[gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 2705 bytes --]

Hi,

TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
the former trigger QA warning asking the dev to double-check if it's
'GPL-2-only' or 'GPL-2+'.


GNU Licenses currently don't carry an upgrade clause -- instead, authors
are expected to decide whether they permit upgrade to newer versions of
the license in question, or require users to stick with their version of
choice.

Their decision is normally indicated in copyright notices on top
of source files.  Those that permit upgrade usually state 'either
version N of the License, or (at your option) any later version.', while
others remove the 'or...' or even replace with 'only' (sometimes
removing 'either', sometimes leaving it ;-)).

The truth is, many developers don't go that far to verify it.  Instead,
they usually look at 'COPYING' or 'LICENSE', read the version there
and put 'GPL-2', 'GPL-3' etc. in the ebuild.  It doesn't help that
GitHub does the same and shows the result as easy-to-read note on top of
repo.


For some time I've been reviewing packages I'm (co-)maintaining, as well
as proxy-maint submissions for this particular problem.  However,
surprisingly many projects actually go the 'version N only' route, even
in middle of environments that are 'N+' like Xfce.  As a result, I've
ended up rechecking the same packages over and over again to the point
of starting to add comments saying 'yes, this is GPL-2 only'.

I'd like to propose to employ a more systematic method of resolving this
problem.  I would like to add additional explicit 'GPL-n-only' licenses,
and discourage using short 'GPL-n' in favor of them.  The end result
would be three licenses per every version/variant, e.g.:

  GPL-2-only -- version 2 only
  GPL-2+     -- version 2 or newer
  GPL-2      -- might be either, audit necessary

The main idea is that we'd be able to easily find 'non-audited' packages
with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
after auditing.  While technically it would still be possible for people
to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
will help people notice that there actually is a deeper difference,
and it will still catch people who just type 'GPL-n' without looking
into the license directory.

For a start, I'd only go for adding the '-only' variants to the most
common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
FDL versions.  I don't think we need this for the long 'exception'
variants -- I suspect that if someone did research enough to notice
the exception, then most likely he would also notice the 'or newer'.


WDYT?

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Sat, Sep 21, 2019 at 9:09 AM Michał Górny <mgorny@gentoo.org> wrote:
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.

I think that's a good idea.

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Sat, Sep 21, 2019 at 9:57 AM Matt Turner <mattst88@gentoo.org> wrote:
>
> On Sat, Sep 21, 2019 at 9:09 AM Michał Górny <mgorny@gentoo.org> wrote:
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
>
> I think that's a good idea.

An idea to consider: use SPDX license identifiers (see
https://spdx.org/licenses/)

For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 606 bytes --]

>>>>> On Sun, 22 Sep 2019, Matt Turner wrote:

> An idea to consider: use SPDX license identifiers (see
> https://spdx.org/licenses/)

> For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"

Yeah, they have a history of using silly names. What does 2.0 mean?
There is no such version of the GPL, and with Gentoo versioning rules,
2 is not equal to 2.0.

Another funny thing is that they first introduced a "+" operator, but
then decided not to use it for the GPL family, but append "-or-later"
instead. (And IIUC, "GPL-2.0-only+" is valid in their scheme and
equivalent to "GPL-2.0-or-later".)

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Sat, Sep 21, 2019 at 4:46 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Sun, 22 Sep 2019, Matt Turner wrote:
>
> > An idea to consider: use SPDX license identifiers (see
> > https://spdx.org/licenses/)
>
> > For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"
>
> Yeah, they have a history of using silly names. What does 2.0 mean?
> There is no such version of the GPL, and with Gentoo versioning rules,
> 2 is not equal to 2.0.
>
> Another funny thing is that they first introduced a "+" operator, but
> then decided not to use it for the GPL family, but append "-or-later"
> instead. (And IIUC, "GPL-2.0-only+" is valid in their scheme and
> equivalent to "GPL-2.0-or-later".)

Yes, from the page I cited it seems that they decided that
differentiating with only a '+' character was a bad idea -- the exact
thing Michał is suggesting we stop doing.

> Release 3.0 replaced previous Identifiers for GNU licenses with more explicit Identifiers to reflect the "this version only" or "any later version" option specific to those licenses. As such, the previously used Identifiers for those licenses are deprecated as of v3.0.

