From Fedora Project Wiki
(Redirected from Packaging/Minutes20070807)
Fedora Packaging Committee Meeting of {2007-08-07}
Present
- JasonTibbitts (
tibbs
) - JesseKeating (
f13
) - RalfCorsepius (
racor
) - TomCallaway (
spot
) - ToshioKuratomi (
abadger1999
)
Writeups
The following drafts have been accepted by FESCO and are to be written into the guidelines:
- The license tag refinements requested by the board:
- http://fedoraproject.org/wiki/PackagingDrafts/LicenseTag
- Dynamic user and group creation policy:
- http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups
Votes
There were no votes this week.
Other Discussions
The following additional items were discussed; see the logs for full details.
- Clarifying what the License: tag refers to (source or resulting binary):
- http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification
- There was plenty of interesting discussion here; it's a delicate issue but the current tendency is to let License: refer to the license on the source packages.
IRC Logs
[12:03:43] * abadger1999 yawns and looks around [12:03:49] Quit bpepple|lt has left this server ("Ex-Chat"). [12:03:53] * spot is here [12:04:49] <spot> anyone else? :) [12:05:13] * jeremy is here, but is just rabble :) [12:05:58] <racor> i am here but probably don't have more than 10 mins. [12:06:21] * tibbs here [12:06:26] Quit JSchmitt has left this server (Client Quit). [12:06:38] <spot> f13: i know you're here. wakey wakey [12:06:59] <tibbs> Do we have anything to cover other than writeups? [12:07:03] <spot> http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification [12:07:08] <spot> thats the only item [12:07:12] <f13> spot: yeah yeah [12:07:22] <f13> wondering why my workstation didn't return after I got back. [12:07:26] <spot> ville's already given it a +1 [12:07:37] <tibbs> I dislike that quite a bit, actually. [12:07:46] <spot> okay... why? [12:08:14] <tibbs> Because it's then rather difficult to figure out what the proper license tag value is. [12:08:46] <tibbs> Instead of looking at the source and determining the license tag, you have to understand how all of the dependencies combine. [12:09:13] <jwb> why? [12:09:36] <spot> jwb: say, the code of a package is under GPL or BSD [12:09:41] <spot> but it links to a GPL lib [12:09:51] <spot> then, the work is GPL, theres no way it can be BSD [12:10:41] <tibbs> And then you get to define "linking". What if I depend on one perl module which is GPLv2+ but this module is "GPL+ or Artistic". [12:10:45] <tibbs> What's the resulting license? [12:11:03] <tibbs> Does it depend on whether the package is noarch or not? [12:11:11] <spot> i'm not sure. i need to talk to RH legal and see what they think on that. [12:11:13] <jwb> spot, so taking that same example, say a BSD licensed equivalent library comes along and you link against that. now you have to change the spec to BSD? [12:11:26] <jwb> i think it's a bit over-reaching [12:11:28] <spot> jwb: no, because BSD is compatible with either [12:11:30] <jwb> but i'm rabble [12:11:51] <tibbs> And then we get upstreams saying "Fedora lies about the license of my software." [12:11:53] <spot> GPL is a rather special case. [12:12:05] <jwb> i don't see why such a package could not be labled as "GPL or BSD" [12:12:36] <abadger1999> jwb, spot: But if the example package was Public Domain, for instance, it would flip flop between GPL and Public Domain depending on the library it linked to. [12:12:39] <tibbs> The real issue is that I don't want a degree in IP law to become a prerequisite for reviewing packages. [12:13:00] <spot> abadger1999: yes. [12:13:13] <spot> ok, i withdraw the draft. i see the problem. [12:13:33] <abadger1999> Do we need to clarify that we are looking at the source licenses, though? [12:14:01] <spot> source licenses of the delivered works [12:14:13] <spot> not necessarily all of the source licenses [12:14:30] <spot> lots of upstream apps include code under licenses we don't end up packaging in the binary RPMS [12:14:55] <tibbs> In any case, wasn't the idea of making the license tags uniform and machine-parseable was so that something could actually derive the resulting binary licenses? [12:15:18] <spot> tibbs: *nod* [12:16:06] <abadger1999> "Damn it Jim, I'm a computer, not a lawyer." :-) [12:16:15] <jwb> heh [12:16:38] <spot> I think "source licenses of the delivered works" is the closest to the truth here. [12:16:39] <tibbs> I really don't know what to do here. The idea that spot was proposing is very valid. [12:17:01] <tibbs> But the complexity is unpleasant. [12:17:22] <jwb> and (sorry) unmanagable [12:17:23] <abadger1999> spot: I would go for that. [12:17:33] <spot> hopefully, it is a one time pain per package. [12:17:37] <tibbs> Is anyone in the distro universe paying attention to things at this level? [12:17:48] <jwb> debian i think [12:17:53] <spot> mandriva is watching us very closely. [12:18:05] <tibbs> spot: The problem is that one change can cascade through a whole set of