fedora-legal documentation related to licensing, and move off of wiki.
Owner
- Name: Miroslav Suchý
- Name: Jilayne Lovejoy
- Name: Neal Gompa
- Name: David Cantrell
- Name: Richard Fontana
- Name: Matthew Miller
- Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com, rfontana@redhat.com
Current status
- Targeted release: Fedora Linux 38
- Last updated: 2023-01-17
- devel thread
- FESCo issue: #2799
- Tracker bug: #2096410
- Release notes tracker: #846
Detailed Description
In the past, Fedora decided to represent licenses using short abbreviations in the License field of spec files. Although we documented the short names very well, the identifiers were never standard. In the meantime, SPDX identifiers have emerged as a new standard, and other vendors and developers have started using them. I want to especially highlight adoption by kernel, Debian, openSUSE, and FreeBSD.
In this change, we want to provide documentation and tooling to allow maintainers to begin using SPDX license expressions instead of the existing Fedora short names. The existing Fedora abbreviations will still be honored as the move to SPDX expressions will be opt-in. In Phase 2, we will identify the packages and help them to migrate to SPDX expressions.
Feedback
Ancient feedback from SPDX organization.
Summary from fedora-legal mailing list: we want this to happen, but this is big scope and likely will happen over more than one release.
Summary from packaging-committee:
Summary from devel-list: TBD
Questions from the mailing list discussion
Can we use SPDX expressions in older Fedora branches?
Yes.
How do we convert existing Fedora abbreviations to SPDX expressions?
- You can use the tool
license-fedora2spdx(1)
from the packagelicense-validate
. E.g.
- You can use the tool
license-fedora2spdx 'MIT or GPLv1'
- The fedora-license-data upstream project contains licenses and their approval status in Fedora. Where applicable, the existing Fedora short abbreviation is noted in the file as well. You can use this information to cross-reference the existing Fedora abbreviations to SPDX abbreviations. This information will also be published in more human-readable form as part of the Fedora Legal Documentation.
- As an example, let's say your package has "License: GPLv2+" in the spec file. A grep of the TOML files in the fedora-license-data project will point you to GPL-2.0-or-later.toml and if you look at that file, you will see the expression field under the [license] section says GPL-2.0-or-later. A description of the TOML file format is in the TEMPLATE.toml file at the top level of the project.
- The license-fedora2spdx tool should only be used as a starting point. Maintainers are encouraged to use this as an opportunity to check the source code for the package and construct a new, more accurate SPDX expression. The new Fedora legal documentation provides specific guidance and expectations on how to populate the License: field that somewhat differs from or is more consistent than past Fedora guidelines.
I have a package with BSD or MIT in the License field, how do I convert that?
- In this case, you will need to dig in to the source a bit more. SPDX differentiates between the various BSD licenses whereas the Fedora abbreviations called them all BSD. An excellent tool to help in this way is the SPDX License Diff tool (a browser plugin) The common ones are BSD-2-Clause and BSD-3-Clause.
- For MIT, it's similar: Fedora has previously used 'MIT' to refer to a large number of different licenses. However, note that unlike the BSD case, there is an SPDX identifier 'MIT', which refers only to the license that today is most commonly thought of as the MIT license. Ensure you are choosing the correct SPDX identifier(s) for your package.
You can also use the tool askalono crawl $DIRECTORY
. This tool is in the package askalono-cli
.
With Fedora abbreviations we could use and, or, and parentheses when constructing expressions. Can we do that with SPDX?
- Yes, but SPDX spells it AND and OR. Parentheses are allowed in the same manner as Fedora expressions. See https://docs.fedoraproject.org/en-US/legal/license-field/ for more information.
What if my License field is already SPDX-compatible?
- Well, you are ahead of the change proposal then. Thanks!
Can we combine Fedora abbreviations and SPDX abbreviations?
- No. If you want to use SPDX abbreviations, you have to convert the entire expression to SPDX syntax.
I maintain a firmware package, what do I use for the SPDX expression?
- There are a number of cases that require the fedora-license-data package to define new SPDX-compatible abbreviations. If the fedora-license-data project does not yet have a LicenseRef- file for your particular license, then Fedora Legal is still working on what that will look like. You may want to wait on the SPDX change until the next change proposal, or else submit an issue to the Fedora License Data project.
What tools validate the License field?
- There is license-validate noted below. There is also rpminspect and rpmlint which will validate the License tag value against the data that comes from the fedora-license-data RPM.
Can new packages use the older Fedora license abbreviations?
- No. All new packages will need to use SPDX expression syntax in the License field of the spec file.
How do I know if the spec file has been converted?
During the transition period, there will be some spec files that will use the new SPDX format and some spec files will use the old short names. In the second phase, we will try to identify a package that has not been migrated yet. To identify what has and what has not been migrated, please do one of the following:
- comment in spec file changelog entry. E.g., comment contains "SPDX migration". This is the most preferred way.
- comment in dist-git in some format. E.g., comment contains "SPDX migration".
Old to New Examples
This table shows some examples of existing License fields in Fedora packages and what they might look like with SPDX syntax. Note that these examples assume that a simple, straightforward conversion is possible, which will not be true in all cases (and may not be accurate for these specific packages). There may not be a one-to-one correspondence between a legacy Fedora license tag and an SPDX expression, because the assumptions around what the license abbreviations are supposed to represent or convey have changed or have been made more consistent. See https://docs.fedoraproject.org/en-US/legal/license-field/ for more information. Maintainers should use this change as an opportunity to check the source code of their package and improve the accuracy of the license tag.
Package | Fedora abbreviations | SPDX expression |
---|---|---|
glibc | LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL | (unable to convert now because of "Public Domain") |
zsh | MIT | MIT |
tmux | ISC and BSD | ISC AND BSD-3-Clause AND BSD-2-Clause |
libX11 | MIT | MIT |
htop | GPLv2+ | GPL-2.0-or-later |
emacs | GPLv3+ and CC0 | GPL-3.0-or-later AND CC0-1.0 |
firefox | MPLv1.1 or GPLv2+ or LGPLv2+ | MPL-2.0 |
coreutils | GPLv3+ | GPL-3.0-or-later |
openssh | BSD | SSH-OpenSSH |
openssl | ASL 2.0 | Apache-2.0 |
gcc | GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD | GPL-3.0-or-later AND (GPL-3.0-or-later WITH Classpath-exception-2.0) AND (GPL-2.0-or-later WITH Classpath-exception-2.0) AND LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause |
For firefox, it appears the source tree refers to MPL version 2.0 now and there no explicit mention of dual licensing with the GPL or LGPL. The maintainer(s) of this package should verify that before changing the License tag value.
OpenSSH carries a BSD license, but SPDX has its own entry for it. As of this writing, that entry is not yet in fedora-license-data.
Benefit to Fedora
The use of a standardized identifier for license will align Fedora with other distributions. And allows efficient and reliable identification of licenses.
Scope
- Proposal owners (things sorted by done/todo and by priorities):
- Miroslav Suchý: license-fedora2spdx - done
- Jilayne Lovejoy: map rest of Fedora licenses to SPDX ids - done
- David Cantrell: create machine-readable format and new repo - done
- David Cantrell: merge mapping of Fedora licenses to SPDX ids to new data format/repo - done
- Richard Fontana & Jilayne Lovejoy: review update all licensing info and legal pages in wiki - Done
- Jilayne Lovejoy & Richard Fontana: create and populate new Docs pages for legal and licensing info - Done
- Neal Gompa - create description of various tooling used by Fedora in relation to license data (need to decide where to put this) - TODO
- Miroslav Suchy - create fedora-license-data package (with data from rpminspect-data-fedora) - Package Review - done
- David Cantrell: separate licenses from rpminspect-data-fedora BZ 2077914 - DONE
- Miroslav Suchý: allow
license-validate
to use spdx - done - David and Miroslav: generate from license data to new Docs page similar to Licensing:Main - Done
- SOMEBODY: create a webhook that updates the Docs page after the merge to fedora-license-data - TODO
- Jilayne Lovejoy: prepare PR for updates to packaging guidelines - DONE [3]
- SOMEBODY: help maintainers who want to change license string to SPDX identifiers proactively.
