* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
@ 2023-03-04 4:14 Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
` (2 more replies)
0 siblings, 3 replies; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-04 4:14 UTC (permalink / raw)
To: 61950; +Cc: Antero Mejr, ludo
* guix/lint.scm (check-copyleft, input->package, report-copyleft-violation,
linking-exception?, copyleft?): New procedures.
(%local-checkers): Add 'copyleft' checker.
* tests/lint.scm ("copyleft: incompatible copyleft input"): New tests.
* doc/guix.texi (Invoking guix lint): Mention it.
---
This new linter checks for copyleft license violations, where a copylefted
package is linked by a package with an incompatible license.
It found 2818 incompatible packages.
For example, GNU readline (GPL) is being linked by 71 permissively
licensed packages.
doc/guix.texi | 4 ++
guix/lint.scm | 109 +++++++++++++++++++++++++++++++++++++++++++++++++
tests/lint.scm | 10 +++++
3 files changed, 123 insertions(+)
diff --git a/doc/guix.texi b/doc/guix.texi
index 74658dbc86..be695967a2 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14723,6 +14723,10 @@ corresponding package. This aims to help migrate from the ``old input
style''. @xref{package Reference}, for more information on package
inputs and input styles. @xref{Invoking guix style}, on how to migrate
to the new style.
+
+@item copyleft
+Warn about packages with permissive licenses that are not compatible with
+the copyleft licenses of their dependencies.
@end table
The general syntax is:
diff --git a/guix/lint.scm b/guix/lint.scm
index 8e3976171f..30745b0930 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -40,6 +40,7 @@ (define-module (guix lint)
#:use-module (guix download)
#:use-module (guix ftp-client)
#:use-module (guix http-client)
+ #:use-module (guix licenses)
#:use-module (guix packages)
#:use-module (guix i18n)
#:use-module ((guix gexp)
@@ -108,6 +109,7 @@ (define-module (guix lint)
check-mirror-url
check-github-url
check-license
+ check-copyleft
check-vulnerabilities
check-for-updates
check-formatting
@@ -1451,6 +1453,12 @@ (define format
(with-store store
(do-check store))))
+
+\f
+;;;
+;;; Package licenses.
+;;;
+
(define (check-license package)
"Warn about type errors of the 'license' field of PACKAGE."
(match (package-license package)
@@ -1462,6 +1470,103 @@ (define (check-license package)
(make-warning package (G_ "invalid license field")
#:field 'license)))))
+(define (copyleft? licenses)
+ "Check if a list of licenses are copyleft."
+ (let ((lic (if (list? licenses) licenses (list licenses))))
+ (map (lambda (x)
+ (and (license? x) ;some license fields are not license objects
+ (member (license-name x)
+ '("AGPL 1" "AGPL 3" "AGPL 3+"
+ "CC-BY-SA 2.0" "CC-BY-SA 3.0" "CC-BY-SA 4.0"
+ "CeCILL" "copyleft-next"
+ "EUPL 1.1" "EUPL 1.2"
+ "GPL 1" "GPL 1+" "GPL 2" "GPL 2+" "GPL 3" "GPL 3+"
+ "Sleepycat"))
+ #t))
+ lic)))
+
+(define (linking-exception? package)
+ "Check if a package has a known copyleft linking exception or is not linked."
