Licenses: being finicky

Peter Hutterer peter.hutterer at who-t.net
Sat Feb 17 00:03:35 UTC 2024 

On Fri, Feb 16, 2024 at 12:42:29PM +0100, tlaronde at kergis.com wrote:
> On Fri, Feb 16, 2024 at 08:22:59PM +1000, Peter Hutterer wrote:
> > On Wed, Feb 14, 2024 at 09:37:43PM +0100, tlaronde at kergis.com wrote:
> > > Some meson.build, for example, have a SPDX-License-Identifier: tag,
> > > where "MIT" is mentionned, applying (I think) to the file itself, and
> > > the project has an entry with a pair (license: 'MIT') applying to the
> > > data by itself.
> > > 
> > > But, for example, xcbproto has a license with a (classical, for me)
> > > fourth clause forbiding use of the names of the authors without
> > > permission to advertise etc.
> > > 
> > > Acoording to:
> > > 
> > > https://spdx.org/licenses/
> > > 
> > > this is identified as "X11", the "MIT" being the same without this
> > > fourth paragraph. (I suspect this distinction is rather new.)
> > > 
> > > When creating meson files for building, is there some rule regarding
> > > this? 
> > > 
> > > I think that the correct way is to state 'X11' or 'MIT' or
> > > whatever matches COPYING or COPYRIGHTS or whatever file explains the
> > > license status and to conform, simply because this exists and is
> > > standardized, to the SPDX list of identifiers.
> > > 
> > > What do other think about this?
> > 
> > we've recently done this work for Fedora so you can probably get the
> > various licenses from there. Fun fact, some projects have *a lot* of
> > SPDX identifers (i think the record is 15).
> > 
> > In the end whether the license entry in meson.build matters is very
> > questionable and only the actual code files and maybe COPYING matters
> > (but do ask your preferred lawyer for confirmation).
> 
> Since a packaging system using meson could advertise the license
> from what is set in the project in meson.build, 

Maybe in a perfect world but this is not a reliable indicator so I doubt
any packaging system that cares about licenses uses that, or can use it
for the forseeable future.  Meson doesn't do any verification of those
tags so aside from being easier to extract it's really no different to
relying on COPYING or LICENSE (the latter of which at least github
encourages you to add).

> I think that it should be set
> right there and perhaps conforming to the SPDX identifiers (the SPDX
> identifiers in the meson.build meson_options.txt are less crucial, one
> could infer that if someone---me for example---is contributing, he's
> willing to contribute under X11 license and that this is what applies
> if lacking a more defined license identifier).

ftr, I don't disagree, we should advertise the right license whereever
possible but, example of the xserver: 
  Adobe-Display-PostScript AND BSD-3-Clause AND DEC-3-Clause AND
  HPND AND HPND-sell-MIT-disclaimer-xserver AND HPND-sell-variant AND
  ICU AND ISC AND MIT AND MIT-open-group AND NTP AND SGI-B-2.0 AND
  SMLNJ AND X11 AND X11-distribute-modifications-variant

I'm sure that would scare a few people away ;)

Sure, you could reduce it to just whatever the top-level spdx license is
(MIT) but then you're just back at where you started.

A better option for this would be the relatively new `license_files`
kwarg in meson's project() which we can just point at COPYING. But
having to version-check meson just to add this seem a bit over the top.

TLDR: our COPYING files are (thanks to Alan) quite good so relying on
those is probably the least friction approach.

Changing 'mit' to 'x11' in projects where it's really just the once
license would be quite uncontroversial though.
 
Cheers,
  Peter

> > 
> > Licenses are also compatible or direct derivatives of each other so X11
> > and MIT are compatible and unless you're into lawyerese it doesn't
> > matter which one is listed in meson.build.
> > 
> > > Note: I'm not planing to review "correct" attribution between X11 and
> > > MIT in all the Xorg projects---I'm sufficiently late on my schedule
> > > with what I have to do without starting to rover around. Furthermore,
> > > X11 has been historically identified as 'MIT'...
> > 
> > The main question: what are you're trying to achieve here? The
> > vast majority of our projects are old and new projects tend to
> > (or should) copy/paste from SDPX anyway.
> 
> I'm just _adding_ (not removing autoconf/automake stuff) meson build
> files to Xorg projects I'm reviewing (because I need to track bugs with
> X11/Mesa and kernel DRMKMS on NetBSD), so I want to have everything as
> correct as possible.
> 
> > 
> > PS: If I were you I'd be *really* careful trying to update old
> > repositories. We've made people maintainers for less! ;)
> 
> I will be careful ;)
> -- 
>         Thierry Laronde <tlaronde +AT+ kergis +dot+ com>
>                      http://www.kergis.com/
>                     http://kertex.kergis.com/
> Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C

More information about the xorg-devel mailing list