As announced in [1] the message on devel list, I have retired celestia and celestia-data due to some files have been discovered to be covered under CC-BY-NC-SA-3.0 (plus some other are still waiting for a full check by upstream).
I wonder if I need to ask fedora-infra to remove all the sources from the lookaside cache?
Mattia
[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
Hey everyone,
It looks like Redis, Inc. has announced that future versions of Redis
are no longer OSS and will be dual-licensed SSPL and RSAL[1]. Absent a
fork of Redis coming up, we will likely need to remove Redis from
Fedora.
All I can say is... :(
[1]: https://redis.com/blog/redis-adopts-dual-source-available-licensing/
--
真実はいつも一つ!/ Always, there's only one truth!
On Wed, Mar 20, 2024 at 6:26 PM Jonathan Wright via devel
<devel(a)lists.fedoraproject.org> wrote:
>
> We can potentially look to https://github.com/Snapchat/KeyDB which I've been loosely working on packaging anyway.
>
I'll want to test this for Pagure at least, since we're going to have
to switch our recommendations around soon because of this.
--
真実はいつも一つ!/ Always, there's only one truth!
On Tue Mar 5, 2024 at 04:06 +0000, Maxwell G wrote:
> On Mon Mar 4, 2024 at 22:35 +0100, Sandro wrote:
> > On 04-03-2024 07:59, Miroslav Suchý wrote:
> > > It would welcome if anyone can help Robert here:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2235055
> >
> > I had a look and it seems the package is currently stuck on broken
> > python-pymaven-patch, which requires python-lxml < 5~~. In rawhide and
> > f40 python-lxml was updated to 5.1.0 two months ago.
> >
> > For about as long there has been a PR open for python-pymaven-patch
> > removing that version constraint. Notably, the maintainer of
> > python-pymaven-patch is the same person, who submitted the
> > scancode-toolkit review request.
> >
> > There may be more trouble down the road. But for the moment, I don't see
> > how others can help driving this forward. A proven packager could merge
> > the PR. But I don't know how eclipseo, who's a proven packager, would
> > feel about that.
>
> Fixing FTI bugs that are unaddressed by a package's maintainer
> definitely falls under the purview of a provenpackager.
> I rebased the PR [1] and will merge it once CI passes.
>
> [1] https://src.fedoraproject.org/rpms/python-pymaven-patch/pull-request/1
It also looks like a bunch of the tests are failing and have been
skipped. That's not super ideal. It looks like [1] has been open
upstream for some time. I have not yet looked closely at the failures,
but Philippe, if you have any pointers to give, that would certainly be
helpful.
[1] https://github.com/nexB/scancode-toolkit/issues/3496
On Mon Mar 4, 2024 at 07:59 +0100, Miroslav Suchý wrote:
> Dne 03. 03. 24 v 20:22 Philippe Ombredanne napsal(a):
>
> > If you want robust license detection, consider using ScanCode [2] and
> > Scancode.io [3] for more complex pipelines. Both are tools that I
> > co-maintain and are considered as better tools for this. Do not
> > hesitate to reach out for help!
>
> *nod*
>
> It would welcome if anyone can help Robert here:
> https://bugzilla.redhat.com/show_bug.cgi?id=2235055
Robert has not been very responsive as of late. It might be a good idea
for someone else to pick it up and start a new review ticket.
Hi,
Has anyone every used trivy [1] to scan for licenses? It appears more
robust and better maintained than askalono-cli and can detect files with
multiple licenses and licenses embedded in file headers. I have been
running it with "trivy fs --scanners license --license-full ."
[1] https://github.com/aquasecurity/trivy
--
Maxwell G (@gotmax23)
Pronouns: He/They
Hi,
A while ago I opened issue #39[1] on GitLab. There have been some recent
developments regarding the license. Upstream is welcoming a PR for
fixing/clarifying the license situation.
I have prepared a draft PR, but before I submit that for upstream to
review and hopefully merge, I'd like someone from legal to go over my
proposal and tell me if that PR would allow me to proceed with the
package review of python-pyuca.
More information can be found in the ticket, in particular my latest
comment.
[1] https://gitlab.com/fedora/legal/fedora-license-data/-/issues/379
Cheers,
--
Sandro
FAS: gui1ty
Matrix: Penguinpee
Elsewhere: [Pp]enguinpee
-------- Přeposlaná zpráva --------
Předmět: SPDX Statistics - Beginning of the year edition
Datum: Fri, 1 Mar 2024 09:27:48 +0100
Od: Miroslav Suchý <msuchy(a)redhat.com>
Společnost: Red Hat Czech, s.r.o.
Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org>
Hot news:
fedora-license-data has Copr project https://copr.fedorainfracloud.org/coprs/g/osci/fedora-license-data where new
package is built whenever new PR is merged
The last phase is ready for wrangler https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4 and we will
proceed when approved with FESCO.
I corrected lots of SPDX formula where you used lowercase "and", "or". The specification allows only "AND", "OR".
This will likely change in specification version 3, but now the operator has to be upper case.
Two weeks ago we had:
> * 23737spec files in Fedora
>
> * 30335license tags in all spec files
>
> * 11314 tags have not been converted to SPDX yet
>
> * 5105 tags can be trivially converted using `license-fedora2spdx`
>
> * Progress: 62,70% ░░░░░░████ 100%
>
> ELN subset:
>
> 128 out of 2412 packages are not converted yet (progress 94.69%)
>
Today we have:
* 23786spec files in Fedora
* 30396license tags in all spec files
* 11182 tags have not been converted to SPDX yet
* 5044 tags can be trivially converted using `license-fedora2spdx`
* Progress: 63,21% ░░░░░░████ 100%
ELN subset:
112 out of 2411 packages are not converted yet (progress 95.35%)
Graph of these data with the burndown chart:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r…
The list of packages needed to be converted is here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List by package maintainers is here
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List of packages from ELN subset that needs to be converted:
https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt
New version of fedora-license-data has been released. With:
7 new licenses (plus some public domain declarations).
17 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data)
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B…
Legal docs and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
was updated too.
License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/
New projection when we will be finished is 2025-02-01 (+17 days from last report). Pure linear approximation.
If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license
tag matches SPDX formula, you can put your package on ignore list
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either pull-request or direct email to me is fine.
Why Beggining of the year? That should be January 1st, right? Before the advent of the Gregorian calendar, March 1st was
considered the beginning of the year. Hence Septemeber as the "seventh month" despite the fact it is 9th now. But in the
Republic of Venice, for example, March was considered the beginning of the year until 1797. So in Venice, March 1790 <
January 1790. For more interesting facts about time (and time zones) see this legendary video
https://www.youtube.com/watch?v=-5wpm-gesOY
Miroslav
Hi,
I have been preparing a new update to dictd, and while doing it, I ran
the licensecheck to double-check and cleanup the license tag.
I found out that the licenses involved in the source code for the new
1.13.1 are more than originally specified in 1.12.x. There is a COPYING
file with GPL-2.0-only, but the source code files have more. The final
list is:
GPL-2.0-only AND GPL-1.0-or-later AND GPL-3.0-or-later
AND MIT AND GPL-2.0-or-later AND BSD-3-Clause
There is one file in the source code that claims to be "public domain" [1]:
This code was written by Colin Plumb in 1993, no copyright is claimed.
This code is in the public domain; do with it what you wish
This file is indeed code, so the allowed content exception for CC0-1.0
doesn't apply. The file is not written by the upstream maintainer but
appears to be authored by someone else not in the maintainer list. I'm
not sure how to proceed here. I could request the upstream developer to
see if he can change the license but not sure will be able since it is
not his. Would this be a valid case for Unlicense?
[1] https://github.com/cheusov/dictd/blob/1.13.1/md5.c
Thank you,
Carlos R.F.