Re: Clarify the license field of the package

[宋文武 <iyzsong@envs.net>]

Maxime Devos <maximedevos@telenet.be> writes:

> On 22-08-2022 11:02, 宋文武 wrote:
>
>> Hello list, I have some questions about the 'license' of a package,
>> currently defined as:
>>
>>      The license of the package; a value from ‘(guix licenses)’, or a
>>      list of such values.
>>
>> 1. It's the license of source files (guix build -S) or built binary
>>     files?
>
> (If 'built binary files', I would include generated or copied
> documentation in the list. And icons, .desktop files, ..., I'm not
> restricting myself to _executable_ binaries here and also not to
> binaries that aren't sources as well.)

Sure, it should be clear what license any file has.  Below, I'd refer
them as sources and outputs.
>
> Rarely, there is some weirdness where the source code is free
> (VSCodium?) but the official build has a non-free license
> (VSCode?). At least for that example, it doesn't apply to Guix though
> (because VSCodium is not packaged, and because with some rare
> exceptions we build from source).
>
> However, in my experience, in free software they almost always have
> the same license, so the distinction appears meaningless to me with
> the possible exception of build scripts and test files (including, but
> not limited to, test code).

There are 2 main cases which the licenses of sources and outputs of a
package can be different:

  1. statically linked binaries (eg: golang, rust), leading outputs has
  more licenses than the package's sources (should be all sources), see:
  https://artemis.sh/2022/08/21/this-program-is-illegally-packaged-in-14-distributions.html

  2. not used sources or when licenses not propagated to outputs during
  build (eg: tests, build tools, sources generator), leading outputs has
  less licenses than sources.

I think this distinction will be important when we audit the license
compatibility issues for outputs, since we also distribute outputs via
substitutes.
>
> I think it should include the source files, as the license of the
> source is important for people doing 'guix build --source'.

I agree too.
>
>> 2. When its value is a list of multiple licenses, it's files under
>>     different licenses (eg: lib/*.so under LGPL, while bin/* under GPL),
>>     or files under one license select from choices?
>>
>> My guess is that the license field is for source files since we can
>> disable binary substitutes, and list is used for files under different
>> licenses.
>>
>> Does my guess is correct?  Thank you!
>
> As answered in a reply to a patch, myself I go for 'files under
> different licenses' -- to me it seems hard to go wrong with 'just
> include all participating licenses' instead of trying to make a
> selection.
>
> However, keep in mind that sometimes a file is part licensed as, say,
> BSD(*), part as Expat, with modifications under the GPL -- to me it
> appears that for practical purposes you could consider such a thing to
> be 'effectively GPL', but that's not 100% accurate, as it appears
> required to preserve the BSD and Expat license text. (Such things can
> happen when incorporating code from other, differently-licensed,
> projects).
>
> (*) let's say without the advertising clause or whatever it was (IIRC
> and IIUC the original BSD was incompatible with the GPL?).
>
> If there's some consensus, I think it would be nice to clarify this
> matter in the manual.

Yes, after read
<https://www.gnu.org/licenses/license-compatibility.html> (Combining code),
I think we should list all licenses of sources files in the package's
license field.  

And for license choices, write in comments, since we lacking "OR", our
list of multiple license is same as "AND" in SPDX license expressions.

https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
https://wiki.spdx.org/view/FileNoticeExamples

Later, I think we can introduce a "OR" form for license field or use SPDX license
expressions directly.


In summary, I think our next steps are:

1. Clarify the license field is for sources and the list is for files
under multiple license (required to simultaneously comply with two or
more licenses) in our manual.

2. Consider extend the license field with "OR" form or use SPDX license
expressions.

3. Introduce some ways to show and check licenses for package's outputs.


What do you think?  Thanks for help!