From Fedora Project Wiki

Transcript of 12 April 2023 Fedora Council Video Meeting

This transcript was computer generated and might contain errors. It was lightly edited for clarity. Time stamps are approximate due to editing.

Video available on YouTube.

Matthew Miller: Hey everybody. I am Matthew Miller, and this is a Fedora Council video meeting. So, in Fedora Matrix chat, every week or so. But once a month we do a video call to do kind of a high bandwidth conversation about something interesting going on in the project, hopefully something that's going. Well, not something that's going wrong. Something somebody has done or is doing and can I have a conversation about that and show something off? So, today we are talking about licensing, which

Matthew Miller: Is an important topic for Fedora: license and keep track of that. And so, we recently went through a big change in how we do that. So we have David Cantrell, who is a member of the Fedora Council but also worked a lot on this, Miroslav Suchý and Jilayne Lovejoy and Richard Fontana here to talk about this with us. I guess David says a tag team sort of presentation. So with that, I will turn it over to you. Do you want us to let people with questions jump in during the presentation? Or would you like us to let you do your dog and pony show?

David Cantrell: Yes. So, so the slides probably won't take that long. I would prefer if we can get through these slides and then do a larger Q&A at the end. The other reason I ask for that is I, I have to drop exactly at 11 because I have another meeting. So, if if we can do that, if everyone's cool with that, Okay, all right.

Matthew Miller: That sounds good to me.

David Cantrell: Now, let me present. The window here. Okay.

David Cantrell: Particularly. just,

David Cantrell: Yeah.

Matthew Miller: Yep, looking good.

David Cantrell: Okay. Okay, this is Fedora SPDX licenses and expressions. Sorry. Yes, this is a very interesting topic. There's a lot to it. It sounds really simple, but let's get into it. First off, who are we? I'm not gonna go in this order. I'm gonna call on people. So as Matthew said, I'm David Cantrell. I work on the software management team, so I work on RPM and DNF and things adjacent to that. I'm a member of FESCo and on the Fedora Council.

Jilayne Lovejoy: Hi. I'm Jilayne Lovejoy, I'm a product counsel at Red Hat. I've also worked on the SPDX legal team, pretty much since the beginning of SPDX, and kind of always kept an eye on what Fedora... the Fedora license list was a big influence for SPDX at the very beginning especially, and I've worked on other sort of open source, legal type community issues over my career.

David Cantrell: Miroslav.

Miroslav Suchy: My name is Miroslav Suchý, a manager in the Packit and CPT team, where we try to ease the package maintenance. And as a side job or volunteering, kind of package maintainer of a few packages in Fedora, the fedora-license-data package in Fedora, and the license-validate package.

David Cantrell: And Richard's.

Richard Fontana: I'm Richard Fontana. I'm a lawyer at Red Hat. I am on what's now called the Technology and Open Source legal team. And I've done work mainly around open source legal issues for a long time. Now, I've been at Red Hat for a long time, actually have worked provided advice around Fedora Council Red Hat which is an interesting. Fun fact. So I got to Red Hat in 2008, but that's That's me.

00:05:00

David Cantrell: Okay, thank you. And before we keep going, I just want to point out that this to me, this project, we've been working on this for a couple of years now. And it is a successful community project in Fedora, not just engineering, but also people from Red Hat Legal. And I think this is the first for Fedora.

Jilayne Lovejoy: Yeah. So hopefully most of you have heard of SPDX before, but if you haven't, or if you're not entirely sure what it is, it stands for the Software Package Data Exchange. Obviously, SPDX is what we usually go by. And it's basically an open standard for communicating software bill of materials information, including license information. Which is, of course, what we're talking about here.

Jilayne Lovejoy: As well as other information. So think about it as like a language, right? In the software supply chain, people often want to know what the software is made of, and they ask for that in various forms, and having various forms in your supply chain is not a very efficient thing. So SPDX was created with the idea of like, let's communicate this information in a standard way and define that, and that'll make everything more efficient. Now, you may have heard about software bills of materials a lot in the news the last couple years, especially since the US government is now requiring them. However, this is not new; SPDX has been around since 2010. People have been asking for this information since then, it's just gotten a lot more headlines, I guess you'd say, in the last couple years. SPDX the specification, just a side note, is quite a lengthy document with a lot of information in it, and there's a 3.0 coming out.