+ (and (member (package-name package)
+ '(;; linking exception
+ "classpath" "guile" "java-classpathx-servletapi" "icedtea"
+ "uwsgi"
+ ;; copyleft but not typically linked
+ "alsa-utils" "acpi" "acpica" "audit"
+ "bash" "bash-completion" "bash-minimal" "bash-static" "bc"
+ "bluez" "binutils" "bison" "btrfs-progs"
+ "catdoc" "cdparanoia" "colord" "colord-minimal" "coreutils"
+ "coreutils-minimal" "cpuid" "cpupower" "cryptsetup"
+ "dbus" "dbus-glib" "diffutils" "dmidecode" "dmraid" "dnsmasq"
+ "dosfstools" "dpkg"
+ "ebtables" "edac-utils" "egawk-next" "efibootmgr" "espeak"
+ "espeak-ng" "ethtool" "eudev"
+ "fcitx" "ffmpeg" "findutils" "fontforge"
+ "gawk" "gawk-mpfr" "geoclue" "gettext" "gettext-minimal"
+ "ghostscript" "git" "git-minimal" "gjs" "gnupg" "gnome-desktop"
+ "gpart" "gperf" "gpm" "grep" "groff" "gzip"
+ "hddtemp" "hwinfo" "kbd" "kexec-tools" "kmod"
+ "less" "lm-sensors" "lzip"
+ "i2c-tools" "inetutils" "inxi" "inxi-minimal" "iproute2"
+ "iptables" "iso-codes"
+ "m4" "make" "mariadb" "mawk" "mcelog" "mdadm" "memtester"
+ "miscfiles" "modem-manager" "module-init-tools" "mpv" "mysql"
+ "ndctl" "net-tools" "netcat" "nvme-cli"
+ "pandoc" "parted" "password-store" "pciutils" "perl"
+ "pkg-config" "postgresql" "procps" "psmisc" "pulseaudio"
+ "qemu" "qemu-minimal" "ragel" "rpm" "rsync"
+ "samba" "sane-backends" "sbc" "scummvm" "sed"
+ "shared-mime-info" "shepherd" "smartmontools" "socat"
+ "squashfs-tools" "sysstat"
+ "tar" "time" "torsocks"
+ "upower" "usbutils" "util-linux"
+ "valgrind" "vidstab" "volume-key"
+ "wget" "which" "wl-clipboard" "yelp" "xclip"
+ "linux-libre-headers" "gnumach-headers" "hurd-headers"
+ "gcc" "gcc-toolchain" "gfortran" "clang-toolchain"
+ "ld-wrapper" "ld.lld-wrapper" "lld-wrapper"))
+ #t))
+
+(define (report-copyleft-violation package input-name)
+ "Report information about a copyleft license violation."
+ (make-warning package
+ (G_ "The license of input ~a is copyleft, but the license \
+of package ~a is permissive.")
+ (list input-name (package-name package))
+ #:field 'license))
+
+(define (input->package input)
+ "Convert a package input into a package if possible."
+ (if (list? input)
+ (cadr input)
+ #f))
+
+(define (check-copyleft package)
+ "Check that PACKAGE does not violate copyleft licenses of its inputs."
+ ;; Assumes all copyleft licenses are compatible, which is true for now
+ (let* ((pkg-copyleft (member #t (copyleft? (package-license package)))))
+ (apply append
+ (map (lambda (input)
+ (let ((input-copyleft
+ ;; if any license is permissive, the input is.
+ ;; be lenient here to avoid false positives
+ (not (member #f (copyleft? (package-license input))))))
+ (if (and input-copyleft
+ (not pkg-copyleft)
+ (not (linking-exception? input)))
+ (list (report-copyleft-violation package
+ (package-name input)))
+ '())))
+ (filter package?
+ (map input->package
+ (append (package-inputs package)
+ (package-propagated-inputs package))))))))
+
+\f
+;;;
+;;; Vulnerabilities and updates.
+;;;
+
(define (current-vulnerabilities*)
"Like 'current-vulnerabilities', but return the empty list upon networking
or HTTP errors. This allows network-less operation and makes problems with
@@ -1885,6 +1990,10 @@ (define %local-checkers
(description "Make sure the 'license' field is a <license> \
or a list thereof")
(check check-license))
+ (lint-checker
+ (name 'copyleft)
+ (description "Check for copyleft license violations")
+ (check check-copyleft))
(lint-checker
(name 'optional-tests)
(description "Make sure tests are only run when requested")
diff --git a/tests/lint.scm b/tests/lint.scm
index ce22e2355a..1ae64510b6 100644
--- a/tests/lint.scm
+++ b/tests/lint.scm
@@ -40,6 +40,7 @@ (define-module (test-lint)
#:use-module (guix build-system emacs)
#:use-module (guix build-system gnu)
#:use-module (guix packages)
+ #:use-module ((guix licenses) #:prefix license:)
#:use-module (guix lint)
#:use-module (guix ui)
#:use-module (guix swh)
@@ -51,6 +52,7 @@ (define-module (test-lint)
#:use-module (gnu packages glib)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python-build)
+ #:use-module (gnu packages readline)
#:use-module ((gnu packages bash) #:select (bash bash-minimal))
#:use-module (web uri)
#:use-module (web server)
@@ -665,6 +667,14 @@ (define hsab (string-append (assoc-ref inputs "hsab")
(single-lint-warning-message
(check-license (dummy-package "x" (license #f)))))
+(test-equal "copyleft: incompatible copyleft input"
+ "The license of input readline is copyleft, but the license of package x is permissive."
