David Cantrell wrote:
> We can't get rid of the License tag, unfortunately.  See:
> 
> https://www.linuxfoundation.org/blog/blog/spdx-its-already-in-use-for-global-software-bill-of-materials-sbom-and-supply-chain-security
> 
> And as part of the US Executive Order on Cybersecurity, we need to start
> using SPDX identifiers in software we package and provide so that our
> downstream users are in compliance:
> 
> https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

I do not see anything there requiring RPM packages to contain a License tag.
I doubt this can ever be encoded in a law.

Software needs to state its license somehow, but that is already the case in 
various forms (depending on the package) within the SRPM and hopefully the 
binary RPM. (If the notice does not make it into the binary package, that is 
an upstream issue and IMHO not our problem.)


Personally, I think it makes sense to state the license in the RPM metadata 
for the people installing the software, but, like Michael Catanzaro, I doubt 
the current approach of requiring every permissive license of copied-and-pasted 
code to be listed explicitly is in any way practical. The License tag 
should have only indicative value; the authoritative license(s) are the ones 
on the source code itself.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue