On Thu, Sep 12, 2019 at 8:46 AM William Hubbs wrote:

> On Wed, Sep 11, 2019 at 05:05:50PM -0700, Alec Warner wrote:
> > On Wed, Sep 11, 2019 at 4:48 PM William Hubbs wrote:
> >
> > > On Wed, Sep 11, 2019 at 04:34:27PM -0700, Alec Warner wrote:
> > > > On Wed, Sep 11, 2019 at 10:39 AM Michael Orlitzky wrote:
> > > >
> > > > > On 9/11/19 1:21 PM, William Hubbs wrote:
> > > > > > +++ b/dev-vcs/hub/hub-2.12.3.ebuild
> > > > > > ...
> > > > > >
> > > > > > LICENSE="MIT"
> > > > >
> > > > > This license is wrong, as it's pretty much guaranteed to be every time
> > > > > you commit one of these packages. I find it pretty troubling that one
> > > > > corporation is able to force this stuff through even though it's a
> > > > > security and legal hazard for everyone else.
> > > >
> > > > How is it wrong?
> > > >
> > > > https://github.com/github/hub/blob/master/LICENSE
> > >
> > > The argument is that because of the vendoring, LICENSE= needs to list
> > > all licenses for the vendored dependencies that are different from MIT
> > > as well.
> >
> > I see, I tend to believe that argument in that case.
> >
> > > Personally I don't have a comment about this, but that's what is being
> > > pushed for. I'll let you guys debate this but it isn't really relevant
> > > to the eclass. ;-)
> >
> > I think it's difficult to put instructions in the eclass like:
> >
> > +# $ cd /my/clone/of/upstream
> > +# $ git checkout
> > +# $ go mod vendor
> > +# $ tar cvf project-version-vendor.tar.gz vendor
> >
> > And then not mention this fairly easy trap (it's so easy to fall into you
> > did it twice.)
>
> In the case of hub, I didn't make a vendor tarball because upstream does
> the vendoring, so I don't see how these two things are related.
>
> In other words, the way I see this is a tree-wide issue. LICENSE= for
> any package should list every license for every package it links to or
> uses.

So for packages managed by portage this is true by recursion.

A -> B -> C
A_LICENSE: [GPL-2], B_LICENSE: [MIT], C_LICENSE: [BSD]

So to install A we have to install [A,B,C] and accept licenses [GPL-2, MIT, BSD]. Presumably if ACCEPT_LICENSE was set to "-*" you would be forced to actually accept each of these individually; but the default is @OSI_APPROVED or similar, which contains many common OSS licenses.

If you bundle a bunch of stuff in package C and don't bother to set the LICENSE variable, this is no longer true; I suspect this is why people are complaining.

I don't think we are asking you to do extra work. Current practice is to add dependencies as other packages (with their own LICENSE variable.) Your scheme doesn't do this (saving you work), it bundles the dependencies instead. This means to be equivalent to existing practice the LICENSE should contain the licenses for the bundles as well.

-A

> William
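The two situations Alec contrasts, as an added example that is not part of the thread and not Gentoo's or portage's own code: for ordinary packages the set of licenses a user accepts is the union over the transitive dependency closure (the A -> B -> C case), and for a Go package that ships its modules in vendor/ the same closure has to be recovered from the vendor tree itself before LICENSE= is written. The dependency graph, the sample vendor tree and the phrase fingerprints used to classify LICENSE files are all constructed for this example; the license names are Gentoo's identifiers, but the fingerprint matching is a deliberate simplification of what a real license audit does.

```python
"""Added example: LICENSE= as a closure, for portage-managed dependencies and
for a Go vendor/ tree. Everything here is constructed; none of it comes from
the gentoo-dev thread or from portage."""
import os
import re
import tempfile
from collections import deque

# Constructed dependency graph and per-package LICENSE values (A -> B -> C).
DEPS = {"A": ["B"], "B": ["C"], "C": []}
PKG_LICENSE = {"A": "GPL-2", "B": "MIT", "C": "BSD"}


def closure_licenses(root, deps=DEPS, pkg_license=PKG_LICENSE):
    """Licenses a user must accept to install `root`: the union over the
    transitive dependency closure. This is what portage gets for free when
    every dependency is its own package with its own LICENSE variable."""
    seen, queue, licenses = {root}, deque([root]), set()
    while queue:
        pkg = queue.popleft()
        licenses.add(pkg_license[pkg])
        for dep in deps[pkg]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return licenses


# Minimal fingerprints for the license texts used in the constructed tree.
# Matching on one distinctive phrase is a simplification; a real audit
# compares whole texts and checks for modified or dual licenses.
FINGERPRINTS = [
    ("MIT", re.compile(r"Permission is hereby granted, free of charge")),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms")),
    ("Apache-2.0", re.compile(r"Apache License, Version 2\.0")),
    ("GPL-2", re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 2")),
]


def classify(text):
    """Map a LICENSE file's text to a license name, or UNKNOWN."""
    for name, pattern in FINGERPRINTS:
        if pattern.search(text):
            return name
    return "UNKNOWN"  # must be resolved by hand before LICENSE= is written


def vendored_licenses(vendor_dir):
    """Walk a vendor/ tree (as `go mod vendor` lays it out) and map every
    module directory that carries a LICENSE file to its classified license."""
    found = {}
    for dirpath, _dirs, files in os.walk(vendor_dir):
        for name in files:
            if name.upper().startswith("LICENSE"):
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    module = os.path.relpath(dirpath, vendor_dir)
                    found[module] = classify(fh.read())
    return found


def license_variable(top_level, vendored):
    """Build the LICENSE= value: the package's own license plus every distinct
    vendored license, sorted so the ebuild diff is stable."""
    return " ".join(sorted({top_level} | set(vendored.values())))


def build_sample_vendor_tree():
    """Constructed stand-in for a real vendor/ tree; returns its path."""
    root = tempfile.mkdtemp(prefix="vendor-")
    samples = {
        "github.com/example/mitlib":
            "Permission is hereby granted, free of charge, to any person ...",
        "github.com/example/bsdlib":
            "Redistribution and use in source and binary forms, with or without ...",
        "golang.org/x/apachelib":
            'Licensed under the Apache License, Version 2.0 (the "License") ...',
    }
    for module, text in samples.items():
        path = os.path.join(root, module)
        os.makedirs(path)
        with open(os.path.join(path, "LICENSE"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    print("portage closure for A:", sorted(closure_licenses("A")))
    tree = build_sample_vendor_tree()
    per_module = vendored_licenses(tree)
    for module, lic in sorted(per_module.items()):
        print(f"{module}: {lic}")
    print('LICENSE="%s"' % license_variable("MIT", per_module))
```

The point of the UNKNOWN result is that it should stop the ebuild from being committed rather than be silently dropped: a vendored module whose license text matches nothing is exactly the case where a bare LICENSE="MIT" ends up wrong.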