From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from omta002.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33]) by sourceware.org (Postfix) with ESMTPS id A8A0F3858D1E for ; Fri, 11 Aug 2023 23:29:55 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org A8A0F3858D1E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=Shaw.ca Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=shaw.ca Received: from shw-obgw-4003a.ext.cloudfilter.net ([10.228.9.183]) by cmsmtp with ESMTP id UQjfqu2KF6NwhUbZqqLjFR; Fri, 11 Aug 2023 23:29:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=shaw.ca; s=s20180605; t=1691796594; bh=OdcWJjjYlCUQZMxYR1cKNNZa8htd2ie4sKe4UeB1uT8=; h=Date:Reply-To:Subject:To:Cc:References:From:In-Reply-To; b=EmJkTYS5iG+sZ3YC19JNOGIjWroDff4HDwqnpCKkUUeoBDUTySc+LFk4nQFcCFt9F zyVkMJ14rqS6QsAEl1BcAbO1hOl/XPL210+pFDo2PjJvGYWryi+PKYSpuknwQZ0W/q bUHh8/MSxm9TzWHtGahd4ngWncUMEUyg74qqpfB0QGgxAaCEcl+NAU0fTqfx5dos9J zRq2mwy81mPfdvt50HD24s3XWHEUVoYZGNeG15LNVr2huaqGEerHnvjIE0u61t4IYx 7U6LS8v7GM8pHUHv701KGX63eIAcwfgnzlx2gUOG7k2osbGCV85Srqe0HrAr1dsbNv yWp3sUHmZv2Qw== Received: from [10.0.0.5] ([184.64.102.149]) by cmsmtp with ESMTP id UbZpqlfEIcyvuUbZpqIgFw; Fri, 11 Aug 2023 23:29:54 +0000 X-Authority-Analysis: v=2.4 cv=VbHkgXl9 c=1 sm=1 tr=0 ts=64d6c472 a=DxHlV3/gbUaP7LOF0QAmaA==:117 a=DxHlV3/gbUaP7LOF0QAmaA==:17 a=IkcTkHD0fZMA:10 a=CCpqsmhAAAAA:8 a=93Ubh6UdAAAA:8 a=SI7o7SdoLbu6s9INbqAA:9 a=QEXdDO2ut3YA:10 a=RVmHIydaz68A:10 a=ul9cdbp4aOFLsgKbc677:22 a=q-6THwuxr82FYj4XiUVi:22 a=HKxPcSnskRBcAcudMJ67:22 Message-ID: <37a58be8-9aa4-c7ea-b814-fe2b89517bad@Shaw.ca> Date: Fri, 11 Aug 2023 17:29:53 -0600 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.14.0 Reply-To: newlib@sourceware.org Subject: Re: (was: Newlib copyright review) and SPDX tagging to REUSE spec RFC Content-Language: en-CA To: newlib@sourceware.org Cc: John Scott References: From: Brian Inglis Organization: Inglis In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-CMAE-Envelope: MS4xfI7gLqvtykHjksDN3f9PuafQI3nDawwTVIBoC4iqa6s8amLAIxMxi5M3+ycleRn9XuMIBo/exrpiD97lk77VLVix4Z0MLLMddsKadN/gqtSZr6puqP7r 0yURRUzgDbySbWkk40FMQUD7vo/1eGgJWqgpcaUZQtBnu/XnHOcDfdU3J8JoTSJcjU/UyOJQgITl7Q0w4v8LbNhp2YGgQYOxlj6Oyl99z/58EWlrvzyqpLN6 X-Spam-Status: No, score=-3.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2023-08-11 16:18, Joel Sherrill wrote: > On Fri, Aug 11, 2023 at 1:23 PM Brian Inglis wrote: >> On 2023-08-11 06:14, John Scott wrote: >>> I'm re-doing the packaging of Newlib for Debian, and that means I'm >>> doing a full-blown copyright review where I'm recording the copyright >>> holders and license terms for every last file. It would be a shame if folks >>> in other distros had to duplicate my effort. I was thinking, if I'm going >>> to be doing this anyway perhaps I can upstream my efforts and make Newlib >>> comply with the REUSE specification? >>> >>> If you haven't heard of it, REUSE uses SPDX-FileCopyrightText and >>> SPDX-License-Identifier to make all the copyright and license information >>> machine-readable. It's a specification from the Free Software Foundation >>> Europe. If you're okay with me doing this, please let me know whether you >>> want these tags to replace the existing copyright and license notices, or >>> to be in addition to them and tagged on to what's already there. >>> >>> If you're not interested, please let me know so I know to resume my >>> efforts in Debian. But I'm offering to put in all of the work and since >>> Newlib has so many different copyright holders and licenses it seems like >>> you could really benefit. >> You may want to resend this as