From: Brian Inglis
Organization: Systematic Software
Date: Wed, 12 Oct 2022 09:45:35 -0600
To: cygwin-apps@cygwin.com
Subject: Re: LICENSE values for non-standard OSS licenses
Message-ID: <1ee733d1-6c0b-175c-f6f7-15b9a06989f1@SystematicSw.ab.ca>
In-Reply-To: <20221012090011.jpba5xxajs7foijb@lucy.dinwoodie.org>
On 2022-10-12 9:00 UTC, Adam Dinwoodie wrote:
> On Tue, Oct 11, 2022 at 02:13:00PM -0600, Brian Inglis wrote:
>> On Tue, 11 Oct 2022 09:37:23 +0100, Adam Dinwoodie wrote:
>>> I'm trying to upload a new version of git-filter-repo, and took the
>>> opportunity to set the LICENSE value in the cygport file. The new value
>>> looks valid according to my reading of the SPDX specification, but is
>>> being rejected by calm.
>>>
>>> The license for git-filter-repo is a bit complicated, because different
>>> parts have different licenses, and several of them aren't "normal"
>>> licenses. The license is described at [0] and files referenced / linked
>>> from there.
>>>
>>> [0]: https://github.com/newren/git-filter-repo/blob/main/COPYING
>>>
>>> I've encoded this as the somewhat verbose
>>>
>>> LICENSE='(MIT OR LicenseRef-inherit-git OR LicenseRef-inherit-libgit2) AND (MIT OR LicenseRef-inherit-git OR LicenseRef-inherit-libgit2 OR LicenseRef-inherit-libgit2-examples) AND GPL-2.0-only'
>>>
>>> The error I'm getting from calm is as follows:
>>>
>>> ```
>>> ERROR: invalid hints git-filter-repo-2.38.0-1-src.hint
>>> ERROR: package 'git-filter-repo': errors in license expression: ['Unknown license key(s): LicenseRef-inherit-git, LicenseRef-inherit-libgit2, LicenseRef-inherit-libgit2-examples']
>>> ERROR: errors while parsing hints for package 'git-filter-repo'
>>> ERROR: error parsing /sourceware/cygwin-staging/home/Adam Dinwoodie/noarch/release/git-filter-repo/git-filter-repo-2.38.0-1-src.hint
>>> ERROR: error while reading uploaded arch noarch packages from maintainer Adam Dinwoodie
>>> SUMMARY: 5 ERROR(s)
>>> ```
>>>
>>> So it looks like the issue is the way I've encoded the non-standard
>>> licensing options. "LicenseRef-"(idstring) seems to be the way to
>>> encode this sort of scenario, per [1] and [2], but that doesn't seem to
>>> be acceptable to calm.
>>>
>>> [1]: https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/
>>> [2]: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
>>>
>>> Are there any suggestions about how to resolve this? I don't think I
>>> can just use the standard license strings: even if we used GPL-2.0-only
>>> in place of LicenseRef-inherit-git -- incorrect as that's the license
>>> *currently* used by Git, but the license for git-filter-repo explicitly
>>> incorporates any future OSS license Git might use -- that still leaves
>>> the problem of LicenseRef-inherit-libgit2, which is currently GPL 2.0
>>> with an exception that's not covered by any of the SPDX standard
>>> exceptions.
>>>
>>> For now I can just remove the LICENSE values to get the build released,
>>> but that seems like a temporary approach at best...
>>
>> As well as SPDX standard script comments, e.g. "# SPDX-License-Identifier: ...",
>> the same in a variable LICENSE_SPDX="SPDX-License-Identifier: ...", and
>> LICENCE_URI="COPYING..." which documents the basis, I've started using
>> _LICENSE... variables for the different subpackages, which may not be
>> currently checked, but simplifies using SPDX terms e.g.
>>
>> To a similar issue of mine in another thread here (search license) Jon
>> replied calm uses:
>> https://github.com/nexB/license-expression
>> produced by the same project/dev as scancode (which scans a codebase to
>> identify licences as part of project AboutCode), which has registered an
>> SPDX namespace for its own LicenceRefs available at:
>> https://scancode-licensedb.aboutcode.org/
>> which makes me believe Cygwin should use LicenseRef-scancode-public-domain
>> or as referenced there LicenseRef-PublicDomain, and license-expression
>> should be able to use the scancode list.
>
> I'm not sure I understand your point. Neither
> LicenseRef-scancode-public-domain nor LicenseRef-PublicDomain look
> appropriate here, as none of the code has been placed in the public
> domain.

That was a data point about the code used by Cygwin/calm, and an example
about a non-standard exception licence name in the other thread, how it
could be made non-exceptional, and the list extended for now, by using the
scancode DB licences, while SPDX makes its way thru the scancode namespace
licences, which have been submitted to them for consideration.

SPDX keeps closing (e.g. PD) licence requests as they seem to be equating
(e.g. PD) licenses to invariant licence texts, which are often simple and
embedded in files, e.g. "This code is in the public domain", or "This code
is a product of the US Government and in the public domain", sometimes with
minor variations across a project, sometimes implicit, or not stated, just
copyrights, sometimes without even disclaimers, rather than considering the
licence intents of projects, e.g. US-PD, US-Gov-PD.

With that bureaucratic attitude and hurdle, who knows how many projects
will ever "officially qualify" for SPDX licences, if they don't already
have clear licences, as many will not bother to spend precious time to
standardize the statements across all files, or contact all known existing
copyright holders to get agreement on relicensing, even if it were possible
to contact them all and get a response.

Of course, licence compliance is a nice "simple" (in theory, but you see
the problems) bureaucratic exercise that orgs like to do, but doesn't
actually address the main problems of libre software supply chain
reliability, security, whether products are adequately maintained or even
maintainable, or abandoned.

-- 
La perfection est atteinte                  Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer    but when there is no more to cut
                                            -- Antoine de Saint-Exupéry
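The LICENSE expression and the calm error quoted in the thread, reproduced by a small checker added here (not calm's or license-expression's code): it parses the SPDX expression, reports the keys a list-only checker rejects, and accepts them once LicenseRef-idstring is allowed as the SPDX 2.3 spec permits. KNOWN_SPDX_IDS is a constructed subset of the SPDX license list, not the real list.

```python
import re

# Constructed subset of the SPDX license list; a real checker loads the full list.
KNOWN_SPDX_IDS = {"MIT", "GPL-2.0-only", "GPL-2.0-or-later", "BSD-3-Clause", "Apache-2.0"}
OPERATORS = {"AND", "OR", "WITH"}
# SPDX 2.3 idstring: letters, digits, "." and "-", optionally qualified by a DocumentRef-.
LICENSE_REF = re.compile(r"^(DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+$")
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9._:+-]+|\S")


def license_keys(expr):
    """Keys of an SPDX expression in order of appearance; raises ValueError if
    parentheses are unbalanced or AND/OR/WITH is not used as a binary operator."""
    keys, depth, expect_operand = [], 0, True
    for tok in TOKEN.findall(expr):
        if tok == "(" and expect_operand:
            depth += 1
        elif tok == ")" and not expect_operand and depth > 0:
            depth -= 1
        elif tok in OPERATORS and not expect_operand:
            expect_operand = True          # next token must start an operand
        elif tok not in OPERATORS and tok[0].isalnum() and expect_operand:
            keys.append(tok)               # license id, LicenseRef-..., or exception id
            expect_operand = False
        else:
            raise ValueError(f"unexpected token {tok!r} in {expr!r}")
    if expect_operand or depth:
        raise ValueError(f"incomplete expression {expr!r}")
    return keys


def unknown_license_keys(expr, known=KNOWN_SPDX_IDS, allow_license_refs=False):
    """Keys a list-only checker (calm's behaviour in the thread) reports as unknown.
    With allow_license_refs=True a well-formed LicenseRef-idstring is accepted,
    which is what the SPDX spec permits for licenses that are not on the list."""
    unknown = []
    for key in license_keys(expr):
        if key in known or key in unknown:
            continue
        if allow_license_refs and LICENSE_REF.match(key):
            continue
        unknown.append(key)
    return unknown


# The LICENSE value from the thread, as a constructed test input.
GIT_FILTER_REPO_LICENSE = (
    "(MIT OR LicenseRef-inherit-git OR LicenseRef-inherit-libgit2) AND "
    "(MIT OR LicenseRef-inherit-git OR LicenseRef-inherit-libgit2 "
    "OR LicenseRef-inherit-libgit2-examples) AND GPL-2.0-only")
```

Calling unknown_license_keys(GIT_FILTER_REPO_LICENSE) yields the same three keys calm listed; with allow_license_refs=True it yields an empty list, while a malformed idstring such as LicenseRef-bad_id is still reported.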