Jilayne Lovejoy: Which will be a bit more modular to accommodate sort of different use cases, by way of profiles. So, for example, if you're interested in provenance, but you don't care so much about licensing, or so forth and so on. It became a standard, is a standard, in September 2021. But the thing that we sort of care about most here is sort of a subset of the bigger project, and that is the SPDX license list, which is not simply a list, as I always say, although that's what everybody thinks of it, and obviously that's what it's called. But there are, if you go to the website, there's a list of licenses and you see the names, and most importantly, the license IDs. But the sort of work around that to make that a reliable way to identify licenses and exceptions is that there's some standards and guidelines of how things get added, and there's matching guidelines to make sure that one ID truly represents an identified amount of text and

Jilayne Lovejoy: And we don't have two things called the same thing, or two things called different things that are the same, vice versa, and so yeah. So the SPDX licenses are often used even if someone doesn't use the SPDX specification, which is sort of what we're doing here. And just as a side note, there's been a long history of involvement between Fedora and SPDX. I kind of looked back at the history of this, and of course Tom Callaway was involved in the early days. And, you know, we were looking at the good and bad list and how things were tracked in Fedora, and the Fedora licenses, and added many of them to the SPDX license list. I think this is notable because we added about 80 licenses at that time to the list, which is the biggest addition ever.

Jilayne Lovejoy: In one rev of the license list, and just last release of the SPDX license list I think we added about 40, most of those because of the Fedora license list. That said, the Fedora license list is really contributing to the bigger system, you know, ecosystem, if you want to call it that, being able to identify licenses and track them.

David Cantrell: Okay, thank…

Jilayne Lovejoy: All right.

David Cantrell: So I'm a package maintainer. Miroslav's package maintainer of Fedora. License information in the packages. So I like, Why are we doing this? Richard, can you tell me why we're doing this?

Richard Fontana: Well, yeah, I think we probably all have somewhat different perspectives on this, like for me, SPDX expressions. So, not just the identifiers that are in the SPDX license list, but the sort of larger system of SPDX expressions, which are, as Jilayne said, a language which you can use for representing any sort of license information. This enables, the advantage that I see is it enables a kind of well-defined, you know?

00:10:00

Richard Fontana: Highly precise way of describing the licenses that apply to the various parts of a package, and that in itself, like that degree of accuracy and completeness of this information, is sort of to me inherently valuable, because otherwise, you know, you either have kind of inaccurate information or information that is sort of too fuzzy and, you know, isn't going to mean the same thing from package to package, different conventions from package to package.

Richard Fontana: Um, SPDX provides a way to have a uniform way of describing, in a very precise way, the licenses that apply to all the packages and products. So if you think that license description is valuable at all, and we do, SPDX is really the best system that we have right now for doing that.

Jilayne Lovejoy: I'll just add, I think, you know, the sort of stating the obvious that the reason this is important obviously is if you know we want to be able to reuse code and collaborate and open source licenses enable that, right? So the licenses, you know, does matter. I know sometimes Developers might think otherwise, but that's what kind of helps create the framework for, for all the things we do, especially in Fedora Fedora, license it, you know, you don't make it sort of easy for someone to know what that licenses is. It creates a lot of churn downstream because People who are redistributing.

Jilayne Lovejoy: Especially if it's in products are going to. They really want you know they want to make sure they know what licenses they are dealing with and so there's a lot of time spent and energy on sort of unraveling license information and so you know, I think There's almost a whole business around that. I think it's a better use of time to just let's make it the information better upstream and then there's less time spent downstream. Instead of everybody redoing that work downstream. So I think it is important. It just makes it easier for everybody, however, they're using the code once it's created.

David Cantrell: Okay, well this is good because, like, as an engineer, I definitely like things to be correct and accurate. If I'm telling someone that something that I am offering them is open source or free software or both, I definitely want to know that they understand that and that the licensing information is correct. So this is good. Fedora has an opportunity to participate in this existing standard, you know, as a community member, and we get to sort of ensure that everything that we have in Fedora has correct licensing information. But also as a package maintainer,

David Cantrell: Naturally, we get a little bit of pushback: we have a well-established system. Well, I use the term established loosely, because it was mostly the work of Tom Callaway and there wasn't a clear process to get information on. There is basically, you know, have a discussion with whoever wanted to have the discussion and then agree on a short name, and the objective seemed to be focused around what short abbreviation we were going to give the licenses. Not really, are these the same thing or are they different licenses? Are they actually things we can ship? It was focused more on the technical aspect, and we had no clear owner of this data and it was duplicated in multiple places. We just, you know, we've grown past what it could provide us.

David Cantrell: So with all that, what have we done?