a newlib RFC, similar to my subject change, >> adding some of the info below. >> >> You could provide a few links to REUSE (try web searching that!) and SPDX >> materials to explain what you are doing to those who have not yet >> encountered >> the REUSE and SPDX projects and tools. >> >> REUSE specifies the outdated 7 year old SPDX 2.1 spec: will newer versions >> (currently 2.3) be allowed and supported? >> [SPDX are still discussing Data License which is a bone of contention for >> commercial contributors, of which there are many in newlib.] >> >> Are you okay with providing your changes, including any REUSE and SPDX >> cataloguing documents you may create which apply to the project, under >> some >> non-GPL licence attribution, that allows the library to continue to be >> used by >> contributing and other corps for their commercial purposes? >> >> Could you please outline any changes that you contemplate making to the >> document >> tree, such as LICENSES, REUSE, SPDX, etc. directory additions and likely >> contents? >> >> Are you using one of the SPDX tools to match the licence texts, as the >> variations in BSD, MIT, and Verbatim licences can be confusing, and even >> when it >> states a name, it may be called something else by SPDX? >> >> Could you please document the sources of these tools and how you intend to >> use >> them? >> >> What do you plan to do about uncatalogued licence texts: submit them to >> SPDX for >> review and (re-)naming, and/or just create a LicenseRef-Debian-NAME or >> (preferably?) LicenseRef-newlib-NAME or ExceptionRef-newlib-NAME >> placeholder? >> >> Any other considerations from those involved in licensing and cataloguing? >> >> Would probably be okay if you just added any SPDX-License-Identifier: ... >> below >> the existing licence text, then folks can see how it goes. > Thanks for the great questions Brian. We have been adding SPDX annotation to > RTEMS source code but have not used any tooling yet. I'm hoping to learn > from this process. Hopefully Scott doesn't mind educating as the process > works through. Ditto for Cygwin but we are using some tooling on package builds, checkins running CI, and package uploads. One issue to address may be newlib prohibiting GPL and Cygwin being licensed under it within the same repo. Noticed FreeBSD imports for newlib and Cygwin and recent checkins are annotated: https://sourceware.org/git/?p=newlib-cygwin.git&a=search&h=HEAD&st=pickaxe&s=SPDX-License-Identifier%3A and noticed the first licence in COPYING.NEWLIB may cause problems, as "Red Hat" is a trademark used in the copyright of these files, so the Red Hat trademark restriction may make it non-free for SPDX but IANAL: (1) Red Hat Incorporated Copyright (c) 1994-2009 Red Hat, Inc. All rights reserved. "This copyrighted material is made available to anyone wishing to use, modify, copy, or redistribute it subject to the terms and conditions of the BSD License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. A copy of this license is available at http://www.opensource.org/licenses. *Any Red Hat trademarks that are incorporated in the source code or documentation are not subject to the BSD License and may only be used or replicated with the express permission of Red Hat, Inc.*" whereas other RH documents explicitly say "If the document is modified, all Red Hat trademarks must be removed." which may imply any use of the words "Red Hat"? -- Take care. Thanks, Brian Inglis Calgary, Alberta, Canada La perfection est atteinte Perfection is achieved non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut -- Antoine de Saint-Exupéry