From: 宋文武
To: Maxime Devos
Cc: guix-devel@gnu.org
Subject: Re: Clarify the license field of the package
Date: Mon, 29 Aug 2022 11:39:50 +0800
Message-ID: <87fshfd8ft.fsf@envs.net>
In-Reply-To: <446d3577-8137-8346-a87b-6453c999eb1c@telenet.be>

Maxime Devos writes:

> On 22-08-2022 11:02, 宋文武 wrote:
>
>> Hello list, I have some questions about the 'license' of a package,
>> currently defined as:
>>
>>   The license of the package; a value from ‘(guix licenses)’, or a
>>   list of such values.
>>
>> 1. It's the license of source files (guix build -S) or built binary
>> files?
>
> (If 'built binary files', I would include generated or copied
> documentation in the list. And icons, .desktop files, ..., I'm not
> restricting myself to _executable_ binaries here and also not to
> binaries that aren't sources as well.)

Sure, it should be clear what license any file has.  Below, I'd refer
to them as sources and outputs.

>
> Rarely, there is some weirdness where the source code is free
> (VSCodium?) but the official build has a non-free license
> (VSCode?). At least for that example, it doesn't apply to Guix though
> (because VSCodium is not packaged, and because with some rare
> exceptions we build from source).
>
> However, in my experience, in free software they almost always have
> the same license, so the distinction appears meaningless to me with
> the possible exception of build scripts and test files (including, but
> not limited to, test code).

There are 2 main cases in which the licenses of sources and outputs of
a package can be different:

1. statically linked binaries (e.g. golang, rust), leading to outputs
   having more licenses than the package's sources (should be all
   sources), see:
   https://artemis.sh/2022/08/21/this-program-is-illegally-packaged-in-14-distributions.html

2. unused sources, or licenses not propagated to outputs during the
   build (e.g. tests, build tools, source generators), leading to
   outputs having fewer licenses than sources.

I think this distinction will be important when we audit the license
compatibility issues for outputs, since we also distribute outputs via
substitutes.

>
> I think it should include the source files, as the license of the
> source is important for people doing 'guix build --source'.

I agree too.

>
>> 2. When its value is a list of multiple licenses, it's files under
>> different licenses (eg: lib/*.so under LGPL, while bin/* under GPL),
>> or files under one license select from choices?
>>
>> My guess is that the license field is for source files since we can
>> disable binary substitutes, and list is used for files under different
>> licenses.
>>
>> Does my guess is correct? Thank you!
>
> As answered in a reply to a patch, myself I go for 'files under
> different licenses' -- to me it seems hard to go wrong with 'just
> include all participating licenses' instead of trying to make a
> selection.
>
> However, keep in mind that sometimes a file is part licensed as, say,
> BSD(*), part as Expat, with modifications under the GPL -- to me it
> appears that for practical purposes you could consider such a thing to
> be 'effectively GPL', but that's not 100% accurate, as it appears
> required to preserve the BSD and Expat license text. (Such things can
> happen when incorporating code from other, differently-licensed,
> projects).
>
> (*) let's say without the advertising clause or whatever it was (IIRC
> and IIUC the original BSD was incompatible with the GPL?).
>
> If there's some consensus, I think it would be nice to clarify this
> matter in the manual.

Yes, after reading (Combining code), I think we should list all
licenses of source files in the package's license field.

And for license choices, write them in comments; since we lack "OR",
our list of multiple licenses is the same as "AND" in SPDX license
expressions.

https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
https://wiki.spdx.org/view/FileNoticeExamples

Later, I think we can introduce an "OR" form for the license field or
use SPDX license expressions directly.

In summary, I think our next steps are:

1. Clarify that the license field is for sources and that the list is
   for files under multiple licenses (required to simultaneously comply
   with two or more licenses) in our manual.

2. Consider extending the license field with an "OR" form or using SPDX
   license expressions.

3. Introduce some ways to show and check licenses for a package's
   outputs.

What do you think?  Thanks for the help!