David Cantrell: All right. Here's the big reveal. It's Surprise. So we have

00:15:00

David Cantrell: Lacking, missing. It was inconsistent. We have clear processes for everything now and it's GitLab. So if you see mistakes or you want to add something or information on a tool, please send a merge request. For fedora-license-data, this is what used to be those big license lists on the Fedora wiki...

Richard Fontana: like,

David Cantrell: but it also gets published to the docs site, which is quite nice. Um, I'll kind of go clockwise here: contributions to SPDX. As we review packages and licenses, here we are contributing new licenses or changes to matching rules back to SPDX. Fedora has a lot of software, a lot of open source software, a lot of free software. There are things that we can contribute back, and that's been going well and it's nice to see that happening. And then the big part of this project is obviously the migration to the expressions in the spec files. This.

Richard Fontana: Right.

David Cantrell: This is obviously complicated and we've broken it down into a number of different phases.

Jilayne Lovejoy: I just want to add, I think just as a sort of a timeline, when I joined Red Hat in February of 2021, I think the discussion about moving the data off the wiki had already, you know, predated me. And, of course, I had been talking to Tom and Richard, I don't know, for over a decade. I think we figured out about Fedora adopting SPDX expressions. I think the focus was on sort of those two buckets, across from each other on the slide. The documentation piece, I think, you know, we realized that the wiki is getting old and everything should be moved to docs. And so that turned out to be a much bigger project, and, you know, we didn't really count on it.

Jilayne Lovejoy: In the beginning, and then, you know, it was sort of its own project to sort of revise and update all of that. So I think all of this, you know, is a bit more work than we anticipated. We'll just, you know, just switch to SPDX identifiers.

David Cantrell: He yeah.

Jilayne Lovejoy: Like, how hard could it be, just stuff to get into a GitLab repo? And then I would just add, from the SPDX perspective, I mean, besides, I mentioned all these new licenses that were added. You know, I know Richard at times, and others, have said, you know, the SPDX license list is not, there's not enough licenses on there. It doesn't reflect, you know, say, what's in an entire Linux distro. I mean, the Linux kernel adopted SPDX IDs and so that, you know, definitely added, but it's as long as anyone, you know, there's as many licenses on it as people ask for there to be. So I mean, other than when SPDX legal went out and

Jilayne Lovejoy: and of course the initial release, and then later went and tried to pull stuff off of Fedora, the Fedora Council is having this really great, you know, and sometimes challenging, knock-on effect on SPDX and, therefore, like a much wider range of people and community and influence, you know, beyond just Fedora.

Jilayne Lovejoy: Council. You know, great thing about open source, right? And, you know, that's forced SPDX to kind of look at some of our processes and make it a little more efficient, hopefully. And, you know, that work will continue.

David Cantrell: Yeah.

Richard Fontana: I would just want to emphasize also that this is kind of a, this is a project that's larger than just the SPDX piece of it. We've been improving, so the docs, we've been improving all the legal documentation by kind of creating this new documentation we're making,…

David Cantrell: Hmm.

Richard Fontana: it sort of clearer and updating it and kind of rationalizing it. So, there are certain contradictions in the way things were laid out in the wiki. Just the documentation around, not just like license names, but all sorts of other related Fedora stuff, just by itself has enabled a kind of collaborativeness and transparency, a sort of way of working that is, I think, much better than, you know, the past approach of, you know, kind of having a mailing list and then kind of having some back channel email

Richard Fontana: Discussions between me and Tom Callaway. This is a much improved approach, I think, to just kind of getting this kind of work done.

David Cantrell: Yeah, that's a good point.

Jilayne Lovejoy: Yeah.

00:20:00

David Cantrell: It's really nice because people can see how the stuff plays out, how the process works, and they can get involved that way.

Jilayne Lovejoy: I think, like, you know, just to build off of Richard's point about the documentation. I mean, I don't know if this is happening yet, but I think it's very foreseeable, that articulation of the license standards for Fedora.

David Cantrell: It's true. Yeah. So with all that and that that large overview, we did it, we're done, everything's finished.

David Cantrell: Well, the easy part was. So now we actually get to the business end of what we're doing, and that's going back to the migration here. So this is the part where we've been planning some hackfests. We will be sending out notices about that, but what we have found and what we've agreed on approach-wise is there's a subset of packages where the license identifier that's in there is simple. Maybe it's just GPLv2+, the old Fedora license, and the software is well understood. It's something major and we know what it is. So there's some things like that that we can

David Cantrell: Generate an SPDX expression for, but really, what this comes down to, to get this information really correct, is manual inspection of source code, either by a scanning tool, or reading it, or something like that. And that is a thing that we need to incorporate into the general package maintenance process, the new package process. But we do understand that this is kind of new, kind of, you know, it's a change from how we have done things. So that's why we want to do these hackfest days to show people, you know, kind of the process that you can use to go through this.

