legal

legal@lists.fedoraproject.org

1364 discussions

Retiring celestia due to licensing issues
by Mattia Verga 26 Mar '24

26 Mar '24

As announced in [1] the message on devel list, I have retired celestia and celestia-data due to some files have been discovered to be covered under CC-BY-NC-SA-3.0 (plus some other are still waiting for a full check by upstream). I wonder if I need to ask fedora-infra to remove all the sources from the lookaside cache? Mattia [1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…

2 1

Redis will no longer be OSS... now what?
by Neal Gompa 21 Mar '24

21 Mar '24

Hey everyone, It looks like Redis, Inc. has announced that future versions of Redis are no longer OSS and will be dual-licensed SSPL and RSAL[1]. Absent a fork of Redis coming up, we will likely need to remove Redis from Fedora. All I can say is... :( [1]: https://redis.com/blog/redis-adopts-dual-source-available-licensing/ -- 真実はいつも一つ！/ Always, there's only one truth!

4 3

Re: Redis will no longer be OSS... now what?
by Neal Gompa 20 Mar '24

20 Mar '24

On Wed, Mar 20, 2024 at 6:26 PM Jonathan Wright via devel <devel(a)lists.fedoraproject.org> wrote: > > We can potentially look to https://github.com/Snapchat/KeyDB which I've been loosely working on packaging anyway. > I'll want to test this for Pagure at least, since we're going to have to switch our recommendations around soon because of this. -- 真実はいつも一つ！/ Always, there's only one truth!

1 0

Fwd: SPDX Statistics - Book Smugglers edition
by Miroslav Suchý 16 Mar '24

16 Mar '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Book Smugglers edition Datum: Sat, 16 Mar 2024 11:03:00 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: The last phase has been announce https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4 and we will proceed when approved with FESCO. RC2 of SPDX <https://rodina-sucha.cz/tags/SPDX> v.3 specification has been published. https://spdx.github.io/spdx-spec/v3.0/ <https://spdx.github.io/spdx-spec/v3.0/><https://spdx.github.io/spdx-spec/v3.0/>. Two weeks ago we had: > * 23786spec files in Fedora > > * 30396license tags in all spec files > > * 11182 tags have not been converted to SPDX yet > > * 5044 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 63,21% ░░░░░░████ 100% > > ELN subset: > > 112 out of 2411 packages are not converted yet (progress 95.35%) > Today we have: * 23821spec files in Fedora * 30463license tags in all spec files * 11091 tags have not been converted to SPDX yet * 4996 tags can be trivially converted using `license-fedora2spdx` * Progress: 63,59% ░░░░░░████ 100% ELN subset: 105 out of 2411 packages are not converted yet (progress 95.64%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. With: 1 new license (plus two public domain declarations). 16 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/ New projection when we will be finished is 2025-02-22 (+21 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why Book Smugglers? On this date, at 1846 was born Jurgis Bielinis who become successful book smugglers and even founded Garšviai Book Smuggling Society at the time of Lithuanian press ban. Bielinis is informally referred to as the King of Book Smugglers. Bielinis's birthday is commemorated as the Day of Book Smugglers. More reading about Lithuanian book smugglers: https://www.atlasobscura.com/articles/lithuanian-book-smugglers https://en.wikipedia.org/wiki/Jurgis_Bielinis (my favourite part is when he hid from police under his wife's skirt) Does it inspired you? You can become book smuggler even nowadays: https://wordsrated.com/global-book-banning-statistics/ Miroslav

1 0

Re: Trivy for licenses
by Maxwell G 05 Mar '24

05 Mar '24

On Tue Mar 5, 2024 at 04:06 +0000, Maxwell G wrote: > On Mon Mar 4, 2024 at 22:35 +0100, Sandro wrote: > > On 04-03-2024 07:59, Miroslav Suchý wrote: > > > It would welcome if anyone can help Robert here: > > > https://bugzilla.redhat.com/show_bug.cgi?id=2235055 > > > > I had a look and it seems the package is currently stuck on broken > > python-pymaven-patch, which requires python-lxml < 5~~. In rawhide and > > f40 python-lxml was updated to 5.1.0 two months ago. > > > > For about as long there has been a PR open for python-pymaven-patch > > removing that version constraint. Notably, the maintainer of > > python-pymaven-patch is the same person, who submitted the > > scancode-toolkit review request. > > > > There may be more trouble down the road. But for the moment, I don't see > > how others can help driving this forward. A proven packager could merge > > the PR. But I don't know how eclipseo, who's a proven packager, would > > feel about that. > > Fixing FTI bugs that are unaddressed by a package's maintainer > definitely falls under the purview of a provenpackager. > I rebased the PR [1] and will merge it once CI passes. > > [1] https://src.fedoraproject.org/rpms/python-pymaven-patch/pull-request/1 It also looks like a bunch of the tests are failing and have been skipped. That's not super ideal. It looks like [1] has been open upstream for some time. I have not yet looked closely at the failures, but Philippe, if you have any pointers to give, that would certainly be helpful. [1] https://github.com/nexB/scancode-toolkit/issues/3496

