Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

[Richard Yao <ryao@gentoo.org>]

> On Sep 21, 2019, at 12:09 PM, Michał Górny <mgorny@gentoo.org> wrote:
> 
> Hi,
> 
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.
> 
> 
> GNU Licenses currently don't carry an upgrade clause -- instead, authors
> are expected to decide whether they permit upgrade to newer versions of
> the license in question, or require users to stick with their version of
> choice.
> 
> Their decision is normally indicated in copyright notices on top
> of source files.  Those that permit upgrade usually state 'either
> version N of the License, or (at your option) any later version.', while
> others remove the 'or...' or even replace with 'only' (sometimes
> removing 'either', sometimes leaving it ;-)).
> 
> The truth is, many developers don't go that far to verify it.  Instead,
> they usually look at 'COPYING' or 'LICENSE', read the version there
> and put 'GPL-2', 'GPL-3' etc. in the ebuild.  It doesn't help that
> GitHub does the same and shows the result as easy-to-read note on top of
> repo.
> 
> 
> For some time I've been reviewing packages I'm (co-)maintaining, as well
> as proxy-maint submissions for this particular problem.  However,
> surprisingly many projects actually go the 'version N only' route, even
> in middle of environments that are 'N+' like Xfce.  As a result, I've
> ended up rechecking the same packages over and over again to the point
> of starting to add comments saying 'yes, this is GPL-2 only'.
> 
> I'd like to propose to employ a more systematic method of resolving this
> problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using short 'GPL-n' in favor of them.  The end result
> would be three licenses per every version/variant, e.g.:
> 
>  GPL-2-only -- version 2 only
>  GPL-2+     -- version 2 or newer
>  GPL-2      -- might be either, audit necessary
> 
> The main idea is that we'd be able to easily find 'non-audited' packages
> with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
> after auditing.  While technically it would still be possible for people
> to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
> will help people notice that there actually is a deeper difference,
> and it will still catch people who just type 'GPL-n' without looking
> into the license directory.
My read of this and the comments is that it boils down to getting people to do the right thing and ensuring that they did. If anyone does not already understand this, we need to have a talk with them about it.

Also, for things like the Linux kernel where some files lack the or later version clause, this is going to end up with us doing GPL-2-only and GPL-2+ at the same time. Is this really what we want to do there?
> 
> 
> For a start, I'd only go for adding the '-only' variants to the most
> common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
> FDL versions.  I don't think we need this for the long 'exception'
> variants -- I suspect that if someone did research enough to notice
> the exception, then most likely he would also notice the 'or newer'.
> 
> 
> WDYT?
> 
> -- 
> Best regards,
> Michał Górny
>