packages. [12:18:07] <spot> debian is similar to us [12:19:10] <tibbs> Deriving licenses from buildrequires isn't useful in general, I guess. [12:19:20] <tibbs> Is it possible to do it from runtime dependencies? [12:19:42] <spot> theoretically. [12:19:50] <tibbs> I guess not, because we have no way to quantify what links against something versus using it in some other way. [12:19:56] <spot> you'd have to cascade all the way down [12:20:58] <tibbs> I simply don't understand how "linking" is defined for interpreted code, either. [12:21:01] <abadger1999> But you run into corner cases where package foo contains /usr/lib/libfoo under LGPL and /usr/bin/foo-tiny-util under GPL so you need a human or a file by file tag. [12:21:42] <tibbs> We already flag complex licenses with "and", [12:21:57] <tibbs> so if doing a full review you'd know you needed to inspect more closely. [12:22:07] <spot> tibbs: i need to talk to RH Legal and see what they define as linking [12:22:38] <tibbs> But you'd still require manual inspection to determine "use" versus "linking", regardless of the definition of linking. [12:22:47] <abadger1999> I'm just saying that automated derivation from runtime dependencies would have issues on those licenses. [12:22:47] <spot> http://fedoraproject.org/wiki/PackagingDrafts/LicenseClarification [12:22:51] <spot> thats a rewording [12:23:46] <tibbs> Frankly I don't know which version we want. [12:23:48] <jwb> sane, but confusing [12:23:52] <racor> you'll have to distinguish run-time licenses, licenses of source files being used and licenses of sources files inside of a source tarball. All can be different. [12:23:53] <spot> http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation [12:24:28] <spot> (short answer: they don't know either) [12:25:28] <spot> racor: i think "licenses of source files being used" is the closest to what we want [12:25:33] <tibbs> I think we'd be safe with "License: is the source license" until we and the rest of the world understands the issues more thoroughly. [12:26:32] <spot> tibbs: just: "The value of the License tag represents the copyright/license info of the source code of the delivered works only." [12:26:36] <spot> ? [12:27:16] <racor> spot: But you have been banning unused sources from tarballs, in the past [12:27:48] <spot> racor: yes, but that's never been documented policy [12:28:05] <tibbs> Well, if we can't legally distribute the srpm then we don't really have much choice. [12:28:19] <spot> and its not so much banning unused sources as getting people to remove code that is under proprietary licenses [12:28:25] <spot> which we can't distribute [12:28:39] <spot> the fact that it is unused makes it possible to remove [12:28:43] <racor> spot: which is not a legal issue, but a religious one. [12:28:52] <spot> no, it is a legal issue. [12:29:02] <spot> if we don't have permission to redistribute, it can't go in the SRPM [12:29:34] <racor> "non-free" is a religious issue. [12:29:49] * spot wonders where he said "non-free" in that [12:29:59] <abadger1999> Right. This is more along the lines of, foo includes a copy of zlib but we use the system zlib. Do not list the license of zlib. [12:30:07] <spot> exactly. [12:30:41] <spot> ntp includes a copy of ElectricFence, but we don't list GPLv2+ there [12:30:52] <spot> because it doesn't use it at all [12:31:03] * jwb scratches head [12:31:15] <spot> jwb: don't look too closely at ntp or you will go blind [12:31:41] <jwb> aside: are we asking upstream wtf they are doing in cases like that? [12:31:59] <spot> in all the cases that have been brought to me so far, absolutely [12:32:09] <spot> several upstreams have already cleaned up their act [12:32:59] <racor> jwb: You can ask, but often they can't change the license, ... [12:33:27] <jwb> i wasn't talking about the license [12:33:34] <jwb> but it was an aside, so move on :) [12:34:08] <racor> sorry, my time's up, I've got to go ... [12:34:26] <spot> ok, with racor gone, we don't have quorum anymore [12:35:21] <spot> we could leave the licensing as is, and let the packagers and the fedora licensing team (aka me) come to an agreement [12:35:48] <spot> since its not legally binding, it is only included as a useful baseline for auditing [12:36:15] <abadger1999> I think it's valid to clarify this. [12:36:42] <tibbs> I as well, but only after we've had some of the grey areas cleaned up. [12:36:54] <spot> ok, lets highlight the grey areas [12:36:57] <tibbs> Because right now we don't fully understand the implications of such a change. [12:37:03] <spot> so i can make sure i hit them all with the lawyers [12:37:33] <tibbs> Well "define linking", especially in regards to interpreted languages. [12:38:00] <spot> yup, got that one [12:38:15] <tibbs> Also, if Artistic is a bad license, why do we still list it? [12:38:32] <tibbs> (I note that rpmlint kicked "Artistic" back at me today.) [12:39:39] <tibbs> Also, are we supposed to be blocking package reviews that don't have proper license tags