From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id F36A9138350 for ; Thu, 30 Jan 2020 13:19:25 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D8B8DE089B; Thu, 30 Jan 2020 13:19:21 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7FC33E0897 for ; Thu, 30 Jan 2020 13:19:21 +0000 (UTC) Received: by mail-pf1-f182.google.com with SMTP id n7so1506885pfn.0 for ; Thu, 30 Jan 2020 05:19:21 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=wT1QIpy0PKJxfirUHQy+x3UVZZVc5lK12GL/bBPQW64=; b=spBHjzzv1hGHNmgy3AXk8DyrDEeEqknZi19mkAkYs52ZQTrQ1cRz1rLmlagls7cp+0 TyDGipmr+fVMoiUDPCCqXhSxr0A96ZQkwAV7d+6Ym459n04NsemspB3sGaaFIsy0LCxx FNvSDuHpPx5UeBwsajoyTpxew+kvprhb5q24+wOubb+PczAO1FK7JK9P7Ed0p50UBhAj dFaS8uNBZm5rWif6Rty1rppw/KlDxhENaOCojrUS+jrVYcetGIcevsUzKR0vvxh4WnjD ITg6hTrOjJYraJqrSRrbSofK6sl2A6BPoVJZIQdO7Pw2mxT8AnWYvmJAM5G5nUbMrX9j c79w== X-Gm-Message-State: APjAAAUrjFuhY2534ClPWiNOx1YDPWWKQml/chafHjEJQR+q6DEHvLfD EqWaUDdw48buleJ+P1hWkTWtfpMW++ZLina+M4USRg== X-Google-Smtp-Source: APXvYqyo113RaRTzmT+WjHfMXlKa49GHv1Ue4WusgZPny0Ot5Ubd8CmwwUr1EfqmiuNaYzKynkchQB/TXKje2yJxGnc= X-Received: by 2002:a63:8041:: with SMTP id j62mr4630219pgd.41.1580390359857; Thu, 30 Jan 2020 05:19:19 -0800 (PST) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 References: <20200130112034.GH16867@cloudsdale.the-delta.net.eu.org> In-Reply-To: <20200130112034.GH16867@cloudsdale.the-delta.net.eu.org> From: Rich Freeman Date: Thu, 30 Jan 2020 08:19:08 -0500 Message-ID: Subject: Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds? To: gentoo-dev Content-Type: text/plain; charset="UTF-8" X-Archives-Salt: c2fe1450-7f06-4c11-86af-d369ef2cabf5 X-Archives-Hash: 3b673cb3ea7ba2637bc3817c1b8a6d8f On Thu, Jan 30, 2020 at 6:20 AM Haelwenn (lanodan) Monnier wrote: > > [2020-01-27 12:41:26+0100] Ulrich Mueller: > > So, the question is, should we allow ebuilds > > # Distributed under the terms of the GNU General Public License, v2 or later > > in the repository, or should we even encourage it for new ebuilds? > > > > I have somewhat mixed feelings about this. One the one hand, I think > > that GPL-2+ should generally be preferred because it offers better > > compatibility. For example, the compatibility clause in CC-BY-SA-4.0 > > won't work with GPL-2. > > Is there another reason for GPL-2+ than just compatibility? > Because I quite find the "or later" thing to be quite a scary one as > whatever will come up next as a GPL will become applicable and it feels > quite weird to me to have a license that can evolve to whatever > license over time. Well, there are two sides to this particular issue. GPL 2+ means that anybody can choose to redistribute the code under the terms of any version of the GPL that is >=2. So, if they add terms to GPL v4 that you really don't like, you can still redistribute it under the terms of GPL v2-3 if you prefer. The other side to this is that you can't stop others from redistributing it under v4. They could also incorporate it into other code that is v4+ which you could only redistribute under v4 or greater. Of course, the original code can still be redistributed under v2 - it is just the parts that are comingled with other v4 code that is at issue. Really the main threat (IMO) is that the code could be de-copylefted. They could make GPL v4 a copy of the BSD license, and now anything that was v2+ is effectively BSD and can be used in non-FOSS software without issue. I guess that isn't any worse than the previous case of it instead being merged into some other v4 variant that you can access the source for but prefer to avoid because of something else in the license, except now you might not see the code at all. The advantage of 2+ is of course flexibility: For one it reduces license proliferation. Code that is v2-only is effectively orphaned with regard to v3, v4, v5, and so on projects in the future. GPLv2 is fairly restrictive by design around compatibility with other licenses and accepting future versions helps mitigate this insofar as you trust the FSF. And of course if at some point some fatal flaw is found in the GPL in a court case, it is possible that a future version could mitigate that flaw. Of course, if that flaw lets anybody ignore the copyleft bits you can't prevent people from using it under the old flawed v2, but at least you can still use the code in your own v4 or whatever. Of course, if the flaw effectively made the v2 code public domain you can do that anyway, but if the flaw were of a different nature it might cause problems having code being locked up as v2-only. > > I think I would personally slightly prefer to have it be properly > dual-licensed GPL-{2,3} or GPL-2 & CC-BY-SA-4.0 instead. > The problem like this is that this is basically just kicking the can down the road. It is of course equivalent for the moment, but when GPLv4 comes along we have to go through this again. Right now most of the Gentoo authors are alive and might be willing to explicitly sign off on a relicense (maybe). However, maybe in another 10 years when GPLv4 comes out it is going to be much harder to track everybody down. On the flip side the fact is that none of us know what the FSF will look like in 10 years, or 40 years. There are plenty of large non-profits today that bear little resemblance to what they looked like 100 years ago, for good or ill. The GPL v2 (or v3) are known quantities that we can debate on in a concrete manner, but unknown future versions can only be speculated on. Another solution to this problem is the FLA - which is something we've talked about but shelved until we've sorted out some of our other copyright issues which were thorny enough. Perhaps we could consider taking that up again. Without getting into the details it is a bit like a copyleft-style copyright assignment, which isn't actually an assignment. We envisoned it being voluntary and would allow any contributor to give the Foundation the authority to relicense their contributions, with a number of restrictions, like the new license being FOSS. I'd have to dig up the latest version and take a look at it again. Basically instead of trusting the FSF you'd be trusting the Foundation instead, but there are some limitations on what they'd be allowed to do, and if they violate those limitations the agreement would be canceled and the rights would revert back to whatever was on the original contribution, which would probably be whatever the author originally wanted. That said, I'm not sure it really provides a whole lot more protection over what happens except for the fact that Foundation members have more say in how the Foundation operations than the FSF, if only because the number of people allowed to vote are limited to a relatively small pool Gentoo contributors, at least compared to the entire FOSS community. -- Rich