From: Michał Górny
To: gentoo-dev
Cc: licenses
Date: Sat, 21 Sep 2019 18:09:20 +0200
Subject: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Hi,

TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having the former trigger a QA warning asking the dev to double-check whether it's 'GPL-2-only' or 'GPL-2+'.

GNU Licenses currently don't carry an upgrade clause -- instead, authors are expected to decide whether they permit upgrade to newer versions of the license in question, or require users to stick with their version of choice. Their decision is normally indicated in copyright notices on top of source files. Those that permit upgrade usually state 'either version N of the License, or (at your option) any later version.', while others remove the 'or...' or even replace it with 'only' (sometimes removing 'either', sometimes leaving it ;-)).

The truth is, many developers don't go that far to verify it. Instead, they usually look at 'COPYING' or 'LICENSE', read the version there and put 'GPL-2', 'GPL-3' etc. in the ebuild. It doesn't help that GitHub does the same and shows the result as an easy-to-read note on top of the repo.

For some time I've been reviewing packages I'm (co-)maintaining, as well as proxy-maint submissions, for this particular problem. However, surprisingly many projects actually go the 'version N only' route, even in the middle of environments that are 'N+' like Xfce. As a result, I've ended up rechecking the same packages over and over again, to the point of starting to add comments saying 'yes, this is GPL-2 only'.

I'd like to propose employing a more systematic method of resolving this problem. I would like to add additional explicit 'GPL-n-only' licenses, and discourage using short 'GPL-n' in favor of them. The end result would be three licenses for every version/variant, e.g.:

GPL-2-only -- version 2 only
GPL-2+ -- version 2 or newer
GPL-2 -- might be either, audit necessary

The main idea is that we'd be able to easily find 'non-audited' packages with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only after auditing. While technically it would still be possible for people to wrongly set LICENSE to GPL-2-only, I think this explicit distinction will help people notice that there actually is a deeper difference, and it will still catch people who just type 'GPL-n' without looking into the license directory.

For a start, I'd only go for adding the '-only' variants to the most common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some FDL versions. I don't think we need this for the long 'exception' variants -- I suspect that if someone did enough research to notice the exception, then most likely he would also notice the 'or newer'.

WDYT?
-- 
Best regards,
Michał Górny
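The audit the message describes (reading the notice at the top of each source file instead of trusting COPYING, and separating 'version N only' from 'N or later') can be scripted. The following is an added example written for this page; it is not code from the message, from Gentoo's tree or from pkgcheck. The file contents in SAMPLE_TREE are constructed, the label scheme ('GPL-2+', 'GPL-2-only', bare 'GPL-2' for unaudited) follows the proposal above, and the handling of SPDX-License-Identifier tags goes beyond the message, applying the same three-way split to them.

```python
"""Audit GPL-family notices for the 'N-only' vs 'N+' distinction.

Added example for this page, not code from the gentoo-dev message, Gentoo's
tree or pkgcheck. It reads the notice at the head of each source file (not
COPYING, as the message warns) and maps it onto the proposed labels: 'GPL-2+',
'GPL-2-only', or bare 'GPL-2' for "unaudited". SPDX tags (not mentioned in the
message) get the same split. SAMPLE_TREE is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Strip comment leaders so a notice wrapped across " * " lines reads as prose.
_COMMENT_LEADER_RE = re.compile(r"^[ \t]*(?:/\*+|\*+/?|//+|#+|;+|--+)?[ \t]*", re.MULTILINE)
# FSF-style notice: license name, the version, then the clause that does or
# does not permit upgrading ("... or (at your option) any later version").
_NOTICE_RE = re.compile(
    r"GNU (?P<qual>Affero |Lesser |Library |Free Documentation )?(?:General Public )?License"
    r".{0,160}?version (?P<ver>\d+(?:\.\d+)?)(?P<tail>.{0,120})",
    re.IGNORECASE,
)
_LATER_RE = re.compile(r"any later version", re.IGNORECASE)
# SPDX: a deprecated bare id such as GPL-2.0 carries no upgrade information,
# exactly like the bare 'GPL-2' ebuild label the message wants flagged.
_SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*(?P<fam>AGPL|LGPL|GPL|GFDL)-(?P<ver>\d+\.\d+)"
    r"(?P<suffix>-only|-or-later|\+)?"
)
_FAMILIES = {"affero": "AGPL", "lesser": "LGPL", "library": "LGPL",
             "free documentation": "FDL", "": "GPL"}
_BARE_LABEL_RE = re.compile(r"^(?:AGPL|LGPL|GPL|FDL)-\d+(?:\.\d+)?$")


def _short_version(ver: str) -> str:
    """Gentoo labels read GPL-2, GPL-3, LGPL-2.1: drop a trailing '.0'."""
    return ver[:-2] if ver.endswith(".0") else ver


def classify_notice(text: str) -> Optional[str]:
    """Return 'GPL-2+', 'GPL-2-only', bare 'GPL-2' (unaudited) or None.

    An SPDX tag wins. Otherwise 'any later version' within reach of the version
    number means '+'; 'only', or the clause simply removed (as the message
    describes), means '-only'. No GPL-family notice at all gives None.
    """
    norm = re.sub(r"\s+", " ", _COMMENT_LEADER_RE.sub("", text))
    spdx = _SPDX_RE.search(norm)
    if spdx:
        fam = "FDL" if spdx.group("fam") == "GFDL" else spdx.group("fam")
        base = f"{fam}-{_short_version(spdx.group('ver'))}"
        suffix = spdx.group("suffix") or ""
        if suffix in ("-or-later", "+"):
            return base + "+"
        return base + "-only" if suffix == "-only" else base
    m = _NOTICE_RE.search(norm)
    if not m:
        return None
    fam = _FAMILIES[(m.group("qual") or "").strip().lower()]
    base = f"{fam}-{_short_version(m.group('ver'))}"
    return base + "+" if _LATER_RE.search(m.group("tail")) else base + "-only"


def audit_tree(files: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify each file; return (LICENSE value, files with no notice).

    Per version, one '-only' file binds the whole work to '-only'; a bare notice
    keeps the bare label so the QA warning fires; '+' only when all files agree.
    """
    per_file = {path: classify_notice(body) for path, body in files.items()}
    unclassified = sorted(p for p, lbl in per_file.items() if lbl is None)
    groups: Dict[str, set] = {}
    for lbl in per_file.values():
        if lbl is not None:
            base = lbl[:-5] if lbl.endswith("-only") else lbl.rstrip("+")
            groups.setdefault(base, set()).add(lbl)
    labels = []
    for base in sorted(groups):
        seen = groups[base]
        labels.append(base + "-only" if base + "-only" in seen
                      else base if base in seen else base + "+")
    return " ".join(labels), unclassified


def qa_warn_bare_licenses(license_var: str) -> List[str]:
    """The proposed QA check: bare 'GPL-2'-style tokens in an ebuild's LICENSE."""
    return [tok for tok in license_var.split() if _BARE_LABEL_RE.match(tok)]


# Constructed sample tree, not from any real project.
SAMPLE_TREE = {
    "src/main.c": "/*\n * This program is free software; you can redistribute it and/or modify\n"
                  " * it under the terms of the GNU General Public License as published by\n"
                  " * the Free Software Foundation; either version 2 of the License, or\n"
                  " * (at your option) any later version.\n */\n#include <stdio.h>\n",
    "src/plugin.c": "/*\n * Copyright (C) 2019 Example Author\n *\n"
                    " * This program is free software; you can redistribute it and/or modify\n"
                    " * it under the terms of the GNU General Public License version 2 as\n"
                    " * published by the Free Software Foundation.\n */\n",
    "lib/util.py": "# SPDX-License-Identifier: LGPL-2.1-or-later\n\ndef helper():\n    pass\n",
    "README": "Example project. See COPYING for the license text.\n",
}

if __name__ == "__main__":
    for path, body in SAMPLE_TREE.items():
        print(f"{path:14} {classify_notice(body)}")
    print("LICENSE / no notice:", audit_tree(SAMPLE_TREE))
    print("QA warnings:", qa_warn_bare_licenses("GPL-2 LGPL-2.1+ || ( MIT BSD )"))
```

On a real unpacked source tree, build the dict passed to audit_tree from os.walk and the head of each file (the first few kilobytes are enough for a header notice). The conservative direction is deliberate: a single file whose notice lacks the 'or later' clause pulls the whole work to '-only', and a notice that names a version without settling the question keeps the bare label so the proposed QA warning still fires rather than silently resolving to '+'.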