Thomas Danckaert writes: > Marius Bakke writes: > >> Could you mention which files, since it's only three? I also think >> listing both lgpl2.1+ and lgpl3+ is redundant; if these source files >> interact in some way the result is effectively lgpl3+. If the LGPL2.1+ >> code is what is installed, I would pick that since it implies LGPL3+. > > The files are source/util.{h,c} (lgpl2.1+), and source/cifs_spnego.h > (lgpl3+), I'll add that in a comment. > > About the lgpl2.1+ vs lgpl3+ thing, I'm a bit confused about what we > actually want to communicate with the license field (and probably about > license issues in general). As far as I know, all code (lgpl2.1+ and > lgpl3+ files) is installed (compiled). Because the rest of the code is > GPL3+, I think a linked binary (e.g. a substitute from hydra) can only > be distributed as GPL3+? In addition to that, there are 3 source files, > which can are individually licensed as LGPL2.1+ and LGPL3+, which why we > specify a list of licenses, I thought? In that case I don't really > understand why mentioning only lgpl2.1+ would be sufficient (lgpl3+ is > more strict?). I had a short discussion with Ludo over this in #26256[0]. The consensus is that the "license" field should communicate the terms of the end result, i.e. what the user installs. Often a package will install some executable files with a GPL3+ license which are using some library files that are LGPL3+, then both of those should be mentioned. This becomes complicated when there are a mix of licenses as in this case. Then we have to look at which files are using which to determine what applies to the output. In this case, none of the LGPL code appear to be installed on its own. Most of the source is either GPL2+ or GPL3+. So, I would argue that GPL3+ alone is what applies to this package, since it "wins" over LGPL and GPL2 by being stricter. Hope this helps! [0] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26256#86