- Out of Scope: In this phase, we do not target to move **all** packages to SPDX identifiers. That will be done in Phase 2. In Phase 2 we will identify the remaining packages and open BZ or PR.
- Other developers:
Early adopters can migrate their License tag to the SPDX identifiers. Proposal owners will gather feedback and will work on potential problems.
- notified pyp2spec maintainers
- notified gem2rpm maintainers
We want to have all bits ready so that maintainers can start changing the spec files just after Fedora 37 branching (summer 2022).
- Release engineering: #Releng issue number
- Policies and guidelines: Licensing page, packaging guidelines has to be altered.
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Status of licenses in Fedora
I tried to automatically convert all licenses in the current Fedora using license-fedora2spdx
. And the results is:
- 28478 - number of all lines with
License
tag in spec files - 2176 - errors in parsing the license. I estimate that about a hundred packages do not use correct short name identifiers. The rest of this is likely a result of this issue in fedora-license-data.
- 14931 - there is more than one option on how to convert the short name to SPDX (i.e., the cases of MIT, BSD, etc.)
That means that 11371 license strings can be automatically converted.
As of 2022-10-27:
- There are 23302 spec files in Fedora
- 264 mentions "spdx" in the spec changelog
- out of the remaining, 173 packages mention "spdx" in dist-git log
- 22865 packages needs to be migrated yet.
Upgrade/compatibility impact
License strings are not used anything in run time. This change will not affect the upgrade or runtime of Fedora.
During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives. And we have to define a date where we flip these tools from old Fedora's short names to the SPDX formula.
How To Test
Users should not need any testing. These steps are for package maintainers:
- Fetch your license string from
License
tag in SPEC file. - Test that your current Fedora's short name is correct. E.g.
$ license-validate -v --old 'MIT or GPLv1' Approved license
- Convert license string to SPDX formula:
$ license-fedora2spdx 'MIT or GPLv1' Warning: more options how to interpret MIT. Possible options: ['Adobe-Glyph', 'MIT-CMU', 'MIT-CMU', 'HPND', 'HPND', 'no-spdx-yet (MIT license (also X11))', 'SGI-B-2.0', 'SGI-B-2.0', 'SMLNJ', 'MIT-enna', 'MIT-feh', 'mpich2'] mpich2 or GPL-1.0-only
In this example, the short name GPLv1
can be converted straight to GPL-1.0-only
. But short name MIT
stands for several licenses with different SPDX identifiers. You have to examine what license is package actually using. license-fedora2spdx
will try to convert the formula and use one of the options but without any heuristics. You need to manually review the license.
You can check if SPDX formula is correct using:
$ license-validate -v "MIT-CMU or GPL-1.0-only"
Note: license-validate
should be in version 8-1 (present in F37+) otherwise it does not recognize the --old
argument.
User Experience
Users should be able to use standard software tools that audit licenses. E.g. for Software Bills of Materials.
Dependencies
No other dependencies.
Contingency Plan
- Contingency mechanism: In this first phase, if something goes wrong, we can 'git revert' each change in dist-git. It is expected that in the first phase, there will be only a few packages altered. It may be a few hundred, but it is still doable to revert.
- Contingency deadline: Beta freeze. But it is expected that not all packages will be converted by that time and the change will continue in the next release.
- Blocks release? No. This change has no impact on runtime of any package.
Documentation
Release Notes
In Fedora 38, we initiated the migration of license tags in RPMs to the SPDX identifier. The work has been done in more than 20 % of packages and will continue in the next Fedora release.