From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/28007] Add SPDX license identifiers
Date: Mon, 30 May 2022 15:32:07 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=28007

--- Comment #11 from Florian Weimer ---
(In reply to richard.purdie from comment #8)
> (In reply to Florian Weimer from comment #6)
> > Why is this important to you?
>
> I think you mean why is this important to Yocto Project. We have a lot of
> diverse users of the project and they have different legal departments and
> uses of the project. One thing they need to know is the software license the
> components of system they're building are under. As such, Yocto Project
> recipes advertise the license we believe a given piece of software is under.
>
> We don't make any comment on what people should/shouldn't do with that
> information but I think we can agree that having correct information is
> important. For some project users it is particularly important where they
> need to avoid things like GPL-3.0 for example (rightly or wrongly, I make no
> comment on that).
>
> Recently it was brought to our attention that glibc isn't just under GPL-2.0
> but also has other license components and as such our overall license for
> glibc wasn't correct. We looked into it and found that we do need to tweak
> our metadata. Had there been SPDX license identifiers, we'd likely have
> avoided that issue in the first place and also been able to detect that it
> had happened. In this case I don't think it changes decisions people should
> be making but we want our license information to be complete so people have
> confidence in it. The identifiers help with that.

Based on that, I don't think you actually need per-file SPDX identifiers. One
file with all the identifiers that pertain to any code in glibc should be
sufficient for analysis tooling to pick them up. I think this would avoid the
future maintenance burden.

We can also clarify that we (as the project maintainers) believe that the SPDX
identifiers are a convenient approximation to the actual licensing state of
glibc for use with SPDX tools, but may not be completely accurate.