Richard Fontana: April.

David Cantrell: Sorry. Now. Revised policy here. Richard I wanted you to touch on these two main objectives here for package maintainers here.

Richard Fontana: Yeah, so this is not conceptually new. This is the same thing that we did in the past before we were using SPDX expressions to represent licenses. But this is kind of how we are using SPDX expressions now. So there are two parts of this. There's first, as we encounter new licenses in Fedora,

Richard Fontana: Um, you…

David Cantrell: Something.

Richard Fontana: they're not already in fedora-license-data and already classified. We undergo a review based on GitLab issues and determine, you know, do they fit into one of our approval categories, or are we going to treat them as disallowed? And in some cases, we actually have licenses that are disallowed but we grant certain limited exceptions to their use. And the way we kind of conceptualize what a license is in that phase is really from the start, sort of, we may not have an SPDX expression because there may not be an identifier yet to represent it. But we're always thinking, how would this fit in with the SPDX model of what a license is? That's one piece of it, and then if something is

Richard Fontana: Approved. Then the normal process, with some exceptions, is to kind of submit an issue to the SPDX project to add the license as a license identifier to the SPDX license list. So that's one part. And then the other part is, once you do have an SPDX expression, you know, we have this practice in Fedora of license metadata in RPM spec files, and so we created some updated documentation about this. But, you know, in addition to

Richard Fontana: You know, the fact that we're now using SPDX expressions in the License field in the spec files, we also have kind of clearer documentation on how you sort of figure out what that representation should be. And so the sort of summary of the rule we have, which is not different from the past rule under the Tom Callaway system, really, but it's more clearly sort of set out, is that the License field is supposed to be a simple enumeration of all the licenses covering code and content, and, you know, anything that's in the binary RPMs that are shipped by Fedora. So there are going to be some packages that will have some material covered by a particular license in

Richard Fontana: In the source code where that particular license won't be represented in the License field. That's just because of this policy we have: the Fedora License field represents what's in a given binary RPM. So that's the two pieces of how we are using SPDX expressions in this, you know, new system.

00:25:00

David Cantrell: To package maintainers is that the expression that you're generating is for code and content in the binary RPMs. And yes, that has been sort of an understood policy, but I don't remember where it was written down, and I know that some people thought otherwise and would add other licenses to the License tag. So this is important when we have maintainers using scanning tools, because it's going to pick up, for example, Autoconf and Automake template files, which are littered with GPL boilerplate, but that's stuff for building the software that doesn't actually ship in the binary RPM in some instances. So we just need to work with package maintainers so they understand, you know, how to look at the scanning tool output and things like that. So there's a lot of work ahead of us, and Miroslav has been posting progress reports for us and sort of giving us an idea of where we stand. So Miroslav

Miroslav Suchy: Yeah, so I try to send every two weeks to the Fedora devel and Fedora legal mailing lists a status of where we are. I create a burndown chart out of this data, which can give us some estimate of when we are going to be finished, because we are at an early stage, it's always going one month left, one month right. So this, it oscillates around the summer of 2024 right now, and we are right now at 34% done. So two thirds are ahead of us. Ah, it's like…

David Cantrell: Thanks.

Miroslav Suchy: how many, twenty thousand, less than 20,000 packages and

Miroslav Suchy: Yeah, we need help of other people, like, well, we can't do that manually. Like if our team, like David, Richard and Jilayne, would work on that solely alone,…

David Cantrell: just,

Miroslav Suchy: that would probably be 20 years of estimated time, so we need help from maintainers, and I'm sending these reports in a silly hope that automating these statistics will, like, say, okay, I'm seeing this SPDX statistics for the 25th time already, so maybe I can read it. And usually, at the bottom, there's something: so, what you can do, whether your packages are in the Done part. If you are curious, there's a link for the scripts which actually check the data, but

Miroslav Suchy: Very simply, it checks the spec file's changelog and then the dist-git changelog, and if there is an SPDX string then I consider it done. And then it's followed by some heuristic, whether the license is valid as an old or a new one, and based on that I do some recommendation. That's all.

David Cantrell: Yeah, it's great. Thank you. And I wanted to add to that that I have noticed, posting those reports every two weeks, I have seen package maintainers go and take that step and convert their packages on their own, you know, not waiting for us to do a hackfest or something, you know, that we would start. So I think it is helping, but there is a lot of work to do. So looking forward here, Jilayne, what do we have down the road?

