From: Kent Fredric
To: gentoo-dev@lists.gentoo.org
Date: Sun, 22 Sep 2019 21:16:02 +1200
Subject: Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing
Message-ID: <20190922211602.3c31577a@katipo2.lan>

On Sat, 21 Sep 2019 22:58:03 +0200
Ulrich Mueller wrote:

> If the goal of this exercise is to do an audit of ebuilds labelled as
> "GPL-2", then a less intrusive approach (which I had already suggested
> when this issue had last been discussed) would be to add a comment to
> the LICENSE line, either saying "# GPL-2 only" for packages that have
> been verified. Or the other way around, starting with a comment saying
> that it is undecided, which would be removed after an audit. This would
> have the advantage not to confuse users, and have no impact on their
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
> would have to add entries for AGPL-3-only.)

An adjunct idea:

Given things like "License" can get changed by upstream, and is prone to
deviating from what we have in the ebuild, and given the only way to
automate testing that requires being unable to unpack the archive and
grep for various things ...

Maybe we instead should be considering a per-package file that indicates
some kind of audit trail?

< dev-qt/qtwebengine/audit >
------------
# audit_ident audit_param [....]
license 2019-09-22 5.12.5
------------

Where for example, the license audit is:

@NAME: license
@PARAMS: DATE VERSION
@DESCRIPTION: Certify a UTC DATE and VERSION used as reference, that you
explicitly and intentionally carefully reviewed upstream's sources
against the LICENSE field, ensuring you used the appropriate license and
combinations, for instance: ensuring you wrote "GPL-2" only when
upstream's license clearly omits the "or later" clause, and using
"GPL-2+" where the clause is present. Where you specify the version of
the package at the time you carefully audited it last.

At least that way, you can automate doing spot checks for license being
current and then yell at somebody to re-check it.

This seems like a more reliable approach than hoping the right value was
used and nothing has changed without anyone noticing in the interim.

And this tool could be used to expand the sort of scope of things QA can
check for, by ensuring that things that can't be checked automatically,
can at least have some sort of record indicating when they were checked
last (where git commit log will indicate who performed the check)

Though there's lots of bikeshed potential here.

Just planting seeds :)
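The spot-check tool sketched in the message above, as an added example that is not code from the thread, from Kent, or from any Gentoo project: it parses the proposed per-package `audit` file (the `# audit_ident audit_param [....]` header line and one `license DATE VERSION` record per audit) and reports packages whose recorded license audit is missing, malformed, older than a chosen age, or tied to a version that no longer matches the ebuild. The status vocabulary, the one-year default age, the plain string comparison of versions (any change in the audited version triggers a re-check; a real tool would use portage's version comparison) and the sample tree are all assumptions made for this example.

```python
"""Spot-check the per-package ``audit`` file proposed on gentoo-dev.

Added example, not code from the thread or from Gentoo.  Only the file
layout follows the message; every other choice below is an assumption.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuditRecord:
    ident: str      # audit type, e.g. "license"
    params: tuple   # raw parameters exactly as written in the file


def parse_audit(text):
    """Parse one ``audit`` file; '#' comments and blank lines are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        records.append(AuditRecord(fields[0], tuple(fields[1:])))
    return records


def check_license(records, current_version, today, max_age_days=365):
    """Return (status, reason) for the 'license' audit of one package.

    status is one of 'missing', 'malformed', 'stale-version',
    'stale-date' or 'ok'.  The last 'license' line is taken as the newest
    audit, and versions are compared as plain strings (both assumptions).
    """
    license_audits = [r for r in records if r.ident == "license"]
    if not license_audits:
        return "missing", "no license audit recorded"
    rec = license_audits[-1]
    if len(rec.params) != 2:
        return "malformed", f"expected DATE VERSION, got {rec.params}"
    try:
        audited = date.fromisoformat(rec.params[0])
    except ValueError:
        return "malformed", f"bad date {rec.params[0]!r}"
    if rec.params[1] != current_version:
        return "stale-version", f"audited {rec.params[1]}, ebuild is {current_version}"
    if (today - audited).days > max_age_days:
        return "stale-date", f"last audited {audited}, older than {max_age_days} days"
    return "ok", f"audited {audited} at {current_version}"


# Constructed sample tree: package -> (audit file text, current ebuild version).
SAMPLE_TREE = {
    "dev-qt/qtwebengine": (
        "# audit_ident audit_param [....]\nlicense 2019-09-22 5.12.5\n",
        "5.12.5",
    ),
    "app-misc/foo": (
        "# audit_ident audit_param [....]\nlicense 2019-09-22 1.0\n",
        "1.1",                      # bumped since the audit
    ),
    "app-misc/bar": ("# nothing audited yet\n", "2.0"),
    "app-misc/baz": ("license 2017-01-01 3.0\n", "3.0"),   # audit too old
}

# Constructed "today" so that the sample run is reproducible.
REFERENCE_DAY = date(2019, 9, 23)


def spot_check(tree, today=REFERENCE_DAY):
    """Run the license check over a whole tree -> {package: (status, reason)}."""
    return {pkg: check_license(parse_audit(text), ver, today)
            for pkg, (text, ver) in tree.items()}


if __name__ == "__main__":
    for pkg, (status, reason) in spot_check(SAMPLE_TREE).items():
        print(f"{status:14} {pkg}: {reason}")
```

In a real tree the current version would be taken from the ebuild file names in the package directory and the report would be fed to QA; the function boundaries above are meant to make that substitution a one-line change.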