
Use Fedora's Allowed Licenses as one of the free license sources

Open hokonch opened this issue 2 years ago • 8 comments

https://docs.fedoraproject.org/en-US/legal/allowed-licenses/

Fedora has recently moved from its own identifiers to SPDX, so there will be no need to manually curate the data and it will be safe to merge. I think Fedora's list is exhaustive and could solve some edge cases that appstream currently misclassifies.

Edge cases I found

  • wings3d uses the TCL License, which seems to be DFSG-free (https://packages.debian.org/bookworm/wings3d) and is allowed by Fedora.
  • VirtualXT uses the zlib-acknowledgement license, which is allowed by Fedora. I don't know if this license is certainly DFSG-free, but it appears to be fine by DFSG's definition.

hokonch, Sep 08 '23 04:09

If Fedora moved to SPDX, everything should be fine, shouldn't it? After all, the SPDX registry provides information on whether a license is OSI or FSF approved, which AppStream uses to determine whether a license is free or not.

ximion, Sep 08 '23 04:09

As I understand it, AppStream uses a mix of three standards: OSI or FSF or DFSG-Free. https://github.com/ximion/appstream/blob/84531a1a74bf8e08208eb2490bd27faca3aca128/data/spdx-free-license-ids.txt#L1 My suggestion is to change this to OSI or FSF or DFSG-Free or Fedora-Allowed.

hokonch, Sep 08 '23 05:09

I really don't want to add more, it is already messy enough as it is. The SPDX data is machine-readable and I can extract information from it automatically, making this very easy to maintain. The DFSG list is just to augment the SPDX data where SPDX is missing information (annoyingly), since OSI's criteria are based on the DFSG.

Adding yet another list would make this even harder to maintain. Is the Fedora list at least machine-readable in some form?

ximion, Sep 10 '23 16:09

It is. The data is available in the fedora-license-data package, which has its upstream sources in Fedora's GitLab namespace: https://gitlab.com/fedora/legal/fedora-license-data/

Conan-Kudo, Oct 03 '23 02:10

That does look like a pretty good resource!

ximion, Oct 03 '23 17:10

Fedora's license data also notes which ones are allowed or disallowed, which is useful for compliance stuff (and SPDX does not provide that information, because all it does is give identifiers to licenses).

Conan-Kudo, Oct 03 '23 19:10

For what it's worth, fedora-license-data also includes Fedora-License-Identifier -> SPDX-License-Identifier mappings, in addition to tags for whether a license is approved for use (effectively equivalent to DFSG-Approved).

I use the data in RPMLint in Fedora and I believe it's also used in RPMInspect. It'd be great if AppStream also used it.

Conan-Kudo, Oct 08 '23 04:10

It'll not replace any of the existing data sources, but having it as an additional one would certainly be nice. I'll likely look into adding it after the 1.0 release (it's not a breaking change, so we can easily add it later).

ximion, Oct 14 '23 03:10
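
The proposal discussed in this thread, as an added example that is not part of the thread and not AppStream's code: a license expression is checked against the SPDX OSI/FSF flags plus a DFSG supplement, then again with a Fedora-allowed set as a fourth source, reporting which source vouches for each id. Assumptions: the Fedora set has already been extracted from fedora-license-data (its file layout is not described on this page), the "every id must be vouched for" rule is a conservative choice made for this example, and all data values are constructed samples.

```python
import json
import re

# Constructed excerpt in the shape of SPDX's licenses.json (isOsiApproved and
# isFsfLibre are the flags that file carries); values are sample data only.
SPDX_JSON = """{"licenses": [
  {"licenseId": "MIT", "isOsiApproved": true, "isFsfLibre": true},
  {"licenseId": "GPL-2.0-or-later", "isOsiApproved": true, "isFsfLibre": true},
  {"licenseId": "TCL", "isOsiApproved": false},
  {"licenseId": "zlib-acknowledgement", "isOsiApproved": false},
  {"licenseId": "CC-BY-NC-4.0", "isOsiApproved": false}
]}"""
# Placeholder id standing in for the hand-kept DFSG supplement list.
DFSG_EXTRA = {"Example-DFSG-License"}
# Assumed to be ids already pulled from fedora-license-data with status
# "allowed"; the two edge cases from the issue are included.
FEDORA_ALLOWED = {"MIT", "GPL-2.0-or-later", "TCL", "zlib-acknowledgement"}

def spdx_free_ids(spdx_json):
    """License ids that SPDX flags as OSI-approved or FSF-libre."""
    return {l["licenseId"] for l in json.loads(spdx_json)["licenses"]
            if l.get("isOsiApproved") or l.get("isFsfLibre")}

def license_ids(expression):
    """Split an SPDX expression into license ids, dropping operators,
    parentheses, the legacy '+' suffix and 'WITH <exception>' parts."""
    ids, skip = [], False
    for tok in re.findall(r"[A-Za-z0-9.\-+:]+", expression):
        if skip:                      # token after WITH is an exception id
            skip = False
        elif tok.upper() == "WITH":
            skip = True
        elif tok.upper() not in ("AND", "OR"):
            ids.append(tok.rstrip("+"))
    return ids

def classify(expression, sources):
    """Return (is_free, {license id: [names of sources vouching for it]}).
    Conservative rule for this example: every id needs at least one source."""
    vouched = {lid: sorted(n for n, ids in sources.items() if lid in ids)
               for lid in license_ids(expression)}
    return bool(vouched) and all(vouched.values()), vouched

CURRENT = {"spdx": spdx_free_ids(SPDX_JSON), "dfsg": DFSG_EXTRA}
WITH_FEDORA = {**CURRENT, "fedora": FEDORA_ALLOWED}

if __name__ == "__main__":
    for expr in ("TCL", "MIT AND zlib-acknowledgement", "MIT OR CC-BY-NC-4.0"):
        print(expr, classify(expr, CURRENT), classify(expr, WITH_FEDORA))
```

Keeping the source name next to each verdict lets a maintainer see when a license is accepted only because of the Fedora list, which is the case for both edge cases raised in the issue.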