David Cantrell: Oh, you're muted.

Jilayne Lovejoy: I think so, that's a great segue to how do we, you know, help package maintainers update the packages more efficiently. One thing, if anyone's wondering this, and it was talked about a lot early on, was: well, can't we just do, like, I'm gonna call it a find and replace? Like, well, we have this mapping of the old IDs to the new ones, you know, can't we just sort of automate that in some way? And that's not doable at scale for a number of reasons, one of which is the Fedora license texts. And that's not how SPDX works. And then there's quite a few like that that represent, you know, a big chunk of

00:30:00

Jilayne Lovejoy: The packages. And so that's sort of impossible for those. Those need to be sort of manually inspected, and then there is also a lot of, some of us believe that, while, you know, sometimes package maintainers don't update or look at the licenses except at the very initial review, this might be a good opportunity to sort of double check things. And otherwise, you know, we just sort of regenerate, you know, wrong information in a new format, you know, and that wouldn't be good. So we've now, there's a change proposal that's posted on the wiki, that we thought, well, let's maybe kind of do something in the interim. We'll map some IDs that we feel reasonably confident are sort of a one-to-one relationship to SPDX and create

Jilayne Lovejoy: Merge requests or issues on those, so the package maintainer has a chance to actually review them, and sort of a little bit of another nudge in addition to Miroslav's every-other-week kind of reminder. We haven't done this yet. That's, you know, sort of coming later. But in the meantime, we have a hackfest planned for April 26th. We need to announce that still. That'll focus on the ELN packages. That'll sort of do some training on how

Jilayne Lovejoy: David will do a demo on how to kind of review a package. So, you know, and then anyone can attend and review their packages during the hackfest, and you'll have people there to help out. So I think that'll be great. If it goes well, maybe we'll do another one. I'm gonna let Richard talk about the PELC data. I think I've already mentioned the sort of influence on SPDX and impact on other, you know, potential for impact on other communities, which, you know, is to be seen. And we've been trying to improve the documentation, like, ongoing. Like, as people have questions, especially on the updating packages, we've been, you know, if something's not clear, Richard and I have been trying to just stay on top of that. So it doesn't get stale.

Richard Fontana: Yeah, about the PELC data. So PELC is this system, you could say a sort of legacy system, we have inside Red Hat for, among other things, it sort of makes use of license scanning, and it sort of duplicates a lot of what this Fedora Linux.

Richard Fontana: And we had this goal, you know, of kind of taking the license approval and disapproval data we've been kind of developing internally through this PELC tool and kind of, like, merging it with the Fedora data. As we sort of have migrated to using SPDX identifiers and having this new process, we're actually getting that extra data that was, you know, gleaned from analyzing RHEL internally at Red Hat through this public process we have in Fedora. A goal from the Red Hat side is that we want to have

Richard Fontana: Ideally, ultimately, the single list, we speak of a single source of truth of, you know, what from Red Hat's perspective are approved and disapproved licenses based on, you know, Fedora license policy, across all of its, you know, portfolio of community projects and downstream commercial products and so forth. So that's an ongoing thing. But I think it's sort of, in a sense, taking care of itself through the progress we've made with Fedora.

David Cantrell: All right, thank you. Everyone can see what a simple task software licensing is. Hopefully this answered some questions. I'd like to thank everyone for joining this call. I'd like to thank everyone on the Fedora SPDX team for helping with this presentation. I'm going to stop sharing my slides now and we can move to, I guess, Q&A.

Matthew Miller: Yeah. Oh my voice is not working. Sorry. Yeah, thank you everybody. This was really great. I don't think I have any questions because it was so thorough. I don't know if that's better. Also, I've been following this all along, so with,…

David Cantrell: That's true. Yes.

Jilayne Lovejoy: Like questions,…

Matthew Miller: does anyone else have a question?

Jilayne Lovejoy: Matthew. I said,…

00:35:00

Matthew Miller: What that? Right? Well,…

Jilayne Lovejoy: I would hope you don't have any questions.

Matthew Miller: but I should be able to like, you know, ask some leading questions or something. That's a

David Cantrell: Yeah, I should have sent you some before the call.