now? [12:40:26] <spot> yep. [12:40:37] <spot> (on the last one, as its in the reviewguidelines now) [12:41:21] <tibbs> My real concerns about not understanding the implications of today's proposal aren't really legal, though. [12:41:40] <spot> So, the question is: [12:41:57] <spot> does the License: tag refer to the final, derived license for the bits in the binary rpm [12:42:01] <spot> ? [12:42:19] <tibbs> Yes, that's the fundamental issue as I see it. [12:42:46] <abadger1999> tibbs: +1. The nightmare is more about determining what license is in effect at review time and keeping it updated as changes to other packages take place. [12:42:48] <spot> And, what I'm hearing is that it should not be, because figuring that out is too much of a burden on the packager in complicated cases. [12:43:20] <tibbs> Well, I'm ambivalent. [12:44:15] <tibbs> It would be a massive pain, and there is at least one complicated legal question that has bearing on a couple thousand packages. [12:44:29] <tibbs> But it also makes plenty of sense. [12:44:32] <tibbs> SO I don't know. [12:44:42] <spot> fwiw, all of the packagers emailing me for clarification have been assuming that the License tag does refer to the derived license of the bits in the binary rpm [12:44:56] <abadger1999> I think it depends on which audience we're addressing. [12:45:38] <abadger1999> Developers looking for code to use in their projects care about source licenses. Distros care about binary bits. [12:46:27] <tibbs> Maybe we just need to bite the bullet and provide different tags for different uses. [12:46:46] <tibbs> Have License: remain as is and add a DerivedLicense: tag. [12:47:17] <tibbs> which could be optional, indicating that nobody has done a full license review yet. [12:47:24] <spot> well... [12:47:37] <spot> i think that developers looking for code to use will be using source to determine this [12:47:38] <abadger1999> Developers who are using libraries (not looking to grab code) care about all the possible licenses of the binary bits. [12:48:09] <spot> abadger1999: but we don't want to confuse them into thinking that something in Fedora is ok to link to as BSD when its GPL as built. [12:48:17] <abadger1999> whereas the distro cares about one license that may trump all the others. [12:48:34] <spot> the License tag is for the distro to do auditing [12:48:43] <spot> it is not in any way legally binding [12:48:43] <abadger1999> spot: But from a developer perspective it is BSD. [12:48:58] <abadger1999> Even if it means they include their own copy of the library :-( [12:49:02] <spot> developers will need to look at the license and decide it for themselves [12:49:19] <spot> if rpm let us differentiate "SourceLicense" and "License", then... maybe. [12:50:18] <spot> lemme talk to Panu and see what he thinks about this [12:51:02] <abadger1999> So, since it's for us to do auditing, I think we actually do care about the most complicated case: end result considering linking. [12:51:57] * spot nods [12:52:31] <abadger1999> Here's another legal grey area raised on list: if foo provides libfoo.so.1 under GPL and bar provides libfoo.so.1 under BSD, how do we decide what the license of foo-util is? [12:52:56] <spot> the same library, with the same filename? [12:53:07] <spot> just a different license? [12:53:21] <spot> I suppose it would be whichever was in the BR for that package [12:53:23] <abadger1999> spot drop in replacements of each other under different license. [12:53:35] <abadger1999> But it shouldn't matter. [12:53:40] <abadger1999> It's a runtime issue, yes? [12:53:50] <spot> abadger1999: only if it dlopens the .so [12:54:08] <spot> if it actually links to the headers of one... [12:54:23] <spot> which is almost always how libraries link in. you've got to know what to call. :) [12:55:09] <abadger1999> spot: Okay -- but then if I BR the BSd one but on my system I have the GPL library installed, the BSD license still takes effect? [12:55:14] <spot> abadger1999: yes [12:55:19] <spot> because you didn't link to GPL code [12:55:34] <spot> the fact that the GPL has the exact same api is a pleasant coincidence [12:55:38] <spot> but not your intention. [12:55:39] <abadger1999> So all I need to do to work around the GPL on readline is reimplement the headers and enough of a stub to compile and link? [12:55:46] <spot> abadger1999: technically, yes. [12:55:59] <spot> but you'd likely need to never have looked at the GPL code [12:56:24] <abadger1999> But I could look at the documentation for readline. [12:56:24] <spot> do it entirely cleanroom [12:56:29] <spot> absolutely [12:56:47] <spot> as long as it didn't include GPL code in the docs [12:57:38] <spot> this is why the license is only wholly binding when it is in the code files itself [13:01:09] <spot> since we don't have quorum, we're done for now. [13:01:14] <spot> we can revisit this later. :) [13:01:17] <spot> thanks all. [13:01:34] <abadger1999> thanks spot. I'm glad I'm not a lawyer :-) [13:01:56] <spot> me too. i just play one on tv.