From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id YKxVOUGJlWAYdgAAgWs5BA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 07 May 2021 20:38:57 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id uHgSNUGJlWBYLQAA1q6Kng
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 07 May 2021 18:38:57 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4505421EE3
	for <larch@yhetil.org>; Fri,  7 May 2021 20:38:57 +0200 (CEST)
Received: from localhost ([::1]:58396 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1lf5NI-0001Li-6K
	for larch@yhetil.org; Fri, 07 May 2021 14:38:56 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:34588)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cmmarusich@gmail.com>)
 id 1lf5Gh-0002Z9-87
 for guix-devel@gnu.org; Fri, 07 May 2021 14:32:07 -0400
Received: from mail-pg1-x52c.google.com ([2607:f8b0:4864:20::52c]:33390)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <cmmarusich@gmail.com>)
 id 1lf5Ge-00059u-Un
 for guix-devel@gnu.org; Fri, 07 May 2021 14:32:06 -0400
Received: by mail-pg1-x52c.google.com with SMTP id i5so3045794pgm.0
 for <guix-devel@gnu.org>; Fri, 07 May 2021 11:32:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version;
 bh=yk+XZpMLuITSQc+vAqGZiQiu9/I8Hiz1ukqA2icqhCQ=;
 b=cGut6exaqU3UOmeh3jT9Z+cMzXct2kF3FMWgz4dEiQmC6469dh6CVgm+MtN7JTOQii
 /sHgIHl9Q5dusnhAkIxYgMetcctWqkVUAQ0MOqznVinvfpae7xJ5P/Ks7PY2CnmGekZy
 wbI54V4GIDBG0noC6oDMmDLexT+bF5Ph1mRHHacMBQSGR5rIrMyH24AhMu+Pr58f2kcG
 5mtkqSYonkkYx5es2T1/fF/TrjBaAGxoLO1sdC7ALZBFLy7Umvoubq6DHJ4ASlB90f9w
 ycOoG0M4S6gr8bBF6vVr5Zg8wo4C4q2qSvRUrONaUIaEMuwlbiH6sWgAY7UiYH0O8czb
 Ij2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version;
 bh=yk+XZpMLuITSQc+vAqGZiQiu9/I8Hiz1ukqA2icqhCQ=;
 b=Nbf1+2g83ODF5mP/GqJaZCsa7FT+fouelIWYbxTMgUq9be9Ixwb3lPxq2q6jAJirHP
 KiqhdiBruPhKtCdPzH4QYtt/MmwYcC9W1L3gHe17HmcPuI1/wJUvkFyeS56MMUipUvPy
 dHR1dtS+/hlHH5rtyQchAuOD2PASBLb4pstZXvhQi0OzDZHSB3YiBQsUfuVg7wqpZ36u
 TMJj35Ry0eajNIr5zqMw6sMU2EyETjkv9Eler1HzRK+wIF/bKVymOyGD07svH0iLT8fd
 nrhVft5kYxB39SxuP8/lz5UYlK0P2a5f3IpQhuYJpezC+FlQ4lQKD3/+vn5HDqVTRBxQ
 9UsA==
X-Gm-Message-State: AOAM533Nr/vWyMs7b8aUFB108UcglQUcBkvtN4aPaupfpwRJEgLCuKHj
 oTDJYOePDrQDTd7CNe8ZyThKtzS1072uWA==
X-Google-Smtp-Source: ABdhPJw97dI58iJOt5bYKZDe9ZrcgFXVNJ7IfOZvByvdnbMuItBZAJ80/KMdJHxLQncZsPr5mB1I9g==
X-Received: by 2002:a63:1e1e:: with SMTP id e30mr11267746pge.77.1620412321986; 
 Fri, 07 May 2021 11:32:01 -0700 (PDT)
Received: from garuda-lan (c-24-18-44-142.hsd1.wa.comcast.net. [24.18.44.142])
 by smtp.gmail.com with ESMTPSA id
 j7sm4895727pfc.164.2021.05.07.11.32.00
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 07 May 2021 11:32:00 -0700 (PDT)
From: Chris Marusich <cmmarusich@gmail.com>
To: Leo Famulari <leo@famulari.name>
Subject: The purpose of the "license" list of a Guix package (Was: Re: Jam:
 which licence is this?)
References: <alpine.DEB.2.21.2104250213150.8414@marsh.hcoop.net>
 <87tunuq1ei.fsf@elephly.net> <87sg3ejmxv.fsf@netris.org>
 <YIWoR/K8IgSNQww/@jasmine.lan> <87h7juje1a.fsf@netris.org>
 <YIbpN/ksDF/6fhmy@jasmine.lan> <874kflrb1t.fsf@netris.org>
 <YI7DU4IF51feZymI@jasmine.lan>
Date: Fri, 07 May 2021 11:31:56 -0700
In-Reply-To: <YI7DU4IF51feZymI@jasmine.lan> (Leo Famulari's message of "Sun, 2
 May 2021 11:20:51 -0400")
Message-ID: <871rai2y5f.fsf_-_@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Received-SPF: pass client-ip=2607:f8b0:4864:20::52c;
 envelope-from=cmmarusich@gmail.com; helo=mail-pg1-x52c.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Cc: guix-devel@gnu.org
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1620412737;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=yk+XZpMLuITSQc+vAqGZiQiu9/I8Hiz1ukqA2icqhCQ=;
	b=Q4XKTX3bl0JO6zQ9BbjN/QddImWN1rxvu4R/RTas+TwPGxKfHrNLNm4J7l4E8l3p/fO+8n
	WAcY956H1oWDavQkiHYq+VUe/zkt/FaQ9LWHpEtKezigSFW1Z6DU3+ekSQa546K0Ypiz//
	IsNCUOcDPKyN0v32SEAQf6B+ankXD7weyDL4AN53HQtVq0YR7sq+wOpbjdHUMr0LBm9he1
	3B6+G/7O/9DBQmHIiDXzEBUL7Bg30kaXNx0MC87l/30H2IowWCF1UfE//DM8SWU7IeqMB/
	D7+ARJeyIr90dEWfDDbpiVKrLz/Q1dKHaAeHnxNEApt2oVD0Ctri+UN4Jd5Rrg==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1620412737; a=rsa-sha256; cv=none;
	b=lPkA/n3Ps0S2uZFbcGSe4MieeK9EGV7PoqZ3N5CZwykgLKbvgoCfLr4pZyuCX40MZomTFi
	MjPr0xeQ+UskyI8p3kQqKSsRSN9o80TYxNv7CnWnUmiO94AtGqj33UDR3417Sikt4U0iUW
	Hk4w9Pt7fUOzXB5wDTzNSA6X3ualuTgu6Vnxw76R5pxeYsZ5kASrfRxkKRjp1HeOgFZ/GV
	nhzTbynIWTJgalQKd+QydhuzlhRM4ESByfRXY/s1UNkLvdMrYPEk1DgRuW+az9bLlVsrV8
	HvzhUeSei+6E6hUFDLFy0qV80oZQEmokDrzgRoHlEIqm+E2DQJqdvuqRPLUXtw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=cGut6exa;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Spam-Score: -0.95
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=cGut6exa;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: 4505421EE3
X-Spam-Score: -0.95
X-Migadu-Scanner: scn0.migadu.com
X-TUID: CgW9Y0DdC4tm

