Re: vendored dep licenses to include (or skip) in binary rpms

2018-03-05 Thread Nicolas Mailhot
On Monday, 05 March 2018 at 10:07 -0500, Lokesh Mandvekar wrote:
> When you ship a Go binary like cri-o, do you need to include the
> licenses of all vendored dependencies at %license? Or does it suffice
> to specify just the license file of the main package itself?

You *must* follow Fedora licensing guidelines for everything you ship,
whether it is built or not. That includes license files and package
licensing tag.

There used to be some tolerance for items removed as the first step in %prep
(i.e. rm -fr vendor), as long as they were under a Fedora-friendly
license. For stuff Fedora actually forbids, packagers were required and
are probably still required to regenerate the archive used by the spec
file without the offending content before uploading to koji.

Apart from Fedora requirements, which go a bit beyond the law to simplify
maintenance, from a legal POV you should never state a package is under
a particular license before making sure all the licenses in play
actually devolve to this license.

And lastly any time you ship other people's code, either built or not,
it is good taste to document and preserve its licensing.

Which is why vendoring (bundling) and static linking (when all the code
ends up in a single binary) are a terrible idea from a legal POV.

So:

1. for devel-only Go packages: don't ever vendor, rm all traces of
bundled code, that will save you loads of legal problems

2. for Go packages that build binaries: if you don't vendor anything,
(rm -fr vendor as first step or better get an upstream archive without
third-party code) and you have satisfied yourself all the licenses
devolve to a single one, it's probably ok to document just this one

3. it is *way* simpler with dynamic linking where all the objects are
nicely separated, in different packages, with separate documentation,
and legal analysis can be made at the time you assemble the packages,
not at the time you ship them. Volunteers willing to convert Fedora
packages to dynamic linking are welcome.

4. if you publish a Go project: don't vendor, use stable releases of
other components, and if you do vendor don't include the vendored files
in your git repo, just the vendor config file.

But do ask spot or fedora-legal when in doubt.

Regards,

-- 
Nicolas Mailhot
___
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-le...@lists.fedoraproject.org
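The advice above boils down to a check a packager has to make before writing the License: tag or deciding what goes under %license: inventory every vendored package, find its license file, and see whether the licenses in play actually devolve to one. The script below is an added example, not code from this thread or from the cri-o project; the phrase-based license-family detection, the vendor/ layout it assumes (vendor/<host>/<owner>/<repo> or vendor/<host>/<pkg>, each directly containing Go source), and the sample tree it builds are all assumptions made for the example, and the family names are a heuristic, not a legal determination. Point vendor_license_report at a real source tree to get one line per vendored package with its detected license family and license file, or MISSING when none is present.

```shell
#!/bin/sh
# Added example (not from the thread or from cri-o): inventory the license
# files of vendored Go dependencies so a packager can either list them under
# %license or confirm they all devolve to one license before doing
# "rm -fr vendor" in %prep. Layout assumptions and license heuristics are
# this example's own.

# license_family FILE: print a rough SPDX-style family name for a license
# text, matched on distinctive phrases. Heuristic only; check anything that
# comes out UNKNOWN (or anything at all, when in doubt) by hand.
license_family() {
    f="$1"
    if grep -q 'Permission is hereby granted, free of charge' "$f"; then
        echo MIT
    elif grep -q 'Apache License' "$f" && grep -q 'Version 2.0' "$f"; then
        echo Apache-2.0
    elif grep -q 'Redistribution and use in source and binary forms' "$f"; then
        if grep -q 'Neither the name' "$f"; then echo BSD-3-Clause; else echo BSD-2-Clause; fi
    elif grep -q 'GNU GENERAL PUBLIC LICENSE' "$f"; then
        echo GPL
    else
        echo UNKNOWN
    fi
}

# vendor_license_report SRCDIR: one line per vendored package root:
#   <import path> <family> <license file relative to SRCDIR>
# or "<import path> MISSING -" when no LICENSE*/LICENCE*/COPYING* file sits
# in the package directory. Package roots are the vendor/<host>/<owner>/<repo>
# and vendor/<host>/<pkg> directories that directly contain Go source;
# sub-packages deeper in a repo share the repo's license and are not listed.
vendor_license_report() {
    src="$1"
    root="$src/vendor"
    [ -d "$root" ] || { echo "no vendor/ directory under $src" >&2; return 1; }
    find "$root" -mindepth 2 -maxdepth 3 -type d | sort | while read -r pkg; do
        ls "$pkg"/*.go >/dev/null 2>&1 || continue
        rel="${pkg#"$root"/}"
        lic=$(find "$pkg" -maxdepth 1 -type f \
              \( -iname 'LICENSE*' -o -iname 'LICENCE*' -o -iname 'COPYING*' \) | sort | head -n 1)
        if [ -n "$lic" ]; then
            printf '%s %s %s\n' "$rel" "$(license_family "$lic")" "${lic#"$src"/}"
        else
            printf '%s MISSING -\n' "$rel"
        fi
    done
}

# vendor_license_families SRCDIR: the distinct license families found, one
# per line. A single line means the vendored code plausibly devolves to one
# license; more than one means each family needs its own %license entry and
# a License: tag that covers all of them.
vendor_license_families() {
    vendor_license_report "$1" | awk '$2 != "MISSING" { print $2 }' | sort -u
}

# make_sample_tree DIR: constructed sample source tree (assumed, not real
# projects) with three licensed vendored packages and one without a license.
make_sample_tree() {
    d="$1"
    for p in github.com/acme/mitlib github.com/acme/bsdlib \
             github.com/acme/nolicense gopkg.in/yaml.v2; do
        mkdir -p "$d/vendor/$p"
        printf 'package x\n' > "$d/vendor/$p/x.go"
    done
    printf 'MIT License\n\nPermission is hereby granted, free of charge, to any person\n' \
        > "$d/vendor/github.com/acme/mitlib/LICENSE"
    printf 'Redistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met\n' \
        > "$d/vendor/github.com/acme/bsdlib/LICENSE"
    printf 'Apache License\nVersion 2.0, January 2004\n' \
        > "$d/vendor/gopkg.in/yaml.v2/LICENSE"
}

# Demo on the constructed tree; replace "$demo" with a real source tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
vendor_license_report "$demo"
echo "distinct license families: $(vendor_license_families "$demo" | tr '\n' ' ')"
rm -rf "$demo"
```

On the sample tree the report lists four packages, flags github.com/acme/nolicense as MISSING, and the family summary comes back as three distinct families, i.e. the case where documenting only the main package's license would not be enough.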


vendored dep licenses to include (or skip) in binary rpms

2018-03-05 Thread Lokesh Mandvekar
When you ship a Go binary like cri-o, do you need to include the licenses of 
all vendored dependencies at %license? Or does it suffice to specify just the 
license file of the main package itself?
For BSD-2-Clause, there seems to be 
https://github.com/spdx/license-list-XML/blob/v3.0/src/BSD-2-Clause.xml#L23-L26 
which, IIUC, needs this file to be provided as well when distributed in binary 
form. Correct me if I'm wrong. 

This was brought to my attention when trying to upstream ubuntu packaging files 
for cri-o, but it seems relevant to fedora packaging as well.
https://github.com/kubernetes-incubator/cri-o/pull/1380#discussion_r171599330

Thanks,
-- 
Lokesh 
Freenode, OFTC: lsm5
GPG: 0xC7C3A0DD
https://kebyase.io/lsm5