Matthew Miller: that's one thing I want to say is, David, I think you were a little bit harsh on the older process. I think there was good, it wasn't just talking about, like, what the short ID should be. There were a lot of interesting conversations about

David Cantrell: Yeah, so I should clarify with that. That was not my intent. I feel like we kind of had two sides to that process and it was separate groups that didn't always necessarily know the other was talking. So from my point of view, as a package maintainer, I would ask about something and then I was just waiting to be told what the short ID would be, you know. And so I didn't know what the rest of the involvement was in the process. We have now, moving to SPDX, everything is all tied together. You can see the whole workflow through the entire process, which I think is better, but I did not mean to be too harsh on the old system.

Richard Fontana: Yeah. And the old system we actually had, as far as I was involved in it, going back to 2008, actually 2007, before I was at Red Hat, Tom Callaway was exploring, like, you know, issues of FOSS license policy at an extremely deep and intricate level, and I got involved in that. And so there were all these discussions happening, largely between me and Tom Callaway, behind the scenes, but that was not public. And I think we're still sort of guilty, you know, in this new system, of not being as transparent about this thinking process part of it as we could be. But I'm trying to, like, in dealing with issues on GitLab, I'm trying to do a better job of kind of publicly explaining, like, the reasoning process. And this is also why we have better documentation. So one thing we didn't have in the old system is any attempt to have kind of like a distilled explanation of what Fedora

Richard Fontana: Sort of a more elaborate explanation of, like, what is our policy around documentation, what is our policy around font licenses, in a way that we didn't quite have before. I mean, it wasn't that bad before, but I think it's better now.

Jilayne Lovejoy: And I'll just add that.

David Cantrell: Next.

Jilayne Lovejoy: I mean, it was really interesting, that whole process of what Richard described of looking at the documentation, updating it. Because even as someone who's not, like, intimately involved in Fedora.

David Cantrell: but,

Jilayne Lovejoy: You kind of knew what the policy was, of what was allowed. Um, if you watch the Fedora,

Jilayne Lovejoy: A single point of failure with one person holding all that in their head and everyone just assuming they know what it is. I mean, you really need to have it documented and…

David Cantrell: which,

Jilayne Lovejoy: and I think that's a common problem in open source projects, because I've reflected a lot on my role in SPDX and…

Matthew Miller: Get.

Jilayne Lovejoy: the same way you have someone who's just been involved for a long time. And it takes a lot of discipline to kind of write it all down. Because, you know, as Richard said, even he's kind of, you know, having to really think about doing that even now that we have a more transparent process. So I think it's a common group challenge, and of course, documentation is usually always, like, lagging, right? But, you know, it's good to refresh that and think about that again, and, you know, we've done the same thing at SPDX. Our documentation is not great. And when I start thinking about, okay, a package maintainer who is new to SPDX comes in, like, can I point them to something that clearly and consistently explains what the process is? You know, that's always a good improvement.

Matthew Miller: I want to also clarify for anybody watching: Tom Callaway is not dead. He's still around.

Jilayne Lovejoy: Yeah.

Matthew Miller: We sounded like we're giving eulogies here. He just went to work for Amazon on open source community stuff there, and he's very busy. He is still active in Fedora. Yeah.

Jilayne Lovejoy: Yeah.

David Cantrell: Yes. Thank you. Matthew.

Jilayne Lovejoy: Yeah, and I think... Oh no, I think I was actually going to say something along those lines, but that's more extreme than I was thinking. I think we were all a bit self-conscious of, like, oh gosh, you know, what's Tom thinking during all this? Like, are we... And, you know, so, unfortunately, David and I did a presentation about this whole process, in the early days of it, at All Things Open in Raleigh in October, and Tom was there. And we all went and had a beer, which was lovely, and, you know, he was very supportive, and of course, you know, he was Tom, and we had a nice time chatting and joking about the whole thing.

00:40:00

David Cantrell: Yeah. Now in fact, I think there are a few instances... reset.

Jilayne Lovejoy: So he's not hating us for doing this.

David Cantrell: It seems like you're solving a lot of long-standing concerns and questions I had, you know, that were just kind of back-burner issues, which was nice. But yes, he was very supportive of everything we were doing and moving Fedora presentation. But you'll see, if you go to the legal documentation site, we did not carry over the compatibility table for GPL licenses. And yeah, Richard, that is a question that comes up from time to time from package maintainers, because that was kind of a long-established thing that we had in Fedora, and

David Cantrell: Our conversations about it have basically been around trying to figure out where that came from, you know, where that sort of, you know, concept, and maybe fear, of using something with licenses that weren't GPL-compatible, where did it come from? And that led down this whole path of me digging up old emails about questions about GPL, GPLv3 and v2 and things like that. And Richard, I can't remember if we ever actually conclusively found where it started. We just sort of maybe theorized that it was

David Cantrell: Around the drafting of GPLv3, and that the notion of license compatibility was a concern. But now, going forward, is that something that we need to think about in the same way?