+ (single-lint-warning-message
+ (check-copyleft
+ (dummy-package "x"
+ (inputs `(("readline" ,readline)))
+ (license license:bsd-3)))))
+
(test-equal "home-page: wrong home-page"
"invalid value for home page"
(let ((pkg (package
--
2.38.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license.
2023-03-04 4:14 [bug#61950] [PATCH] lint: Add 'copyleft' checker Antero Mejr via Guix-patches via
@ 2023-03-04 4:22 ` Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license Antero Mejr via Guix-patches via
` (2 more replies)
2023-03-06 15:53 ` [bug#61950] [PATCH] lint: Add 'copyleft' checker Ludovic Courtès
2023-03-06 18:56 ` [bug#61950] [PATCH] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
2 siblings, 3 replies; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-04 4:22 UTC (permalink / raw)
To: 61950; +Cc: Antero Mejr, me
* gnu/packages/pulseaudio.scm (libsndfile)[license]: Change to lgpl2.1+.
---
Updating package licenses to avoid false positives.
gnu/packages/pulseaudio.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 75aca3d700..aff864eb99 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -119,7 +119,7 @@ (define-public libsndfile
as big-endian processor systems such as Motorola 68k, Power PC, MIPS and
SPARC. Hopefully the design of the library will also make it easy to extend
for reading and writing new sound file formats.")
- (license l:gpl2+)))
+ (license l:lgpl2.1+)))
(define-public libsamplerate
(package
--
2.38.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license.
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
@ 2023-03-04 4:22 ` Antero Mejr via Guix-patches via
2023-03-06 16:49 ` Leo Famulari
2023-03-04 4:22 ` [bug#61950] [PATCH 3/3] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
2023-03-06 16:49 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Leo Famulari
2 siblings, 1 reply; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-04 4:22 UTC (permalink / raw)
To: 61950; +Cc: Antero Mejr, me
* gnu/packages/linux.scm (libcap)[license]: Add bsd-3.
---
gnu/packages/linux.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 3ca2a79666..9f5a2fd84f 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3201,7 +3201,7 @@ (define-public libcap
Linux-based operating systems.")
;; License is BSD-3 or GPLv2, at the user's choice.
- (license license:gpl2)))
+ (license (list license:bsd-3 license:gpl2))))
(define-public bridge-utils
(package
--
2.38.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH 3/3] gnu: nettle-2: Add lgpl3+ to licenses.
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license Antero Mejr via Guix-patches via
@ 2023-03-04 4:22 ` Antero Mejr via Guix-patches via
2023-03-06 16:50 ` Leo Famulari
2023-03-06 16:49 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Leo Famulari
2 siblings, 1 reply; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-04 4:22 UTC (permalink / raw)
To: 61950; +Cc: Antero Mejr, me
* gnu/packages/nettle.scm (nettle-2)[license]: Add lgpl3+.
---
gnu/packages/nettle.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index ea26ba3b2d..ee2ea7487e 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -77,7 +77,7 @@ (define-public nettle-2
fit in easily in almost any context. It can be easily included in
cryptographic toolkits for object-oriented languages or in applications
themselves.")
- (license gpl2+)))
+ (license (list lgpl3+ gpl2+))))
(define-public nettle
;; This version is not API-compatible with version 2. In particular, lsh
--
2.38.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
2023-03-04 4:14 [bug#61950] [PATCH] lint: Add 'copyleft' checker Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
@ 2023-03-06 15:53 ` Ludovic Courtès
2023-03-06 16:21 ` Antero Mejr via Guix-patches via
2023-03-06 16:45 ` [bug#61950] " Leo Famulari
2023-03-06 18:56 ` [bug#61950] [PATCH] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
2 siblings, 2 replies; 16+ messages in thread
From: Ludovic Courtès @ 2023-03-06 15:53 UTC (permalink / raw)
To: Antero Mejr; +Cc: 61950
Hello!
