(add more info on tasks, etc.) |
|||
Line 18: | Line 18: | ||
* Name: [[User:ngompa| Neal Gompa]] | * Name: [[User:ngompa| Neal Gompa]] | ||
* Name: [[User:dcantrell| David Cantrell]] | * Name: [[User:dcantrell| David Cantrell]] | ||
* Name: [[User:rfontanaref| Richard Fontana]] | |||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com | * Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com, rfontana@redhat.com | ||
Line 54: | Line 55: | ||
In the past, Fedora decided to use short names for licenses. Although we documented the short names very well. The identifiers were never standard. In the meantime, SPDX identifiers become standard, and [https://wiki.spdx.org/view/Business_Team/Adoption other SW vendors start using it]. | In the past, Fedora decided to use short names for licenses. Although we documented the short names very well. The identifiers were never standard. In the meantime, SPDX identifiers become standard, and [https://wiki.spdx.org/view/Business_Team/Adoption other SW vendors start using it]. | ||
In this phase, we want to provide documentation and tooling to allow maintainers to | In this phase, we want to provide documentation and tooling to allow maintainers to begin using SPDX license ids instead of the old Fedora short names. This move is opt-in. There will be Phase 2, where we identify the remaining packages and help them to migrate to the SPDX formula. | ||
== Feedback == | == Feedback == | ||
Line 61: | Line 62: | ||
Summary from [https://lists.fedoraproject.org/archives/search?q=spdx&page=1&mlist=legal%40lists.fedoraproject.org&sort=date-desc fedora-legal mailing list]: we want this to happen, but this is big scope and likely will happen over more than one release. | Summary from [https://lists.fedoraproject.org/archives/search?q=spdx&page=1&mlist=legal%40lists.fedoraproject.org&sort=date-desc fedora-legal mailing list]: we want this to happen, but this is big scope and likely will happen over more than one release. | ||
Summary from packaging-committee: | |||
* [https://pagure.io/packaging-committee/pull-request/971#]: older PR to change packaging guidelines | |||
* [https://pagure.io/packaging-committee/pull-request/1142]: present PR that needs more updating | |||
Summary from devel-list: TBD | Summary from devel-list: TBD | ||
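Review bot: the added "Summary from packaging-committee:" entry lists two pull requests but never summarizes the committee's position, unlike the fedora-legal line above it. Add one sentence stating the outcome, or mark it TBD as the devel-list line does. The first URL also ends in a stray `#`.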
Line 99: | Line 104: | ||
** Miroslav Suchý: license-fedora2spdx - done | ** Miroslav Suchý: license-fedora2spdx - done | ||
** Miroslav Suchý: allow `license-validate` to use spdx - TODO | ** Miroslav Suchý: allow `license-validate` to use spdx - TODO | ||
** David Cantrell: | ** Jilayne Lovejoy: map rest of Fedora licenses to SPDX ids - done | ||
** David Cantrell: create machine readable format and new repo - done | |||
** David Cantrell: merge mapping of Fedora licenses to SPDX ids to new data format/repo - done | |||
** David Cantrell: separate licenses from rpminspect-data-fedora [https://bugzilla.redhat.com/show_bug.cgi?id=2077914 BZ 2077914] - TODO | ** David Cantrell: separate licenses from rpminspect-data-fedora [https://bugzilla.redhat.com/show_bug.cgi?id=2077914 BZ 2077914] - TODO | ||
** David Cantrell: generate from license data | ** Richard Fontana & Jilayne Lovejoy: review update all licensing info and legal pages in wiki - in process | ||
** SOMEBODY: help maintainers who want to proactively change license string to SPDX | ** Jilayne Lovejoy & Richard Fontana: create and populate new Docs pages for legal and licensing info - in process | ||
** David Cantrell: generate from license data to new Docs page similar to [https://fedoraproject.org/wiki/Licensing:Main#Software_License_List Licensing:Main] | |||
** Jilayne Lovejoy: prepare PR for updates to packaging guidelines - in process [https://pagure.io/packaging-committee/pull-request/1142] | |||
** SOMEBODY: help maintainers who want to proactively change license string to SPDX identifiers. | |||
* Out of Scope: In this phase, we do not target to move **all** packages to SPDX identifiers. That will be done in Phase 2. In Phase 2 we will identify the remaining packages and open BZ or PR. | * Out of Scope: In this phase, we do not target to move **all** packages to SPDX identifiers. That will be done in Phase 2. In Phase 2 we will identify the remaining packages and open BZ or PR. | ||
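Review bot: in the proposal owners list, the added item "David Cantrell: generate from license data to new Docs page ..." has no status, while every other owned item ends in done, TODO or in process; add one. The "SOMEBODY" item still has no named owner, and "review update all licensing info" reads as if a word is missing between "review" and "update".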
Line 116: | Line 126: | ||
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | ||
* Policies and guidelines: Licensing page has to be altered. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Policies and guidelines: Licensing page, packaging guidelines has to be altered. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. --> | ||
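Review bot: the "Policies and guidelines" line now names the packaging guidelines but does not link the pull request, which the template comment directly below asks for; the Scope hunk already cites pull-request/1142, so link it here as well. "Licensing page, packaging guidelines has to be altered" should also read "Licensing page and packaging guidelines have to be altered".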
Revision as of 14:36, 10 May 2022
SPDX License Phase 1
Summary
Transition from Fedora's short names for licenses to the standardized SPDX license formula.
Owner
- Name: Miroslav Suchý
- Name: Jilayne Lovejoy
- Name: Neal Gompa
- Name: David Cantrell
- Name: Richard Fontana
- Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com, rfontana@redhat.com
Current status
- Targeted release: Fedora Linux 38
- Last updated: 2022-05-10
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
In the past, Fedora decided to use short names for licenses. Although we documented the short names very well, the identifiers were never standard. In the meantime, SPDX identifiers have become standard, and other software vendors have started using them.
In this phase, we want to provide documentation and tooling to allow maintainers to begin using SPDX license ids instead of the old Fedora short names. This move is opt-in. There will be Phase 2, where we identify the remaining packages and help them to migrate to the SPDX formula.
Feedback
Ancient feedback from SPDX organization.
Summary from fedora-legal mailing list: we want this to happen, but this is big scope and likely will happen over more than one release.
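Summary from packaging-committee:
- https://pagure.io/packaging-committee/pull-request/971 : older PR to change packaging guidelines
- https://pagure.io/packaging-committee/pull-request/1142 : present PR that needs more updating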
Summary from devel-list: TBD
Benefit to Fedora
The use of standardized license identifiers will align Fedora with other distributions and allow efficient and reliable identification of licenses.
Scope
- Proposal owners:
- Miroslav Suchý: license-fedora2spdx - done
- Miroslav Suchý: allow `license-validate` to use spdx - TODO
- Jilayne Lovejoy: map rest of Fedora licenses to SPDX ids - done
- David Cantrell: create machine readable format and new repo - done
- David Cantrell: merge mapping of Fedora licenses to SPDX ids to new data format/repo - done
- David Cantrell: separate licenses from rpminspect-data-fedora BZ 2077914 - TODO
- Richard Fontana & Jilayne Lovejoy: review update all licensing info and legal pages in wiki - in process
- Jilayne Lovejoy & Richard Fontana: create and populate new Docs pages for legal and licensing info - in process
- David Cantrell: generate from license data to new Docs page similar to Licensing:Main
- Jilayne Lovejoy: prepare PR for updates to packaging guidelines - in process (https://pagure.io/packaging-committee/pull-request/1142)
- SOMEBODY: help maintainers who want to proactively change license string to SPDX identifiers.
- Out of Scope: In this phase, we do not target to move **all** packages to SPDX identifiers. That will be done in Phase 2. In Phase 2 we will identify the remaining packages and open BZ or PR.
- Other developers:
Early adopters can migrate their License tag to the SPDX identifiers. Proposal owners will gather feedback and will work on potential problems.
We want to have all bits ready, so that maintainers can start changing the spec files just after Fedora 37 branching (summer 2022).
- Release engineering: #Releng issue number
- Policies and guidelines: The Licensing page and packaging guidelines have to be altered.
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
License strings are not used by anything at run time. This change will not affect the upgrade or runtime of Fedora.
During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives, and we have to define a date when we flip these tools from Fedora's old short names to the SPDX formula.
How To Test
Users should not need any testing. These steps are for package maintainers:
- Fetch your license string from the `License` tag in the SPEC file.
- Test that your current Fedora short name is correct. E.g.

```
$ license-validate -v 'MIT or GPLv1'
Approved license
```

- Convert the license string to an SPDX formula:

```
$ license-fedora2spdx 'MIT or GPLv1'
Warning: more options how to interpret MIT. Possible options: ['Adobe-Glyph', 'MIT-CMU', 'MIT-CMU', 'HPND', 'HPND', 'no-spdx-yet (MIT license (also X11))', 'SGI-B-2.0', 'SGI-B-2.0', 'SMLNJ', 'MIT-enna', 'MIT-feh', 'mpich2']
mpich2 or GPL-1.0-only
```

In this example, the short name `GPLv1` can be converted straight to `GPL-1.0-only`. But the short name `MIT` stands for several licenses with different SPDX identifiers. You have to examine which license the package is actually using. `license-fedora2spdx` will try to convert the formula and use one of the options, but without any heuristics. You need to manually review the license.

You can check if the SPDX formula is correct using:

```
$ license-validate -v --file FIXME "MIT-CMU or GPL-1.0-only"
```
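The ambiguity described above, as an added sketch that is not part of `license-fedora2spdx` or of the original page: a converter that leaves an ambiguous short name unresolved until the maintainer supplies the reviewed choice, instead of picking one candidate. The mapping table is a constructed sample built only from the names quoted in the output above; `convert` and `choices` are hypothetical names.

```python
import re

# Constructed sample table holding only the mappings quoted on this page;
# the real mapping lives in Fedora's license data, not here.
FEDORA_TO_SPDX = {
    "GPLv1": ["GPL-1.0-only"],
    "MIT": ["Adobe-Glyph", "MIT-CMU", "HPND", "SGI-B-2.0",
            "SMLNJ", "MIT-enna", "MIT-feh", "mpich2"],
}

# Split on parentheses and on and/or surrounded by whitespace, so short
# names that contain spaces stay in one piece.
_SPLIT = re.compile(r"(\(|\)|\s+and\s+|\s+or\s+)", re.IGNORECASE)


def convert(expr, choices=None):
    """Convert a Fedora license string to an SPDX formula.

    choices maps an ambiguous short name to the SPDX id the maintainer
    confirmed by reviewing the package. Returns (spdx, ambiguous, unknown);
    spdx is None while any name is unresolved, so nothing is guessed.
    """
    choices = choices or {}
    tokens, ambiguous, unknown = [], {}, []
    for piece in _SPLIT.split(expr):
        name = piece.strip()
        if not name:
            continue
        if name in ("(", ")") or name.lower() in ("and", "or"):
            tokens.append(name)  # operators and grouping pass through
            continue
        candidates = FEDORA_TO_SPDX.get(name)
        if candidates is None:
            unknown.append(name)  # no mapping known for this short name
        elif len(candidates) == 1:
            tokens.append(candidates[0])
        elif name in choices:
            if choices[name] not in candidates:
                raise ValueError(f"{choices[name]!r} is not a candidate for {name!r}")
            tokens.append(choices[name])
        else:
            ambiguous[name] = candidates  # needs manual review
    if ambiguous or unknown:
        return None, ambiguous, unknown
    spdx = " ".join(tokens).replace("( ", "(").replace(" )", ")")
    return spdx, ambiguous, unknown


if __name__ == "__main__":
    print(convert("MIT or GPLv1"))
    print(convert("MIT or GPLv1", {"MIT": "MIT-CMU"}))
```
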
User Experience
Users should be able to use standard software tools that audit licenses, e.g. for Software Bills of Materials.
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)