From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id YKxVOUGJlWAYdgAAgWs5BA (envelope-from ) for ; Fri, 07 May 2021 20:38:57 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id uHgSNUGJlWBYLQAA1q6Kng (envelope-from ) for ; Fri, 07 May 2021 18:38:57 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4505421EE3 for ; Fri, 7 May 2021 20:38:57 +0200 (CEST) Received: from localhost ([::1]:58396 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lf5NI-0001Li-6K for larch@yhetil.org; Fri, 07 May 2021 14:38:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34588) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lf5Gh-0002Z9-87 for guix-devel@gnu.org; Fri, 07 May 2021 14:32:07 -0400 Received: from mail-pg1-x52c.google.com ([2607:f8b0:4864:20::52c]:33390) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lf5Ge-00059u-Un for guix-devel@gnu.org; Fri, 07 May 2021 14:32:06 -0400 Received: by mail-pg1-x52c.google.com with SMTP id i5so3045794pgm.0 for ; Fri, 07 May 2021 11:32:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=yk+XZpMLuITSQc+vAqGZiQiu9/I8Hiz1ukqA2icqhCQ=; b=cGut6exaqU3UOmeh3jT9Z+cMzXct2kF3FMWgz4dEiQmC6469dh6CVgm+MtN7JTOQii /sHgIHl9Q5dusnhAkIxYgMetcctWqkVUAQ0MOqznVinvfpae7xJ5P/Ks7PY2CnmGekZy wbI54V4GIDBG0noC6oDMmDLexT+bF5Ph1mRHHacMBQSGR5rIrMyH24AhMu+Pr58f2kcG 5mtkqSYonkkYx5es2T1/fF/TrjBaAGxoLO1sdC7ALZBFLy7Umvoubq6DHJ4ASlB90f9w ycOoG0M4S6gr8bBF6vVr5Zg8wo4C4q2qSvRUrONaUIaEMuwlbiH6sWgAY7UiYH0O8czb Ij2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=yk+XZpMLuITSQc+vAqGZiQiu9/I8Hiz1ukqA2icqhCQ=; b=Nbf1+2g83ODF5mP/GqJaZCsa7FT+fouelIWYbxTMgUq9be9Ixwb3lPxq2q6jAJirHP KiqhdiBruPhKtCdPzH4QYtt/MmwYcC9W1L3gHe17HmcPuI1/wJUvkFyeS56MMUipUvPy dHR1dtS+/hlHH5rtyQchAuOD2PASBLb4pstZXvhQi0OzDZHSB3YiBQsUfuVg7wqpZ36u TMJj35Ry0eajNIr5zqMw6sMU2EyETjkv9Eler1HzRK+wIF/bKVymOyGD07svH0iLT8fd nrhVft5kYxB39SxuP8/lz5UYlK0P2a5f3IpQhuYJpezC+FlQ4lQKD3/+vn5HDqVTRBxQ 9UsA== X-Gm-Message-State: AOAM533Nr/vWyMs7b8aUFB108UcglQUcBkvtN4aPaupfpwRJEgLCuKHj oTDJYOePDrQDTd7CNe8ZyThKtzS1072uWA== X-Google-Smtp-Source: ABdhPJw97dI58iJOt5bYKZDe9ZrcgFXVNJ7IfOZvByvdnbMuItBZAJ80/KMdJHxLQncZsPr5mB1I9g== X-Received: by 2002:a63:1e1e:: with SMTP id e30mr11267746pge.77.1620412321986; Fri, 07 May 2021 11:32:01 -0700 (PDT) Received: from garuda-lan (c-24-18-44-142.hsd1.wa.comcast.net. [24.18.44.142]) by smtp.gmail.com with ESMTPSA id j7sm4895727pfc.164.2021.05.07.11.32.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 07 May 2021 11:32:00 -0700 (PDT) From: Chris Marusich To: Leo Famulari Subject: The purpose of the "license" list of a Guix package (Was: Re: Jam: which licence is this?) References: <87tunuq1ei.fsf@elephly.net> <87sg3ejmxv.fsf@netris.org> <87h7juje1a.fsf@netris.org> <874kflrb1t.fsf@netris.org> Date: Fri, 07 May 2021 11:31:56 -0700 In-Reply-To: (Leo Famulari's message of "Sun, 2 May 2021 11:20:51 -0400") Message-ID: <871rai2y5f.fsf_-_@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Received-SPF: pass client-ip=2607:f8b0:4864:20::52c; envelope-from=cmmarusich@gmail.com; helo=mail-pg1-x52c.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1620412737; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=yk+XZpMLuITSQc+vAqGZiQiu9/I8Hiz1ukqA2icqhCQ=; b=Q4XKTX3bl0JO6zQ9BbjN/QddImWN1rxvu4R/RTas+TwPGxKfHrNLNm4J7l4E8l3p/fO+8n WAcY956H1oWDavQkiHYq+VUe/zkt/FaQ9LWHpEtKezigSFW1Z6DU3+ekSQa546K0Ypiz// IsNCUOcDPKyN0v32SEAQf6B+ankXD7weyDL4AN53HQtVq0YR7sq+wOpbjdHUMr0LBm9he1 3B6+G/7O/9DBQmHIiDXzEBUL7Bg30kaXNx0MC87l/30H2IowWCF1UfE//DM8SWU7IeqMB/ D7+ARJeyIr90dEWfDDbpiVKrLz/Q1dKHaAeHnxNEApt2oVD0Ctri+UN4Jd5Rrg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1620412737; a=rsa-sha256; cv=none; b=lPkA/n3Ps0S2uZFbcGSe4MieeK9EGV7PoqZ3N5CZwykgLKbvgoCfLr4pZyuCX40MZomTFi MjPr0xeQ+UskyI8p3kQqKSsRSN9o80TYxNv7CnWnUmiO94AtGqj33UDR3417Sikt4U0iUW Hk4w9Pt7fUOzXB5wDTzNSA6X3ualuTgu6Vnxw76R5pxeYsZ5kASrfRxkKRjp1HeOgFZ/GV nhzTbynIWTJgalQKd+QydhuzlhRM4ESByfRXY/s1UNkLvdMrYPEk1DgRuW+az9bLlVsrV8 HvzhUeSei+6E6hUFDLFy0qV80oZQEmokDrzgRoHlEIqm+E2DQJqdvuqRPLUXtw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=cGut6exa; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -0.95 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=cGut6exa; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 4505421EE3 X-Spam-Score: -0.95 X-Migadu-Scanner: scn0.migadu.com X-TUID: CgW9Y0DdC4tm --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi, Leo Famulari writes: > On Sun, May 02, 2021 at 12:53:07AM -0400, Mark H Weaver wrote: >> My understanding is that the 'license' field of a package in Guix has >> _always_ been meant to summarize the license restrictions associated >> with the package source (the output of "guix build --source"), and >> *not* merely the package outputs. > > My understanding is that the license field describes the license that > the package is redistributed under, which is typically a single license, > but could be a dual (or multiple) license if that is the case. > > The manual section "package Reference" says: > > The license of the package; a value from (guix licenses), or a list of > such values. > > It's the license of the package, overall. Not of every single file in > the source code. > >> Really? Can you give some examples of this from our core packages? > > The 'hello' package is not core, but it is a typical Autotools-based > package, and the core packages will be similar. > > It is, overall, GPL3 or later. However, the component source files bear > these other licenses too: > > aclocal.m4: An unnamed permissive license > AUTHORS: An unnamed permissive license > configure: An unnamed permissive license > configure.ac: An unnamed permissive license > INSTALL: An unnamed permissive license > maint.mk: An unnamed permissive license > Makefile.am, Makefile.in: An unnamed permissive license > README, README-dev: An unnamed permissive license > THANKS: An unnamed permissive license > > build-aux/compile: GPL2+ > build-aux/config.rpath: An unnamed permissive license > build-aux/depcomp: GPL2+ > build-aux/install-sh: Expat license > build-aux/mdate-sh: GPL2+ > build-aux/missing: GPL2+ > build-aux/test-driver: GPL2+ > > doc: Some files bear the GFDL > > m4: Maybe unnamed permissive licenses (I'm getting tired) > > po/Makefile.in.in: The "GPL" with no version mentioned. I assume GPL1. > po/POTFILES.in: An unnamed permissive license > > tests/*: An unnamed permissive license > > Some of those unnamed permissive licenses are the same as each other, > some are different. > > It would be unhelpful if the package definition's license field said > "gpl3+ gpl2+ gpl1 non-copyleft expat gfdl". Nobody would be able to > answer the question "What is the license of the 'hello' package?" > >> The 'license' field can only mean one of these two things, and I think >> it's fairly clear which one it should be. Moreover, I think that this >> is what it has always meant in Guix. If not, that's a problem. > > My survey of the "hello" package shows that the license field in Guix is > about the overall license of the program, not an exhaustive list of the > many licenses used for various components of the source code. > > I don't think it's a problem to not mention those licenses in the > package definition. When the user acquires the source code, they still > get the benefits of the freely licensed components. Nothing is being > hidden. > > The suggestion that our package definitions' license field should > mention every license contain in the source code has no precedent in > Guix, at least since I joined. I don't there is a demonstrated benefit > to making that change. I agree with Leo. My understanding is that the intent of the "license" field (which can be a list) in a Guix package is to call out the "main" (deliberately vague here) licenses related to the code, not to provide an exhaustive or authoritative description of all the licenses affecting every file in every possible situation. As Leo has demonstrated, a package's license field (like probably most summaries of license information) is surely not exhaustive or authoritative; the licenses in the source code files themselves are authoritative. My understanding is that a packager is expected to audit the licenses in the files when adding the package. If an exhaustive audit is not feasible (which is often the case), they should perform a reasonable spot check and then list the "main" licenses in play in the licenses file. As in the GNU Hello case, there is clearly a judgment call regarding what goes into the Guix package's licenses list, since a simple list cannot describe everything. In general, even if hypothetically you did do an exhaustive audit of all files, it is not practical to try to describe all the licensing implications in the Guix package definition. I don't think that's the purpose of the license field. One more thing. I have always felt that the license field of a Guix package is intended to call out the licenses that apply to the built output of the package in particular. In other words, I think the license field is intended to call out the licenses that are most likely to apply in the situation where you "link" with the built output of the package. That is the purpose of many packages: to be "linked" from other source code. Since it is often the case that software you write will not be "linking" with the package's build scripts, but rather with the package's built output, the license of the build scripts are less relevant for that use case. In the end, I think a packager is expected to be operating in good faith, in accordance with the FSDG. This means that packagers look for freedom issues and address them when found. It does not mean that packagers are expected to provide a detailed "bill of materials" for every single package, although that is certainly something that some people think is important (and some people don't). This reminds me of the following fun debate from FOSDEM 2020: "Does Careful Inventory of Licensing Bill of Materials Have Real Impact on FOSS License Compliance?" https://archive.fosdem.org/2020/schedule/event/debate_license_compliance/ I think you might enjoy watching it. Basically, the "negative" argument (careful inventory of licensing bill of materials does NOT have a real impact on FOSS license compliance) is somewhat relevant here, and it went something like this: the transitive closure of required source code itself is a kind of "bill of materials", and if you only use free software, it is always easy to comply - just provide the source code. It was a fun debate. I happened to be in the audience, and I mentioned in a question at the end that Guix makes it easy to provide the transitive closure of source for any given piece of software. I don't know of any other tool that does this for all software in an operating system, except maybe Nix. =2D-=20 Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJJBAEBCAAzFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAmCVh5wVHGNtbWFydXNp Y2hAZ21haWwuY29tAAoJEN1AmhXYIkado+MP/1QVScEo4SreIWHw9Ko3Qx2tXqHX 5rJVP2J4hTfElUYa0lLwXv9SlKyH2kRv+P3nT/Ay1Xri93zn1QkVs7X9Sy0+WI6r ip6ElyT+lo5BfhzB1inBeRfBE9aHxfaI009eqWDqXPBWp/bfNqnzrSqI6cduUVZJ SKRwSYqNoFt2fEdtpoCQpAth8LIqigIuVlRqQGKWsqv8XiCZyzPwYSJy8IzN6ODJ 3eY+ILtiW0P267419yl8DKpO4+DknYO1DjxPmn+u9HcT4wNnSvsY+gDGyC4NCpgj 3TTG5OZKRQBZxDug3REwU1UvyGTDFylgJpCZvR7sP+K6VF9MLCCGcxrqdShrDWbw v3Rbrl40O2cMZiDJ8sZQ1IOp2JKCWHJwNFJcPKNIojzbYouqZx08smkjmIdGvczf oBNzwV8ocZjUZcHdcPT9Jsjrat/4b3nr/lOcC6TCxmzsGZZHNKxBFBlo87nrqN60 5KsT3Tl6PtQpW7nSQruk4nxKJHMpBv7uesE8zG5UcvjlRZ3MHON/Xw+CscXOL41J c38Zo5qQTP2CGJkPty8z5fqnsoTItWUWxXw/kxprqbcpFvecgjc89uGqk+sOvLLV 8hl28XMl20BeyVitDqPPc3FMaB4AP5IWyU47Bg935/Pl0St+fk/jLzpYtPswI97I kkhfC2Dk+q2JoMoG =f/2r -----END PGP SIGNATURE----- --=-=-=--