Antero Mejr <antero@mailbox.org> skribis:
> * guix/lint.scm (check-copyleft, input->package, report-copyleft-violation,
> linking-exception?, copyleft?): New procedures.
> (%local-checkers): Add 'copyleft' checker.
> * tests/lint.scm ("copyleft: incompatible copyleft input"): New tests.
> * doc/guix.texi (Invoking guix lint): Mention it.
> ---
> This new linter checks for copyleft license violations, where a copylefted
> package is linked by a package with an incompatible license.
> It found 2818 incompatible packages.
> For example, GNU readline (GPL) is being linked by 71 permissively
> licensed packages.
I’m skeptical for a couple of reasons:
1. It’s entirely fine for, say, a BSD-3 package to link against
Readline (GPLv3+). The combination is effectively GPLv3+, but
that’s perfectly valid legally speaking.
2. It’s tempting to view devise a “licensing calculus” of sorts and
automate assessments of licensing compatibility. However, I think
it’s overestimating both law and our own licensing annotations: how
law applies in a specific case isn’t entirely clear until one goes
to court, and our ‘license’ fields fail to represent all the
relevant nuances anyway (subcomponents having different licenses,
dual/multiple licensing, etc.).
But really, #1 is the main point here.
WDYT?
Ludo’.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
2023-03-06 15:53 ` [bug#61950] [PATCH] lint: Add 'copyleft' checker Ludovic Courtès
@ 2023-03-06 16:21 ` Antero Mejr via Guix-patches via
2023-03-06 22:38 ` Ludovic Courtès
2023-03-22 2:48 ` Maxim Cournoyer
2023-03-06 16:45 ` [bug#61950] " Leo Famulari
1 sibling, 2 replies; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-06 16:21 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 61950, Antero Mejr
Ludovic Courtès <ludo@gnu.org> writes:
> 1. It’s entirely fine for, say, a BSD-3 package to link against
> Readline (GPLv3+). The combination is effectively GPLv3+, but
> that’s perfectly valid legally speaking.
It's fine for FOSS packages, but if you have proprietary-licensed Guix
package where the code can't be open-sourced, bringing in a GPL
dependency is an issue.
This copyleft linter goes along with the other patch where guix lint
exits 1. So you can do something like this in a CI pipeline:
'guix lint -c copyleft my-proprietary-package'
to block developers from adding copyleft dependencies to a non-free package.
> 2. It’s tempting to view devise a “licensing calculus” of sorts and
> automate assessments of licensing compatibility. However, I think
> it’s overestimating both law and our own licensing annotations: how
> law applies in a specific case isn’t entirely clear until one goes
> to court, and our ‘license’ fields fail to represent all the
> relevant nuances anyway (subcomponents having different licenses,
> dual/multiple licensing, etc.).
True, this linter check is basic and would not constitute legal advice.
It's more of a broad "software license auditing" sort of thing,
to allow engineers to do quick compliance checks. In my experience
it's useful for development in regulated applications of software.
Thanks for the feedback, lmk what you think.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
2023-03-06 15:53 ` [bug#61950] [PATCH] lint: Add 'copyleft' checker Ludovic Courtès
2023-03-06 16:21 ` Antero Mejr via Guix-patches via
@ 2023-03-06 16:45 ` Leo Famulari
1 sibling, 0 replies; 16+ messages in thread
From: Leo Famulari @ 2023-03-06 16:45 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 61950, Antero Mejr
On Mon, Mar 06, 2023 at 04:53:40PM +0100, Ludovic Courtès wrote:
> 2. It’s tempting to view devise a “licensing calculus” of sorts and
> automate assessments of licensing compatibility. However, I think
> it’s overestimating both law and our own licensing annotations: how
> law applies in a specific case isn’t entirely clear until one goes
> to court, and our ‘license’ fields fail to represent all the
> relevant nuances anyway (subcomponents having different licenses,
> dual/multiple licensing, etc.).
I emphasize this point. We should not overestimate our understanding of
free / open-source software licensing. The territory is uncharted and
largely untested in the courts.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license.
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 3/3] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
@ 2023-03-06 16:49 ` Leo Famulari
2 siblings, 0 replies; 16+ messages in thread
From: Leo Famulari @ 2023-03-06 16:49 UTC (permalink / raw)
To: 61950; +Cc: me, antero
On Sat, Mar 04, 2023 at 04:22:28AM +0000, Antero Mejr via Guix-patches via wrote:
> * gnu/packages/pulseaudio.scm (libsndfile)[license]: Change to lgpl2.1+.
Double-checked and pushed as 9c69b322ea85163a2bf9266bffb7edc3dbbc59ab
Thanks!
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license.
2023-03-04 4:22 ` [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license Antero Mejr via Guix-patches via
@ 2023-03-06 16:49 ` Leo Famulari
0 siblings, 0 replies; 16+ messages in thread
From: Leo Famulari @ 2023-03-06 16:49 UTC (permalink / raw)
To: 61950; +Cc: me, antero
On Sat, Mar 04, 2023 at 04:22:29AM +0000, Antero Mejr via Guix-patches via wrote:
> * gnu/packages/linux.scm (libcap)[license]: Add bsd-3.
Double-checked and pushed as e8c25e389dc90b5dc941ba039ccf1e25cacbc6ab
Thanks!
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH 3/3] gnu: nettle-2: Add lgpl3+ to licenses.
2023-03-04 4:22 ` [bug#61950] [PATCH 3/3] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
@ 2023-03-06 16:50 ` Leo Famulari
0 siblings, 0 replies; 16+ messages in thread
From: Leo Famulari @ 2023-03-06 16:50 UTC (permalink / raw)
To: 61950; +Cc: me, antero
On Sat, Mar 04, 2023 at 04:22:30AM +0000, Antero Mejr via Guix-patches via wrote:
> * gnu/packages/nettle.scm (nettle-2)[license]: Add lgpl3+.
> - (license gpl2+)))
> + (license (list lgpl3+ gpl2+))))
When listing more than one license, please add a code comment explaining
why there are multiple licenses. Can you send a revised patch?
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] gnu: nettle-2: Add lgpl3+ to licenses.
2023-03-04 4:14 [bug#61950] [PATCH] lint: Add 'copyleft' checker Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
2023-03-06 15:53 ` [bug#61950] [PATCH] lint: Add 'copyleft' checker Ludovic Courtès
@ 2023-03-06 18:56 ` Antero Mejr via Guix-patches via
2023-03-06 21:20 ` Leo Famulari
2 siblings, 1 reply; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-06 18:56 UTC (permalink / raw)
To: 61950; +Cc: Antero Mejr, me, leo
* gnu/packages/nettle.scm (nettle-2)[license]: Add lgpl3+.
---
Revised patch with additional license information.
gnu/packages/nettle.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index ea26ba3b2d..131da1f329 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -77,7 +77,8 @@ (define-public nettle-2
fit in easily in almost any context. It can be easily included in
cryptographic toolkits for object-oriented languages or in applications
themselves.")
- (license gpl2+)))
+ (license (list lgpl3+ ;dual licensed, see COPYING.LIB/COPYING.LESSERv3 file
+ gpl2+)))) ;COPYING, renamed to COPYINGv2 in later versions
(define-public nettle
;; This version is not API-compatible with version 2. In particular, lsh
--
2.38.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] gnu: nettle-2: Add lgpl3+ to licenses.
2023-03-06 18:56 ` [bug#61950] [PATCH] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
@ 2023-03-06 21:20 ` Leo Famulari
0 siblings, 0 replies; 16+ messages in thread
From: Leo Famulari @ 2023-03-06 21:20 UTC (permalink / raw)
To: Antero Mejr; +Cc: 61950, me
On Mon, Mar 06, 2023 at 06:56:03PM +0000, Antero Mejr wrote:
> - (license gpl2+)))
> + (license (list lgpl3+ ;dual licensed, see COPYING.LIB/COPYING.LESSERv3 file
> + gpl2+)))) ;COPYING, renamed to COPYINGv2 in later versions
I don't understand the comment.