1 0

Re: Trivy for licenses
by Maxwell G 05 Mar '24

05 Mar '24

On Mon Mar 4, 2024 at 07:59 +0100, Miroslav Suchý wrote: > Dne 03. 03. 24 v 20:22 Philippe Ombredanne napsal(a): > > > If you want robust license detection, consider using ScanCode [2] and > > Scancode.io [3] for more complex pipelines. Both are tools that I > > co-maintain and are considered as better tools for this. Do not > > hesitate to reach out for help! > > *nod* > > It would welcome if anyone can help Robert here: > https://bugzilla.redhat.com/show_bug.cgi?id=2235055 Robert has not been very responsive as of late. It might be a good idea for someone else to pick it up and start a new review ticket.

1 0

Trivy for licenses
by Maxwell G 05 Mar '24

05 Mar '24

Hi, Has anyone every used trivy [1] to scan for licenses? It appears more robust and better maintained than askalono-cli and can detect files with multiple licenses and licenses embedded in file headers. I have been running it with "trivy fs --scanners license --license-full ." [1] https://github.com/aquasecurity/trivy -- Maxwell G (@gotmax23) Pronouns: He/They

2 2

License check for pyuca
by Sandro 01 Mar '24

01 Mar '24

Hi, A while ago I opened issue #39[1] on GitLab. There have been some recent developments regarding the license. Upstream is welcoming a PR for fixing/clarifying the license situation. I have prepared a draft PR, but before I submit that for upstream to review and hopefully merge, I'd like someone from legal to go over my proposal and tell me if that PR would allow me to proceed with the package review of python-pyuca. More information can be found in the ticket, in particular my latest comment. [1] https://gitlab.com/fedora/legal/fedora-license-data/-/issues/379 Cheers, -- Sandro FAS: gui1ty Matrix: Penguinpee Elsewhere: [Pp]enguinpee

1 0

Fwd: SPDX Statistics - Beginning of the year edition
by Miroslav Suchý 01 Mar '24

01 Mar '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Beginning of the year edition Datum: Fri, 1 Mar 2024 09:27:48 +0100 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: fedora-license-data has Copr project https://copr.fedorainfracloud.org/coprs/g/osci/fedora-license-data where new package is built whenever new PR is merged The last phase is ready for wrangler https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4 and we will proceed when approved with FESCO. I corrected lots of SPDX formula where you used lowercase "and", "or". The specification allows only "AND", "OR". This will likely change in specification version 3, but now the operator has to be upper case. Two weeks ago we had: > * 23737spec files in Fedora > > * 30335license tags in all spec files > > * 11314 tags have not been converted to SPDX yet > > * 5105 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 62,70% ░░░░░░████ 100% > > ELN subset: > > 128 out of 2412 packages are not converted yet (progress 94.69%) > Today we have: * 23786spec files in Fedora * 30396license tags in all spec files * 11182 tags have not been converted to SPDX yet * 5044 tags can be trivially converted using `license-fedora2spdx` * Progress: 63,21% ░░░░░░████ 100% ELN subset: 112 out of 2411 packages are not converted yet (progress 95.35%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. With: 7 new licenses (plus some public domain declarations). 17 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/ New projection when we will be finished is 2025-02-01 (+17 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why Beggining of the year? That should be January 1st, right? Before the advent of the Gregorian calendar, March 1st was considered the beginning of the year. Hence Septemeber as the "seventh month" despite the fact it is 9th now. But in the Republic of Venice, for example, March was considered the beginning of the year until 1797. So in Venice, March 1790 < January 1790. For more interesting facts about time (and time zones) see this legendary video https://www.youtube.com/watch?v=-5wpm-gesOY Miroslav

1 0

Question about public domain file in dictd
by Carlos Rodriguez-Fernandez 29 Feb '24

29 Feb '24

Hi, I have been preparing a new update to dictd, and while doing it, I ran the licensecheck to double-check and cleanup the license tag. I found out that the licenses involved in the source code for the new 1.13.1 are more than originally specified in 1.12.x. There is a COPYING file with GPL-2.0-only, but the source code files have more. The final list is: GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later AND MIT AND GPL-2.0-or-later AND BSD-3-Clause There is one file in the source code that claims to be "public domain" [1]: This code was written by Colin Plumb in 1993, no copyright is claimed. This code is in the public domain; do with it what you wish This file is indeed code, so the allowed content exception for CC0-1.0 doesn't apply. The file is not written by the upstream maintainer but appears to be authored by someone else not in the maintainer list. I'm not sure how to proceed here. I could request the upstream developer to see if he can change the license but not sure will be able since it is not his. Would this be a valid case for Unlicense? [1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c Thank you, Carlos R.F.

3 4

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal