Subject: Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing
From: Richard Yao
Date: Sun, 22 Sep 2019 12:36:42 -0400
To: gentoo-dev@lists.gentoo.org
Cc: licenses

> On Sep 21, 2019, at 12:09 PM, Michał Górny wrote:
>
> Hi,
>
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger a QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.
>
>
> GNU Licenses currently don't carry an upgrade clause -- instead, authors
> are expected to decide whether they permit upgrade to newer versions of
> the license in question, or require users to stick with their version of
> choice.
>
> Their decision is normally indicated in copyright notices on top
> of source files. Those that permit upgrade usually state 'either
> version N of the License, or (at your option) any later version.', while
> others remove the 'or...' or even replace it with 'only' (sometimes
> removing 'either', sometimes leaving it ;-)).
>
> The truth is, many developers don't go that far to verify it. Instead,
> they usually look at 'COPYING' or 'LICENSE', read the version there
> and put 'GPL-2', 'GPL-3' etc. in the ebuild. It doesn't help that
> GitHub does the same and shows the result as an easy-to-read note on top of
> the repo.
>
>
> For some time I've been reviewing packages I'm (co-)maintaining, as well
> as proxy-maint submissions for this particular problem. However,
> surprisingly many projects actually go the 'version N only' route, even
> in the middle of environments that are 'N+' like Xfce. As a result, I've
> ended up rechecking the same packages over and over again to the point
> of starting to add comments saying 'yes, this is GPL-2 only'.
>
> I'd like to propose to employ a more systematic method of resolving this
> problem. I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using short 'GPL-n' in favor of them. The end result
> would be three licenses per every version/variant, e.g.:
>
> GPL-2-only -- version 2 only
> GPL-2+ -- version 2 or newer
> GPL-2 -- might be either, audit necessary
>
> The main idea is that we'd be able to easily find 'non-audited' packages
> with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
> after auditing. While technically it would still be possible for people
> to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
> will help people notice that there actually is a deeper difference,
> and it will still catch people who just type 'GPL-n' without looking
> into the license directory.

My read of this and the comments is that it boils down to getting people to do the right thing and ensuring that they did. If anyone does not already understand this, we need to have a talk with them about it.

Also, for things like the Linux kernel where some files lack the 'or later version' clause, this is going to end up with us doing GPL-2-only and GPL-2+ at the same time. Is this really what we want to do there?

>
>
> For a start, I'd only go for adding the '-only' variants to the most
> common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
> FDL versions. I don't think we need this for the long 'exception'
> variants -- I suspect that if someone did research enough to notice
> the exception, then most likely he would also notice the 'or newer'.
>
>
> WDYT?
>
> --
> Best regards,
> Michał Górny
>
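As an added illustration of the audit the RFC describes (not code from this thread or from Gentoo's own tooling), the classifier below reads the 'either version N of the License, or (at your option) any later version' wording from per-file copyright notices and folds the results into a LICENSE value, covering the mixed kernel-style case raised in the reply; the regexes, the sample headers and the 'audit needed' fallback are my own assumptions.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Wording the RFC describes: "either version N of the License, or (at your
# option) any later version" permits upgrade; dropping that clause (or writing
# "version N only") pins the version. Patterns are assumptions, not Gentoo QA code.
FAMILY_RE = re.compile(r"GNU\s+(Lesser|Library|Affero)?\s*General\s+Public\s+License", re.I)
VERSION_RE = re.compile(r"version\s+(\d+(?:\.\d+)?)", re.I)
LATER_RE = re.compile(r"any\s+later\s+version", re.I)

def classify_header(notice: str) -> Optional[str]:
    """Map one file's copyright notice to e.g. 'GPL-2+' or 'GPL-2-only';
    None means no GNU license version was found and a human must look."""
    fam = FAMILY_RE.search(notice)
    if not fam:
        return None
    family = {"lesser": "LGPL", "library": "LGPL", "affero": "AGPL"}.get(
        (fam.group(1) or "").lower(), "GPL")
    ver = VERSION_RE.search(notice, fam.end())  # version named after the license
    if not ver:
        return None
    return f"{family}-{ver.group(1)}{'+' if LATER_RE.search(notice) else '-only'}"

def suggest_license(notices: Iterable[str]) -> str:
    """Fold per-file results into an ebuild LICENSE value: both variants when
    files disagree (the Linux-kernel case from the reply), the short unaudited
    form when some file could not be classified, else the single variant."""
    counts = Counter(classify_header(n) for n in notices)
    found = sorted(k for k in counts if k)
    if not found:
        return "audit needed"
    if None in counts:
        return " ".join(sorted({re.sub(r"(-only|\+)$", "", k) for k in found}))
    return " ".join(found)

# Constructed sample headers (not taken from any real project).
GPL2_PLUS = ("free software; you can redistribute it and/or modify it under the terms "
             "of the GNU General Public License as published by the Free Software "
             "Foundation; either version 2 of the License, or (at your option) any later version.")
GPL2_ONLY = ("free software; you can redistribute it and/or modify it under the terms "
             "of the GNU General Public License version 2 as published by the Free Software Foundation.")
LGPL21_PLUS = ("under the terms of the GNU Lesser General Public License as published by "
               "the Free Software Foundation; either version 2.1 of the License, or "
               "(at your option) any later version.")
NO_NOTICE = "// helper module, no license notice in this file"

if __name__ == "__main__":
    for name, files in [("all 2+", [GPL2_PLUS, GPL2_PLUS]), ("mixed", [GPL2_PLUS, GPL2_ONLY]),
                        ("unaudited", [GPL2_PLUS, NO_NOTICE])]:
        print(f'{name}: LICENSE="{suggest_license(files)}"')
```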