What is 'COPYING.LIB'? That file doesn't exist in the source code of
nettle 3.7.3.
Are users free to choose a license? Do they apply to different use
cases? Where do the Nettle authors explain the licensing?
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
2023-03-06 16:21 ` Antero Mejr via Guix-patches via
@ 2023-03-06 22:38 ` Ludovic Courtès
2023-03-22 2:48 ` Maxim Cournoyer
1 sibling, 0 replies; 16+ messages in thread
From: Ludovic Courtès @ 2023-03-06 22:38 UTC (permalink / raw)
To: Antero Mejr; +Cc: 61950
Antero Mejr <antero@mailbox.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> 1. It’s entirely fine for, say, a BSD-3 package to link against
>> Readline (GPLv3+). The combination is effectively GPLv3+, but
>> that’s perfectly valid legally speaking.
>
> It's fine for FOSS packages, but if you have proprietary-licensed Guix
> package where the code can't be open-sourced, bringing in a GPL
> dependency is an issue.
Maybe, but it’s not an issue for the Guix project. :-)
> This copyleft linter goes along with the other patch where guix lint
> exits 1. So you can do something like this in a CI pipeline:
>
> 'guix lint -c copyleft my-proprietary-package'
>
> to block developers from adding copyleft dependencies to a non-free package.
I recommend having this out-of-tree. If it helps, changing ‘guix lint’
to it can discover new “checkers”, using (guix discovery), might be okay.
>> 2. It’s tempting to view devise a “licensing calculus” of sorts and
>> automate assessments of licensing compatibility. However, I think
>> it’s overestimating both law and our own licensing annotations: how
>> law applies in a specific case isn’t entirely clear until one goes
>> to court, and our ‘license’ fields fail to represent all the
>> relevant nuances anyway (subcomponents having different licenses,
>> dual/multiple licensing, etc.).
>
> True, this linter check is basic and would not constitute legal advice.
>
> It's more of a broad "software license auditing" sort of thing,
> to allow engineers to do quick compliance checks. In my experience
> it's useful for development in regulated applications of software.
>
> Thanks for the feedback, lmk what you think.
Thanks for explaining. I think I understand the need now but (1) I
think this need is outside the scope of Guix, and (2) I remain wary of
conclusions drawn from automated ‘license’ field inspection.
I hope that makes sense!
Ludo’.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
2023-03-06 16:21 ` Antero Mejr via Guix-patches via
2023-03-06 22:38 ` Ludovic Courtès
@ 2023-03-22 2:48 ` Maxim Cournoyer
2023-03-22 21:56 ` Antero Mejr via Guix-patches via
1 sibling, 1 reply; 16+ messages in thread
From: Maxim Cournoyer @ 2023-03-22 2:48 UTC (permalink / raw)
To: Antero Mejr; +Cc: 61950, Ludovic Courtès
Hello Antero,
Antero Mejr <antero@mailbox.org> writes:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> 1. It’s entirely fine for, say, a BSD-3 package to link against
>> Readline (GPLv3+). The combination is effectively GPLv3+, but
>> that’s perfectly valid legally speaking.
>
> It's fine for FOSS packages, but if you have proprietary-licensed Guix
> package where the code can't be open-sourced, bringing in a GPL
> dependency is an issue.
>
> This copyleft linter goes along with the other patch where guix lint
> exits 1. So you can do something like this in a CI pipeline:
>
> 'guix lint -c copyleft my-proprietary-package'
>
> to block developers from adding copyleft dependencies to a non-free package.
I think that goes against the spirit of the GNU project: it's a tool
that helps finding licensing concerns for proprietary software, with the
end goal of weeding out GPL components. We may be better off if no such
tool exists and more companies embrace the idea that is GPL instead of
helping them spot GPL dependencies so they can rewrite them under some
non-copyleft license.
>> 2. It’s tempting to view devise a “licensing calculus” of sorts and
>> automate assessments of licensing compatibility. However, I think
>> it’s overestimating both law and our own licensing annotations: how
>> law applies in a specific case isn’t entirely clear until one goes
>> to court, and our ‘license’ fields fail to represent all the
>> relevant nuances anyway (subcomponents having different licenses,
>> dual/multiple licensing, etc.).
