From: Michał Górny
To: gentoo-dev
Cc: licenses@gentoo.org, qa
Subject: [gentoo-dev] [RFC] Solving the problem of huge number of wrong LICENSES=*GPL-[23]
Date: Sun, 26 Aug 2018 12:39:22 +0200
Message-ID: <1535279962.1066.24.camel@gentoo.org>

Hi,

It seems that we suffer from a major problem of developers wrongly attributing *GPL-[23] licenses to ebuilds, when the correct variant is *GPL-[23]+. In proxy-maint, every second new package with LICENSE=GPL-[23] is plain wrong.

I suspect part of the problem is that GitHub has poor man's license recognition that does not distinguish between 'vN only' and 'vN or newer' license variants, and similarly that a number of contributors don't bother checking the license beyond COPYING/README.

Another part of the problem is that we don't have a really good way of distinguishing verified correct uses of *GPL-[23]. So in the end, I end up verifying the same packages over and over again unless I remember that I've verified them.

Therefore, I would like to suggest the following:

1. introducing additional *-only licenses that explicitly indicate that a newer version is not allowed, e.g. GPL-2-only, LGPL-3-only etc.

2. annotating the unsuffixed licenses with a warning that they may mean either x-only or x+ due to frequent mistakes.

3. making repoman warn whenever a non-specific variant is used, telling developers to verify whether it's x-only or x+.

4. starting to migrate packages to x-only or x+ appropriately.

5. eventually, removing the non-specific licenses and making repoman error out with a clear explanation.

What do you think?
-- 
Best regards,
Michał Górny
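The warning from step 3 and the verification work the message describes (reading the actual license header rather than trusting GitHub's detection) can both be sketched in a few lines. The following is an added example written for this page; it is not Gentoo or repoman code. It assumes that the non-specific names follow the *GPL-[23] pattern from the message (the prefix set GPL/LGPL/AGPL and the optional ".1" minor version are assumptions), that explicit variants carry a "+" or "-only" suffix as the RFC proposes, and that a source header saying "any later version" means the "+" variant while a header naming a version without that clause means "-only". The license header texts below are constructed samples modelled on the standard GNU boilerplate.

```python
"""Flag non-specific *GPL-[23] LICENSE values and infer the intended variant
from a source file's license header. Added example, not Gentoo/repoman code."""
import re

# Unsuffixed names the RFC calls non-specific (GPL-2, LGPL-2.1, AGPL-3, ...).
# The prefix set and minor-version handling are assumptions for this example.
AMBIGUOUS_RE = re.compile(r"^(?:A|L)?GPL-[23](?:\.\d+)?$")
OR_LATER_RE = re.compile(r"^(?:A|L)?GPL-[23](?:\.\d+)?\+$")
ONLY_RE = re.compile(r"^(?:A|L)?GPL-[23](?:\.\d+)?-only$")

# Tokens that can appear in a LICENSE string but are not license names.
OPERATORS = {"||", "(", ")"}


def classify_license(token):
    """Return 'or-later', 'only', 'ambiguous' or 'other' for one license name."""
    if OR_LATER_RE.match(token):
        return "or-later"
    if ONLY_RE.match(token):
        return "only"
    if AMBIGUOUS_RE.match(token):
        return "ambiguous"
    return "other"


def check_license_var(value):
    """Return the non-specific *GPL-[23] names found in a LICENSE string.

    '||' groups and USE-conditional groups ('foo? ( ... )') are handled by
    skipping the operators and any token ending in '?'.
    """
    found = []
    for token in value.split():
        if token in OPERATORS or token.endswith("?"):
            continue
        if classify_license(token) == "ambiguous" and token not in found:
            found.append(token)
    return found


# Heuristics over the standard GNU license header wording (assumption).
FAMILY_RE = re.compile(
    r"GNU\s+(Affero\s+|Lesser\s+|Library\s+)?General\s+Public\s+License", re.I)
VERSION_RE = re.compile(r"\bversion\s+(\d(?:\.\d+)?)\b", re.I)
LATER_RE = re.compile(r"any\s+later\s+version", re.I)


def infer_variant_from_header(text):
    """Derive e.g. 'GPL-2+' or 'GPL-3-only' from a GPL-family license header.

    Returns None when no recognisable GNU GPL-family header with a version
    number is present; the caller should then check COPYING by hand.
    """
    family = FAMILY_RE.search(text)
    version = VERSION_RE.search(text)
    if not family or not version:
        return None
    qualifier = (family.group(1) or "").strip().lower()
    prefix = {"affero": "AGPL", "lesser": "LGPL", "library": "LGPL"}.get(qualifier, "GPL")
    suffix = "+" if LATER_RE.search(text) else "-only"
    return f"{prefix}-{version.group(1)}{suffix}"


# Constructed sample headers (modelled on the GNU boilerplate, not taken from
# any real package).
GPL2_PLUS_HEADER = """\
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
"""

GPL3_ONLY_HEADER = """\
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3 as
published by the Free Software Foundation.
"""

LGPL21_PLUS_HEADER = """\
This library is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or (at
your option) any later version.
"""

if __name__ == "__main__":
    for value in ("GPL-2", "|| ( GPL-2 LGPL-3+ ) MIT", "ssl? ( GPL-3 ) GPL-2-only"):
        print(f"LICENSE={value!r}: non-specific -> {check_license_var(value)}")
    for header in (GPL2_PLUS_HEADER, GPL3_ONLY_HEADER, LGPL21_PLUS_HEADER):
        print("header suggests", infer_variant_from_header(header))
```

The header heuristic deliberately returns None rather than guessing when it finds no version, since a header that names no version at all is a different case from "vN only" and still needs a human look at COPYING.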