From Fedora Project Wiki
(Created page with "{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}} <!-- The...")
 
Line 55: Line 55:
== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
This is follow up of [SPDX_Licenses_Phase_1 Phase 1]. During this phase all remaining packages should be migrated to SPDX license identifier. If the migration is not possible (e.g. needs clarification from legal) then Bugzilla issue has to be created.
This is follow up of [[SPDX_Licenses_Phase_1|Phase 1]]. During this phase, all remaining packages should be migrated to the SPDX license identifier. If the migration is not possible (e.g. needs clarification from legal), then a Bugzilla issue has to be created.


== Feedback ==
== Feedback ==

Revision as of 07:31, 12 May 2022

Idea.png
Guidance
For details on how to fill out this form, see the documentation.


SPDX License Phase 2

Summary

Second phase of transition from Fedora's short name of licenses to standardized SPDX license formula.


Owner

  • Email: msuchy@redhat.com, dcantrell@redhat.com, jlovejoy@redhat.com, ngompa13@gmail.com, rfontana@redhat.com


Current status

  • Targeted release: Fedora Linux 39
  • Last updated: 2022-05-12
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

This is follow up of Phase 1. During this phase, all remaining packages should be migrated to the SPDX license identifier. If the migration is not possible (e.g. needs clarification from legal), then a Bugzilla issue has to be created.

Feedback

Ancient feedback from SPDX organization.

Summary from fedora-legal mailing list: we want this to happen, but this is big scope and likely will happen over more than one release.

Summary from packaging-committee:

  • [1]: older PR to change packaging guidelines
  • [2]: present PR that needs more updating

Summary from devel-list: TBD

Benefit to Fedora

The use of a standardized identifier for license will align Fedora with other distributions. And allows efficient and reliable identification of licenses.

Scope

  • Proposal owners (things sorted by done/todo and by priorities):
    • Identify all remaining packages.
    • Notify owners of these packages.
    • After a grace period, submit PR to package where the transition is easy.
    • Create tracking BZ for packages with unclear transition path
    • Submit BZ for packages which cannot migrate in time.
  • Other developers:

Early adopters can migrate their License tag to the SPDX identifiers. Proposal owners will gather feedback and will work on potential problems.

    • migrate the License tag from short name to SPDX expression.
  • Policies and guidelines: Licensing page, packaging guidelines has to be altered.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

License strings are not used anything in run time. This change will not affect the upgrade or runtime of Fedora.

During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives. And we have to define a date where we flip these tools from old Fedora's short names to the SPDX formula.

How To Test

Users should not need any testing. These steps are for package maintainers:

  • Fetch your license string from License tag in SPEC file.
  • Test that your current Fedora's short name is correct. E.g.
   $ license-validate -v 'MIT or GPLv1'
   Approved license
  • Convert license string to SPDX formula:
   $ license-fedora2spdx 'MIT or GPLv1'
   Warning: more options how to interpret MIT. Possible options: ['Adobe-Glyph', 'MIT-CMU', 'MIT-CMU', 'HPND', 'HPND', 'no-spdx-yet (MIT license (also X11))', 'SGI-B-2.0', 'SGI-B-2.0', 'SMLNJ', 'MIT-enna', 'MIT-feh', 'mpich2']
   mpich2 or GPL-1.0-only

In this example, the short name GPLv1 can be converted straight to GPL-1.0-only. But short name MIT stands for several licenses with different SPDX identifiers. You have to examine what license is package actually using. license-fedora2spdx will try to convert the formula and use one of the options but without any heuristics. You need to manually review the license.

You can check if SPDX formula is correct using:

 $ license-validate -v --file FIXME "MIT-CMU or GPL-1.0-only"

User Experience

Users should be able to use standard software tools that audit licenses. E.g. for Software Bills of Materials.

Dependencies

No other dependencies.

Contingency Plan

  • Contingency mechanism: There will be no way back. We either rollback in Phase 1. Once we will start Phase 2 we will be beyond of point with no return.
  • Contingency deadline: Beta freeze. But it is expected that not all packages will be converted by that time and the change will continue in the next release.
  • Blocks release? No. This change has no impact on runtime of any package.

Documentation

N/A (not a System Wide Change)

Release Notes