>
> True, this linter check is basic and would not constitute legal advice.
>
> It's more of a broad "software license auditing" sort of thing,
> to allow engineers to do quick compliance checks. In my experience
> it's useful for development in regulated applications of software.
>
> Thanks for the feedback, lmk what you think.
I think I'd rather not see this tool in Guix, but I think it could live
happily as a channel or as an extension.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#61950] [PATCH] lint: Add 'copyleft' checker.
2023-03-22 2:48 ` Maxim Cournoyer
@ 2023-03-22 21:56 ` Antero Mejr via Guix-patches via
2023-03-23 2:48 ` bug#61950: " Maxim Cournoyer
0 siblings, 1 reply; 16+ messages in thread
From: Antero Mejr via Guix-patches via @ 2023-03-22 21:56 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 61950, Ludovic Courtès
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> I think that goes against the spirit of the GNU project: it's a tool
> that helps finding licensing concerns for proprietary software, with the
> end goal of weeding out GPL components.
I see this completely differently: this is a harm-reduction tool for
those who would violate GPL, possibly unknowingly. By adding compliance
auditing abilities to Guix, developers can avoid that.
> I think I'd rather not see this tool in Guix, but I think it could live
> happily as a channel or as an extension.
Yes I am making this patch (and a couple other compliance features) into
Guix extensions out-of-tree. I would like to upstream the extensions as
a package when they are ready, since the extensions would be FOSS. So I
think this issue can be closed.
> We may be better off if no such
> tool exists and more companies embrace the idea that is GPL instead of
> helping them spot GPL dependencies so they can rewrite them under some
> non-copyleft license.
Making companies rewrite GPL software is a good thing. It forces them to
pay programmers, then those programmers can contribute to Guix in the
evenings :-). Not many people can work on open source full-time,
unfortunately. That said I understand the concerns with merging this
patch, thank you both for taking the time to look at it.
^ permalink raw reply [flat|nested] 16+ messages in thread
* bug#61950: [PATCH] lint: Add 'copyleft' checker.
2023-03-22 21:56 ` Antero Mejr via Guix-patches via
@ 2023-03-23 2:48 ` Maxim Cournoyer
0 siblings, 0 replies; 16+ messages in thread
From: Maxim Cournoyer @ 2023-03-23 2:48 UTC (permalink / raw)
To: Antero Mejr; +Cc: 61950-done, Ludovic Courtès
Hey,
Antero Mejr <antero@mailbox.org> writes:
[...]
> Making companies rewrite GPL software is a good thing. It forces them to
> pay programmers, then those programmers can contribute to Guix in the
> evenings :-). Not many people can work on open source full-time,
> unfortunately. That said I understand the concerns with merging this
> patch, thank you both for taking the time to look at it.
OK; I'm thus closing this issue, thanks for sharing this endeavor with
us!
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2023-03-23 2:49 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-03-04 4:14 [bug#61950] [PATCH] lint: Add 'copyleft' checker Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Antero Mejr via Guix-patches via
2023-03-04 4:22 ` [bug#61950] [PATCH 2/3] gnu: libcap: Add bsd-3 license Antero Mejr via Guix-patches via
2023-03-06 16:49 ` Leo Famulari
2023-03-04 4:22 ` [bug#61950] [PATCH 3/3] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
2023-03-06 16:50 ` Leo Famulari
2023-03-06 16:49 ` [bug#61950] [PATCH 1/3] gnu: libsndfile: Correct license Leo Famulari
2023-03-06 15:53 ` [bug#61950] [PATCH] lint: Add 'copyleft' checker Ludovic Courtès
2023-03-06 16:21 ` Antero Mejr via Guix-patches via
2023-03-06 22:38 ` Ludovic Courtès
2023-03-22 2:48 ` Maxim Cournoyer
2023-03-22 21:56 ` Antero Mejr via Guix-patches via
2023-03-23 2:48 ` bug#61950: " Maxim Cournoyer
2023-03-06 16:45 ` [bug#61950] " Leo Famulari
2023-03-06 18:56 ` [bug#61950] [PATCH] gnu: nettle-2: Add lgpl3+ to licenses Antero Mejr via Guix-patches via
2023-03-06 21:20 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).