From Fedora Project Wiki
No edit summary
No edit summary
Line 55: Line 55:
== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
This is follow-up of [[Changes/SPDX_Licenses_Phase_1|Phase 1]]. During this phase, all remaining packages should be migrated to use SPDX license identifiers in the License: field of the package spec file. If the migration is not possible (e.g. needs clarification from legal), then a Bugzilla issue has to be created.
This is follow-up of [[Changes/SPDX_Licenses_Phase_1|Phase 1]]. During this phase, all remaining packages should be migrated to use SPDX license identifiers in the License: field of the package spec file.  
 
Options for how to best migrate still need to be specified in terms of how much automation can be applied versus taking this as an opportunity as a more thorough license review. Some initial guidance and identification of challenges has been identified at [https://docs.fedoraproject.org/en-US/legal/update-existing-packages/|Updating Existing Packages] but more details are needed, especially in regard to Fedora "category" short names.
 
If the migration is not possible (e.g. needs clarification from legal), then a Bugzilla issue has to be created.


== Feedback ==
== Feedback ==
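Review bot: The external link in the added second paragraph puts a pipe between the URL and its label (<code>.../update-existing-packages/|Updating Existing Packages]</code>). MediaWiki external links separate URL and label with a space, so the pipe and "Updating" are read as part of the URL, and the link text comes out as "Existing Packages", as the rendered revision further down shows. Suggest <code>[https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ Updating Existing Packages]</code>. While here, "identification of challenges has been identified" in the same sentence repeats itself and could be tightened.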
Line 61: Line 65:


See [[Changes/SPDX_Licenses_Phase_1#Feedback|feedback section of Phase 1]]
See [[Changes/SPDX_Licenses_Phase_1#Feedback|feedback section of Phase 1]]
Discussions on mailing list:
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/EXGT34EJPG3G4FJZ4R2SRAI342QDHFOF/|SPDX Statistics]
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/NZIFT62REORSNS6MMES446PMCOOSEPSA/|SPDX Change Update]
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3TGCSROJTSX5PXZLKOHCOMVIBTZDORNS/|SPDX - How to handle MIT and BSD]
Challenges:
* license-fedora2spdx tool uses mapping of Fedora shortnames to SPDX ids using the [https://gitlab.com/fedora/legal/fedora-license-data/-/tree/main|fedora-license-data] to suggest SPDX ids. Where there is a one-to-one mapping, the package maintainer could simply update the License field: and move on.
* for many packages, the use of Fedora shortnames that represent multiple licenses, further inspection will be needed. Currently, Fedora documentation provide sparse advice on how to do this inspection and thus, a range of methods are used.


== Benefit to Fedora ==
== Benefit to Fedora ==
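Review bot: The four external links added in this hunk (the three mailing list threads and the fedora-license-data link in the first Challenges bullet) all use <code>|</code> instead of a space before the label, so none of them renders with its intended text. The fedora-license-data link contains no space at all and appears as a bare "[1]" in the rendered revision. Replace the pipe with a space in each, e.g. <code>[https://gitlab.com/fedora/legal/fedora-license-data/-/tree/main fedora-license-data]</code>. In the same bullet, "License field:" should read "License: field" to match the wording used elsewhere on the page.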
Line 93: Line 106:


== Scope ==
== Scope ==
* Prep work:
** poll package maintainers on methods and tools used for license inspection
** create additional guidance (using info from above)
** planning/brainstorming on most efficient way to update packages, especially those that do not have one-to-one identifier update and will need closer inspection
* Proposal owners (things sorted by done/todo and by priorities):
* Proposal owners (things sorted by done/todo and by priorities):
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->

Revision as of 17:27, 18 November 2022



SPDX License Phase 2

Summary

Second phase of transition from using Fedora's short name for licenses to SPDX identifiers in the License: field of Fedora package spec files. This phase addresses how to update the License: field for existing packages, including documenting more specific guidance on how to find licenses in a package.


Owner

  • Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com, rfontana@redhat.com


Current status

  • Targeted release: Fedora Linux 39
  • Last updated: 2022-11-18
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

This is a follow-up to Phase 1. During this phase, all remaining packages should be migrated to use SPDX license identifiers in the License: field of the package spec file.

Options for how best to migrate still need to be specified, in terms of how much automation can be applied versus taking this as an opportunity for a more thorough license review. Some initial guidance and challenges have been identified at Updating Existing Packages (https://docs.fedoraproject.org/en-US/legal/update-existing-packages/), but more details are needed, especially in regard to Fedora "category" short names.

If the migration is not possible (e.g. needs clarification from legal), then a Bugzilla issue has to be created.

Feedback

See feedback section of Phase 1

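Discussions on mailing list:

  • SPDX Statistics: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/EXGT34EJPG3G4FJZ4R2SRAI342QDHFOF/
  • SPDX Change Update: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/NZIFT62REORSNS6MMES446PMCOOSEPSA/
  • SPDX - How to handle MIT and BSD: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3TGCSROJTSX5PXZLKOHCOMVIBTZDORNS/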

Challenges:

  • The license-fedora2spdx tool suggests SPDX ids using the mapping of Fedora shortnames to SPDX ids in fedora-license-data (https://gitlab.com/fedora/legal/fedora-license-data/-/tree/main). Where there is a one-to-one mapping, the package maintainer could simply update the License: field and move on.
  • For many packages that use Fedora shortnames representing multiple licenses, further inspection will be needed. Currently, Fedora documentation provides sparse advice on how to do this inspection, and thus a range of methods are used.

Benefit to Fedora

The use of a standardized identifier for licenses will align Fedora with other distributions and allow efficient and reliable identification of licenses. Depending on the level of diligence done in this transition, Fedora could be positioned as a leader and contributor to better license info upstream (of Fedora).

Scope

  • Prep work:
    • poll package maintainers on methods and tools used for license inspection
    • create additional guidance (using info from above)
    • planning/brainstorming on most efficient way to update packages, especially those that do not have one-to-one identifier update and will need closer inspection
  • Proposal owners (things sorted by done/todo and by priorities):
    • Identify all remaining packages.
    • Notify owners of these packages.
    • After a grace period, submit PR to a package where the transition is easy.
    • Create tracking BZ for packages with unclear transition path
    • Submit BZ for packages that cannot migrate in time.

Owners will start doing this after Fedora 38 branching, i.e. after 2023-02-07.

  • Other developers:
    • All packages (during the package review) should use the SPDX expression.
    • Migrate the existing License tag from a short name to an SPDX expression.
  • Policies and guidelines: The Licensing page and packaging guidelines have to be altered.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

License strings are not used for anything at run time. This change will not affect the upgrade or runtime of Fedora.

During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives. We have to define a date when we flip these tools from Fedora's old short names to the SPDX formula.

How To Test

See How to test section of Phase 1

User Experience

Users should be able to use standard software tools that audit licenses, e.g. for Software Bills of Materials.

Dependencies

No other dependencies.

Contingency Plan

  • Contingency mechanism: There will be no way back. We either roll back in Phase 1, or, once we start Phase 2, we will be beyond the point of no return.
  • Contingency deadline: Beta freeze. But it is expected that not all packages will be converted by that time and the change will continue in the next release.
  • Blocks release? No. This change has no impact on runtime of any package.

Documentation

N/A (not a System Wide Change)

Release Notes