Richard Fontana: Oh yeah, I mean, I don't know how far back Tom Callaway was making an attempt to

Richard Fontana: Sort of notate judgments about GPL compatibility. It may have actually been earlier than GPLv3. The issue is, you know... So Florian Weimer said, on I think the Fedora... GPL compatibility, by the way, there's also issues of compatibility with non-GPL licenses at Fedora,

Richard Fontana: That's a fair comment. I don't think Fedora... You disagree.

Matthew Miller: So, I think we did sometimes. Like, there's some things with, like, readline in particular, I remember people being very careful about that and making sure that, you know, if it wasn't GPL-compatible, you didn't link it with readline, that sort of thing. I think I at least used it for that kind of thing, I don't know, but I don't think we were consistent. I think that's fair to say.

David Cantrell: We weren't consistent, and it was, like you said, mostly a self-policing thing. Like, we saw this chart, we have to follow these rules, kind of thing.

Richard Fontana: Yeah, I mean, my views on this topic were actually shaped in part by working on these Fedora license compatibility issues. When they came up, we would always find a reason to explain why the general rule didn't apply in a given case. So the exception always canceled out the rule. And I think that we found that there was a big divide between sort of FOSS community... that I don't have to describe, like, FOSS community doctrine, sort of removed from practical day-to-day issues of software development, and what software developers, what project maintainers actually do in terms of, like, what

Richard Fontana: Code under what licenses they introduce into their projects, or what licenses of dependencies they use. There was a big divide, and this is a whole kind of big topic I've been obsessed with for a while, as Jilayne knows. But I think the picture that Fedora... license incompatibility problem at all. And we still say... we actually have some documentation about this now, because someone raised it on the Fedora

00:45:00

David Cantrell: And the reason I brought that up is I wanted to reiterate that the License tag in the spec file is enumerating all of the license identifiers that appear in code and content that goes into the binary RPMs. What we didn't mention in the presentation was that there's no effective-license computation. We don't... like, package...

Matthew Miller: Right.

David Cantrell: maintainers should not be saying, like, oh well, that's some BSD code and that's some GPL code, that means my package is GPL. They're not packaging...

Matthew Miller: That's…

David Cantrell: Maintainers are... that is a big change.

Matthew Miller: that's a big change.

Richard Fontana: Well, I don't,…

David Cantrell: Because we used to kind of roll that in...

Richard Fontana: I don't agree. It's a shame. It's...

David Cantrell: But it's a change from the practice of a lot of package maintainers. Yes.

Richard Fontana: That is accurate. Yeah, so there was an inconsistent... one of the reasons why we have this rule. So I would contend that it was the old rule. As I understood it, maybe I misunderstood, at least how some people were interpreting it. I think that some of the documentation expressed this as the old rule, and the problem is that package maintainers were applying it inconsistently from package to package. And so we had some people applying this effective-license rule, each person basically interpreting the GPL on their own. And so the goal of having kind of a uniform

Richard Fontana: Uh, sort of system that is going to be consistent from package to package was not being realized. And that's one of the advantages of moving to SPDX, is that you have the potential of having a uniform, standard system of license description. But if everyone is kind of interpreting licensing in ways that sort of allow you to remove certain licenses, in different ways, from package to package, that advantage is going to be lost. So yeah.

David Cantrell: Yes. Yeah.

David Cantrell: just,

Matthew Miller: Often there is a license, or a license statement, or something in its own way, that at least needs to be looked at, like, what...

David Cantrell: Yes.

Matthew Miller: what is it? Is this meant to... does it act like a license? I don't know. So, when you see something like that, we should bring that as a possible thing as...

David Cantrell: So it's, it's

Matthew Miller: So that can get looked at by the people who know what they're talking about. Jilayne is just making faces at my statements. So

Jilayne Lovejoy: No, no. I mean Well,…

Richard Fontana: But this is another case…

Jilayne Lovejoy: it's a great point.

Richard Fontana: where it's really not a change. So there was a Callaway public domain identifier, a name; maybe it wasn't used consistently from back...

Matthew Miller: Right. I think Generally,…

Richard Fontana: It's just like as we were just talking about

Matthew Miller: if something was GPL with some public domain things in there, no one would bother to list GPL and Public Domain. They would just list GPL.

Richard Fontana: That's probably,…

Matthew Miller: I can't think of a case.

Richard Fontana: that's probably true. Yeah.