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Sat, Sep 21, 2019 at 4:46 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Sun, 22 Sep 2019, Matt Turner wrote:
>
> > An idea to consider: use SPDX license identifiers (see
> > https://spdx.org/licenses/)
>
> > For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"
>
> Yeah, they have a history of using silly names. What does 2.0 mean?
> There is no such version of the GPL, and with Gentoo versioning rules,
> 2 is not equal to 2.0.

Just responding because the absurdity of this angers me, to be honest.
See if you notice anything funny about the URL:

    https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 535 bytes --]

>>>>> On Tue, 24 Sep 2019, Matt Turner wrote:

> Just responding because the absurdity of this angers me, to be honest.
> See if you notice anything funny about the URL:

>     https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

What do you mean? Should we localise it, because translations in other
languages exist? Sorry, but that's not going to happen.

(That said, we have few examples like "lha" where we have both the
original (Japanese) and an unofficial English translation. These are
in the same file, though.)

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Tue, Sep 24, 2019 at 12:13 AM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Tue, 24 Sep 2019, Matt Turner wrote:
>
> > Just responding because the absurdity of this angers me, to be honest.
> > See if you notice anything funny about the URL:
>
> >     https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
>
> What do you mean? Should we localise it, because translations in other
> languages exist? Sorry, but that's not going to happen.

No, I am pointing out that even the GNU project sometimes refers to
the license as GPL "2.0", which you seemed to object to SPDX doing.

[gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 307 bytes --]

>>>>> On Sat, 21 Sep 2019, Michał Górny wrote:

> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.

This has been discussed before. There is no such license as GPL-2-only.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 548 bytes --]

On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> 
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
> 
> This has been discussed before. There is no such license as GPL-2-only.

I am with ulm on this one.
We have GPL-2 and GPL-2+ in the tree. The way I read this,
LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 693 bytes --]

On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote:
> On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > > > > > > On Sat, 21 Sep 2019, Michał Górny wrote:
> > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > the former trigger QA warning asking the dev to double-check if it's
> > > 'GPL-2-only' or 'GPL-2+'.
> > 
> > This has been discussed before. There is no such license as GPL-2-only.
> 
> I am with ulm on this one.
> We have GPL-2 and GPL-2+ in the tree. The way I read this,
> LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.
> 

Have you read my original mail?

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 824 bytes --]

On Sat, Sep 21, 2019 at 09:57:25PM +0200, Michał Górny wrote:
> On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote:
> > On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > > > > > > > On Sat, 21 Sep 2019, Michał Górny wrote:
> > > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > > the former trigger QA warning asking the dev to double-check if it's
> > > > 'GPL-2-only' or 'GPL-2+'.
> > > 
> > > This has been discussed before. There is no such license as GPL-2-only.
> > 
> > I am with ulm on this one.
> > We have GPL-2 and GPL-2+ in the tree. The way I read this,
> > LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.
> > 
> 
> Have you read my original mail?

Yes, and I just did again, and my position is still the same.

William

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1293 bytes --]

On Sat, 2019-09-21 at 17:45 -0500, William Hubbs wrote:
> On Sat, Sep 21, 2019 at 09:57:25PM +0200, Michał Górny wrote:
> > On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote:
> > > On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > > > > > > > > On Sat, 21 Sep 2019, Michał Górny wrote:
> > > > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > > > the former trigger QA warning asking the dev to double-check if it's
> > > > > 'GPL-2-only' or 'GPL-2+'.
> > > > 
> > > > This has been discussed before. There is no such license as GPL-2-only.
> > > 
> > > I am with ulm on this one.
> > > We have GPL-2 and GPL-2+ in the tree. The way I read this,
> > > LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.
> > > 
> > 
> > Have you read my original mail?
> 
> Yes, and I just did again, and my position is still the same.
> 

I know what we have now and what it means.  The mail includes long
explanation why this doesn't work.  Repeating what we have now does not
bring any argument to the discussion, except for anger/demotivation
because it feels like you've completely ignored most of the mail
and just reject it on the basis of 'it's not what we have now'.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Jason Zaman]

On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> 
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
> 
> This has been discussed before. There is no such license as GPL-2-only.

Yes there is:
https://spdx.org/licenses/GPL-2.0-only.html
https://spdx.org/licenses/GPL-2.0-or-later.html

The "GPL-2.0" one is deprecated:
https://spdx.org/licenses/GPL-2.0.html

If SPDX moved to having two names "-only" and "-or-later" then we should
too.

-- Jason

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Mon, Sep 23, 2019 at 6:42 PM Jason Zaman <perfinion@gentoo.org> wrote:
>
> On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> >
> > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > the former trigger QA warning asking the dev to double-check if it's
> > > 'GPL-2-only' or 'GPL-2+'.
> >
> > This has been discussed before. There is no such license as GPL-2-only.
>
> Yes there is:
> https://spdx.org/licenses/GPL-2.0-only.html
> https://spdx.org/licenses/GPL-2.0-or-later.html

Just so everything is clear: Ulrich is just making an extremely
pedantic point that the there's no version of the GPL-2 license itself
with the "only" in it. Strange, now that I think about it I don't
remember a "GPL-2+" license either...

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1025 bytes --]

>>>>> On Tue, 24 Sep 2019, Jason Zaman wrote:

> The "GPL-2.0" one is deprecated:
> https://spdx.org/licenses/GPL-2.0.html

> If SPDX moved to having two names "-only" and "-or-later" then we
> should too.

The main problem is that we will always have licenses that are not in
their list. So if they add them later, chances are that we would have to
rename ours, forcing our users to update their ACCEPT_LICENSE variable
and possibly reinstall packages.

Generally, it is also not predictable what they will choose as an
identifier. For example, there is "BSD-2-Clause" but "0BSD". Sometimes
they stick with the upstream version (e.g. CDDL-1.0), sometimes they
invent their own (GPL-2.0-only), and sometimes they drop the version
altogether (WTFPL). In addition, they change their names, which would
make it even more difficult to catch up.

So, we can use SPDX as a guideline when adding _new_ licenses, but I
don't see any good reason for renaming existing ones. Especially when
the SPDX identifiers aren't stable.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Michael Orlitzky]

On 9/21/19 12:09 PM, Michał Górny wrote:
> Hi,
> 
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.
> 

This works only until people start putting

  LICENSE="GPL-2-only"

for things that they haven't sufficiently verified.

If we want to let those people keep committing to the tree, then a
specially-formatted comment might work just as well. It would be harder
to QA (you'd have to parse the comment and associate it with the
variable), but it would save us from having to rename the license every
few years to catch mistakes.

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1022 bytes --]

On Sat, 2019-09-21 at 15:56 -0400, Michael Orlitzky wrote:
> On 9/21/19 12:09 PM, Michał Górny wrote:
> > Hi,
> > 
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
> > 
> 
> This works only until people start putting
> 
>   LICENSE="GPL-2-only"
> 
> for things that they haven't sufficiently verified.
> 
> If we want to let those people keep committing to the tree, then a
> specially-formatted comment might work just as well. It would be harder
> to QA (you'd have to parse the comment and associate it with the
> variable), but it would save us from having to rename the license every
> few years to catch mistakes.

Honestly, do you believe having the choice of 'GPL-2' and 'GPL-2-only'
people would choose the latter without actually checking the difference?
Because the way I see it, choosing the former is much more likely.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Michael Orlitzky]

On 9/21/19 3:59 PM, Michał Górny wrote:
> 
> Honestly, do you believe having the choice of 'GPL-2' and 'GPL-2-only'
> people would choose the latter without actually checking the difference?

I've seen twenty people do ten stupider things in the last five minutes.

[gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1787 bytes --]

>>>>> On Sat, 21 Sep 2019, Michał Górny wrote:

> I'd like to propose to employ a more systematic method of resolving this
> problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using short 'GPL-n' in favor of them.  The end result
> would be three licenses per every version/variant, e.g.:

>   GPL-2-only -- version 2 only
>   GPL-2+     -- version 2 or newer
>   GPL-2      -- might be either, audit necessary

To elaborate a bit more on this: "GPL-2" already has that well defined
meaning that your proposed "GPL-2-only" has, namely that the package is
licensed under the GNU General Public License, version 2.

Presumably, your change would cause a long transition time, in which we
would have *three* variants for every GPL version (as well as LGPL,
AGPL, FDL), two of them with identical meaning. And after the transition
time, we would have "GPL-2-only" instead of "GPL-2", which is not only
longer but also not accurate.

Plus, it would result in paradoxical entries like "|| ( GPL-2-only
GPL-3-only )" for a package that can be distributed under GPL versions 2
or 3 but no later version.

If the goal of this exercise is to do an audit of ebuilds labelled as
"GPL-2", then a less intrusive approach (which I had already suggested
when this issue had last been discussed) would be to add a comment to
the LICENSE line, either saying "# GPL-2 only" for packages that have
been verified. Or the other way aroung, starting with a comment saying
that it is undecided, which would be removed after an audit. This would
have the advantage not to confuse users, and have no impact on their
ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
would have to add entries for AGPL-3-only.)

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Matt Turner]

On Sat, Sep 21, 2019 at 1:58 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
>
> > I'd like to propose to employ a more systematic method of resolving this
> > problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> > and discourage using short 'GPL-n' in favor of them.  The end result
> > would be three licenses per every version/variant, e.g.:
>
> >   GPL-2-only -- version 2 only
> >   GPL-2+     -- version 2 or newer
> >   GPL-2      -- might be either, audit necessary
>
> To elaborate a bit more on this: "GPL-2" already has that well defined
> meaning that your proposed "GPL-2-only" has, namely that the package is
> licensed under the GNU General Public License, version 2.

We are all aware. But the point is to explicitly put "-only" in the
LICENSE metadata so that ebuild authors are less likely to confuse
GPL-2 vs GPL-2+.

> Presumably, your change would cause a long transition time, in which we
> would have *three* variants for every GPL version (as well as LGPL,
> AGPL, FDL), two of them with identical meaning. And after the transition
> time, we would have "GPL-2-only" instead of "GPL-2", which is not only
> longer but also not accurate.

Sure, but who cares about a long transition time? We still have EAPI=0
ebuilds in tree -- and that's okay since we can quickly and easily
tell what hasn't been transitioned!

> Plus, it would result in paradoxical entries like "|| ( GPL-2-only
> GPL-3-only )" for a package that can be distributed under GPL versions 2
> or 3 but no later version.

That paradoxical entry is pretty clear to me.

> If the goal of this exercise is to do an audit of ebuilds labelled as
> "GPL-2", then a less intrusive approach (which I had already suggested
> when this issue had last been discussed) would be to add a comment to
> the LICENSE line, either saying "# GPL-2 only" for packages that have
> been verified. Or the other way aroung, starting with a comment saying
> that it is undecided, which would be removed after an audit. This would

It's not a one-time audit. Michał has a history of fixing things in
ways that does not allow the issue to return. I imagine that's what
he's doing here, and it would not surprise me at all if something
could be wired into CI to help ensure this.

> have the advantage not to confuse users, and have no impact on their
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
> would have to add entries for AGPL-3-only.)

Trivial concern solved with a news item.

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1374 bytes --]

>>>>> On Sun, 22 Sep 2019, Matt Turner wrote:

> We are all aware. But the point is to explicitly put "-only" in the
> LICENSE metadata so that ebuild authors are less likely to confuse
> GPL-2 vs GPL-2+.

I don't see how renaming could possibly help with that.

>> Plus, it would result in paradoxical entries like "|| ( GPL-2-only
>> GPL-3-only )" for a package that can be distributed under GPL
>> versions 2 or 3 but no later version.

> That paradoxical entry is pretty clear to me.

Not the same thing. "GPL-2-only+" might be clear as well, which doesn't
imply that it isn't paradoxical.

> It's not a one-time audit. Michał has a history of fixing things in
> ways that does not allow the issue to return. I imagine that's what
> he's doing here, and it would not surprise me at all if something
> could be wired into CI to help ensure this.

If it's not a one time audit, it implies that we will permanently have
three variants. This would be a lot of effort, for a tiny gain. After
all, there is absolutely no difference in ACCEPT_LICENSE filtering
between GPL-2 and GPL-2+.

> Trivial concern solved with a news item.

As I've said before, if the intent is to do a tree-wide audit, then
this should be done in a way that has no impact on users. For example,
by adding a comment, instead of changing the LICENSE variable.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 2456 bytes --]

On Sat, 21 Sep 2019 22:58:03 +0200
Ulrich Mueller <ulm@gentoo.org> wrote:

> If the goal of this exercise is to do an audit of ebuilds labelled as
> "GPL-2", then a less intrusive approach (which I had already suggested
> when this issue had last been discussed) would be to add a comment to
> the LICENSE line, either saying "# GPL-2 only" for packages that have
> been verified. Or the other way aroung, starting with a comment saying
> that it is undecided, which would be removed after an audit. This would
> have the advantage not to confuse users, and have no impact on their
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
> would have to add entries for AGPL-3-only.)

An adjuct idea: 

Given things like "License" can get changed by upstream, and is prone
to deviating from what we have in the ebuild, and given the only way to
automate testing that requires being unable to unpack the archive and
grep for various things ...

Maybe we instead should be considering a per-package file that
indicates some kind of audit trail?

< dev-qt/qtwebengine/audit >
------------
# audit_ident  aduit_param [....]
license 2019-09-22 5.12.5
------------

Where for example,  the license audit is: 

   @NAME: license
   @PARAMS: DATE VERSION
   @DESCRIPTION:
      Certify a UTC DATE and VERSION used as reference, that you explicitly
      and intentionally carefully reviewed upstreams sources against
      the LICENSE field, ensuring you used the appropriate license and
      combinations, for instance: ensuring you wrote "GPL-2" only when
      upstreams license clearly omits the "or later" clause, and using
      "GPL-2+" in where the clause is present.

Where you specify the version of the package at the time you carefully
audited it last.

At least that way, you can automate doing spot checks for license being
current and then yell at somebody to re-check it.

This seems like a more reliable approach than hoping the right value
was used and nothing has changed without anyone noticing in the interim.

And this tool could be used to expand the sort of scope of things QA
can check for, by ensuring that things that can't be checked
automatically, can at least have some sort of record indicating when
they were checked last (where git commit log will indicate who
performed the check)

Though there's lots of bikeshed potential here.

Just planting seeds :)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Richard Yao]

> On Sep 21, 2019, at 12:09 PM, Michał Górny <mgorny@gentoo.org> wrote:
> 
> Hi,
> 
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.
> 
> 
> GNU Licenses currently don't carry an upgrade clause -- instead, authors
> are expected to decide whether they permit upgrade to newer versions of
> the license in question, or require users to stick with their version of
> choice.
> 
> Their decision is normally indicated in copyright notices on top
> of source files.  Those that permit upgrade usually state 'either
> version N of the License, or (at your option) any later version.', while
> others remove the 'or...' or even replace with 'only' (sometimes
> removing 'either', sometimes leaving it ;-)).
> 
> The truth is, many developers don't go that far to verify it.  Instead,
> they usually look at 'COPYING' or 'LICENSE', read the version there
> and put 'GPL-2', 'GPL-3' etc. in the ebuild.  It doesn't help that
> GitHub does the same and shows the result as easy-to-read note on top of
> repo.
> 
> 
> For some time I've been reviewing packages I'm (co-)maintaining, as well
> as proxy-maint submissions for this particular problem.  However,
> surprisingly many projects actually go the 'version N only' route, even
> in middle of environments that are 'N+' like Xfce.  As a result, I've
> ended up rechecking the same packages over and over again to the point
> of starting to add comments saying 'yes, this is GPL-2 only'.
> 
> I'd like to propose to employ a more systematic method of resolving this
> problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using short 'GPL-n' in favor of them.  The end result
> would be three licenses per every version/variant, e.g.:
> 
>  GPL-2-only -- version 2 only
>  GPL-2+     -- version 2 or newer
>  GPL-2      -- might be either, audit necessary
> 
> The main idea is that we'd be able to easily find 'non-audited' packages
> with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
> after auditing.  While technically it would still be possible for people
> to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
> will help people notice that there actually is a deeper difference,
> and it will still catch people who just type 'GPL-n' without looking
> into the license directory.
My read of this and the comments is that it boils down to getting people to do the right thing and ensuring that they did. If anyone does not already understand this, we need to have a talk with them about it.

Also, for things like the Linux kernel where some files lack the or later version clause, this is going to end up with us doing GPL-2-only and GPL-2+ at the same time. Is this really what we want to do there?
> 
> 
> For a start, I'd only go for adding the '-only' variants to the most
> common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
> FDL versions.  I don't think we need this for the long 'exception'
> variants -- I suspect that if someone did research enough to notice
> the exception, then most likely he would also notice the 'or newer'.
> 
> 
> WDYT?
> 
> -- 
> Best regards,
> Michał Górny
>