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi,

Leo Famulari <leo@famulari.name> writes:

> On Sun, May 02, 2021 at 12:53:07AM -0400, Mark H Weaver wrote:
>> My understanding is that the 'license' field of a package in Guix has
>> _always_ been meant to summarize the license restrictions associated
>> with the package source (the output of "guix build --source"), and
>> *not* merely the package outputs.
>
> My understanding is that the license field describes the license that
> the package is redistributed under, which is typically a single license,
> but could be a dual (or multiple) license if that is the case.
>
> The manual section "package Reference" says:
>
> The license of the package; a value from (guix licenses), or a list of
> such values.
>
> It's the license of the package, overall. Not of every single file in
> the source code.
>
>> Really?  Can you give some examples of this from our core packages?
>
> The 'hello' package is not core, but it is a typical Autotools-based
> package, and the core packages will be similar.
>
> It is, overall, GPL3 or later. However, the component source files bear
> these other licenses too:
>
> aclocal.m4: An unnamed permissive license
> AUTHORS: An unnamed permissive license
> configure: An unnamed permissive license
> configure.ac: An unnamed permissive license
> INSTALL: An unnamed permissive license
> maint.mk: An unnamed permissive license
> Makefile.am, Makefile.in: An unnamed permissive license
> README, README-dev: An unnamed permissive license
> THANKS: An unnamed permissive license
>
> build-aux/compile: GPL2+
> build-aux/config.rpath: An unnamed permissive license
> build-aux/depcomp: GPL2+
> build-aux/install-sh: Expat license
> build-aux/mdate-sh: GPL2+
> build-aux/missing: GPL2+
> build-aux/test-driver: GPL2+
>
> doc: Some files bear the GFDL
>
> m4: Maybe unnamed permissive licenses (I'm getting tired)
>
> po/Makefile.in.in: The "GPL" with no version mentioned. I assume GPL1.
> po/POTFILES.in: An unnamed permissive license
>
> tests/*: An unnamed permissive license
>
> Some of those unnamed permissive licenses are the same as each other,
> some are different.
>
> It would be unhelpful if the package definition's license field said
> "gpl3+ gpl2+ gpl1 non-copyleft expat gfdl". Nobody would be able to
> answer the question "What is the license of the 'hello' package?"
>
>> The 'license' field can only mean one of these two things, and I think
>> it's fairly clear which one it should be.  Moreover, I think that this
>> is what it has always meant in Guix.  If not, that's a problem.
>
> My survey of the "hello" package shows that the license field in Guix is
> about the overall license of the program, not an exhaustive list of the
> many licenses used for various components of the source code.
>
> I don't think it's a problem to not mention those licenses in the
> package definition. When the user acquires the source code, they still
> get the benefits of the freely licensed components. Nothing is being
> hidden.
>
> The suggestion that our package definitions' license field should
> mention every license contain in the source code has no precedent in
> Guix, at least since I joined. I don't there is a demonstrated benefit
> to making that change.

I agree with Leo.  My understanding is that the intent of the "license"
field (which can be a list) in a Guix package is to call out the "main"
(deliberately vague here) licenses related to the code, not to provide
an exhaustive or authoritative description of all the licenses affecting
every file in every possible situation.  As Leo has demonstrated, a
package's license field (like probably most summaries of license
information) is surely not exhaustive or authoritative; the licenses in
the source code files themselves are authoritative.

My understanding is that a packager is expected to audit the licenses in
the files when adding the package.  If an exhaustive audit is not
feasible (which is often the case), they should perform a reasonable
spot check and then list the "main" licenses in play in the licenses
file.  As in the GNU Hello case, there is clearly a judgment call
regarding what goes into the Guix package's licenses list, since a
simple list cannot describe everything.  In general, even if
hypothetically you did do an exhaustive audit of all files, it is not
practical to try to describe all the licensing implications in the Guix
package definition.  I don't think that's the purpose of the license
field.

One more thing.  I have always felt that the license field of a Guix
package is intended to call out the licenses that apply to the built
output of the package in particular.  In other words, I think the
license field is intended to call out the licenses that are most likely
to apply in the situation where you "link" with the built output of the
package.  That is the purpose of many packages: to be "linked" from
other source code.  Since it is often the case that software you write
will not be "linking" with the package's build scripts, but rather with
the package's built output, the license of the build scripts are less
relevant for that use case.

In the end, I think a packager is expected to be operating in good
faith, in accordance with the FSDG.  This means that packagers look for
freedom issues and address them when found.  It does not mean that
packagers are expected to provide a detailed "bill of materials" for
every single package, although that is certainly something that some
people think is important (and some people don't).

This reminds me of the following fun debate from FOSDEM 2020:

"Does Careful Inventory of Licensing Bill of Materials Have Real Impact
on FOSS License Compliance?"
https://archive.fosdem.org/2020/schedule/event/debate_license_compliance/

I think you might enjoy watching it.  Basically, the "negative" argument
(careful inventory of licensing bill of materials does NOT have a real
impact on FOSS license compliance) is somewhat relevant here, and it
went something like this: the transitive closure of required source code
itself is a kind of "bill of materials", and if you only use free
software, it is always easy to comply - just provide the source code.

It was a fun debate.  I happened to be in the audience, and I mentioned
in a question at the end that Guix makes it easy to provide the
transitive closure of source for any given piece of software.  I don't
know of any other tool that does this for all software in an operating
system, except maybe Nix.

=2D-=20
Chris

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAmCVh5wVHGNtbWFydXNp
Y2hAZ21haWwuY29tAAoJEN1AmhXYIkado+MP/1QVScEo4SreIWHw9Ko3Qx2tXqHX
5rJVP2J4hTfElUYa0lLwXv9SlKyH2kRv+P3nT/Ay1Xri93zn1QkVs7X9Sy0+WI6r
ip6ElyT+lo5BfhzB1inBeRfBE9aHxfaI009eqWDqXPBWp/bfNqnzrSqI6cduUVZJ
SKRwSYqNoFt2fEdtpoCQpAth8LIqigIuVlRqQGKWsqv8XiCZyzPwYSJy8IzN6ODJ
3eY+ILtiW0P267419yl8DKpO4+DknYO1DjxPmn+u9HcT4wNnSvsY+gDGyC4NCpgj
3TTG5OZKRQBZxDug3REwU1UvyGTDFylgJpCZvR7sP+K6VF9MLCCGcxrqdShrDWbw
v3Rbrl40O2cMZiDJ8sZQ1IOp2JKCWHJwNFJcPKNIojzbYouqZx08smkjmIdGvczf
oBNzwV8ocZjUZcHdcPT9Jsjrat/4b3nr/lOcC6TCxmzsGZZHNKxBFBlo87nrqN60
5KsT3Tl6PtQpW7nSQruk4nxKJHMpBv7uesE8zG5UcvjlRZ3MHON/Xw+CscXOL41J
c38Zo5qQTP2CGJkPty8z5fqnsoTItWUWxXw/kxprqbcpFvecgjc89uGqk+sOvLLV
8hl28XMl20BeyVitDqPPc3FMaB4AP5IWyU47Bg935/Pl0St+fk/jLzpYtPswI97I
kkhfC2Dk+q2JoMoG
=f/2r
-----END PGP SIGNATURE-----
--=-=-=--