David Cantrell: Yeah. but we have,

Matthew Miller: Yeah. So that's that. Yeah.

Jilayne Lovejoy: But there's a lot of packages that do use that "Public Domain" kind of old name, and I think what you probably said, without maybe even realizing it, Matthew, is that... I've noticed, in my many years of dealing with looking at licenses and license-type information in source files, sometimes something sort of purports to be public domain, but it's really a license. And so, you know, because of using just a kind of short name without really describing the rules around when it was used, or, you know, it being a little bit loose, um, those things need to be looked at, because maybe they're not really a public domain dedication. Maybe it's actually a license, or maybe it is. Now, in an interesting, kind of potentially come-full-circle scenario, what we have been doing is

Jilayne Lovejoy: we've actually been investigating those, and, like, go look at it, figure out what it is, and then submit it in GitLab, and we've been sort of collecting those in one text file and telling people to use a LicenseRef. LicenseRef is an SPDX specification designation for licenses, or license-type stuff, that's not on the SPDX license list, because there's no way the license list can accommodate everything that's found in software. And the reason that we did that is I kind of anticipated that, like, we don't really know how many of these things we'll find and what they look like. And if we just submit them to SPDX one by one, it doesn't really give a full picture of the scenario. So, like, maybe there aren't that many, or maybe there's like a hundred variations that say kind of the same thing, and so I wanted to say, like, let's just kind of do... It's a little bit of a potential, you know, possibly a

00:50:00

Jilayne Lovejoy: You know, interim fix that we might have to go back and change later, but if we collect, like, all these things that look like a public domain... you know, a simple public domain dedication is what we kind of presume it would have been under the Callaway system, and then we say, hey, look, SPDX, going through, you know, this Linux distro, Fedora.

Matthew Miller: So our LicenseRef right now is one single LicenseRef that goes to a text file. So if I find a dedication, I get that added to the collected file and don't need to come up with a new LicenseRef for each one. That seems very sensible. It's

Jilayne Lovejoy: Exactly.

Richard Fontana: Rest.

Jilayne Lovejoy: Yeah. And, you know, it's possible that SPDX will look at that and say, yeah, maybe we'll adopt something like that for these. And there's also some, like, "ultra," we call it. We have another similar thing we're dealing with, ultra-permissive licenses, where it's just, like, a one-liner with no license conditions or anything. And just again, we don't know how many things like that are out there, and maybe SPDX will say, you know what, we are going to create, like, ironically, a bit of a category ID. I mean, I'm not predicting the future, big caveat, disclaimer, but it's defined as meaning one of these defined things, right? Like, it's not helpful to just have some undefined thing that people have to figure out what it means. Right? But, like, I think the past

Matthew Miller: Yeah, and a lot of these things are like... I came across one that said, "This is public domain. Do not copyright this code." Which, what does that mean? I don't... Engineers shouldn't be writing statements like that. I'm gonna say it's a blanket thing because it's hard, hard.

Richard Fontana: Lawyers are bad at writing licenses too.

Matthew Miller: Yeah, okay.

Jilayne Lovejoy: Yeah.

Matthew Miller: No, no one should write any of these things, stop it. Everything's terrible. We ended up with that piece of software just changing it to an existing, very permissive license that

Matthew Miller: Back instruments.

Jilayne Lovejoy: Yeah, well, the problem is, even when you change a license,...

Matthew Miller: Happy to do that.

Jilayne Lovejoy: the old versions probably exist with that other line.

Matthew Miller: Okay. Yeah.

Jilayne Lovejoy: But I mean, for Fedora licensing, like, great, you know, like, pretend those old ones don't exist.

Matthew Miller: Yep. Yeah, that's a thing for Fedora.

Jilayne Lovejoy: But yeah,

Matthew Miller: David had to leave already?

Jilayne Lovejoy: yeah.

Matthew Miller: Anybody have any final thoughts or questions here?

Matthew Miller: Okay. Well, thank you again very much. This was great. Thank you for all this work and ongoing work, and for explaining it. It's very nice. Next month we are having a Fedora Linux release rather than having one of these meetings, so I think we will not have a video meeting. Is that correct, Ben?

Ben Cotton: Well, so we had sort of preemptively canceled it, but the release party's going to be a little later than normal. So it,...

Matthew Miller: Okay.

Ben Cotton: we might actually decide we want to do it in May and skip the June meeting. So that's something for us to figure out later on. So stay tuned to discussion.fedoraproject.org to find out.

Matthew Miller: Sounds good. Alright, goodbye everybody.