[Buildroot] legal-info: multiple licenses separator

Thomas De Schampheleire patrickdepinguin at gmail.com
Thu Oct 10 08:17:56 UTC 2013


Hi,

On Thu, Oct 10, 2013 at 9:53 AM, Thomas Petazzoni
<thomas.petazzoni at free-electrons.com> wrote:
> Dear Arnout Vandecappelle,
>
> On Thu, 10 Oct 2013 08:44:31 +0200, Arnout Vandecappelle wrote:
>
>> > package/lttng-libust/lttng-libust.mk
>> > -LTTNG_LIBUST_LICENSE = LGPLv2.1; GPLv2 for lttng-gen-tp and ust-ctl
>> > +LTTNG_LIBUST_LICENSE = LGPLv2.1, GPLv2 (lttng-gen-tp, ust-ctl)
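Review bot: In the added LTTNG_LIBUST_LICENSE line the comma does two jobs: it separates the licenses (LGPLv2.1, GPLv2) and it also separates the component names inside the parentheses (lttng-gen-tp, ust-ctl). Anything that splits this value on commas would read "ust-ctl)" as a third entry. Consider a different delimiter inside the parentheses, or document that commas inside parentheses are not license separators. Because the value now contains commas, the field also needs quoting or a non-comma separator wherever it is written out as CSV.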
>>
>>   I thought you wanted to avoid commas? :-)  Anyway, I disagree with your
>> cut argument: cut -d \" -f 6 should do the trick for you.
>
> No, I don't think Thomas wanted to avoid commas, on the contrary. He
> wanted to *allow* commas in the <pkg>_LICENSE variable, and to do this,
> was proposing to change the CSV separator from comma to something else.
>
>>   However, perhaps we should take a step back on the legal info for a
>> minute. Considering the number of corrections we have to make to it, and
>> taking into account that we never check if it's still valid after version
>> bumps, I wonder how useful our license manifest really is. In the end,
>> your legal department will still need to check the correctness of the
>> license information... Collecting the sources and the LICENSE_FILES _is_
>> really useful, but the specified licenses are only indicative. So I
>> wouldn't spend too much time on formalizing it.
>
> I do understand these arguments, but I continue to believe that the
> license information is useful. If your legal department checks this,
> and reports to you that there is a mistake, then you will send a patch
> to Buildroot. If everybody does that, the licensing information gets
> more and more correct and accurate. Pretty much like bugs in software
> tend to progressively disappear as more and more people use the
> software.
>
> As an example, the berkeleydb bump from version 5 to 6 was done without
> the appropriate license information change. But not later than one or
> two days later, somebody else noticed that and the situation is in the
> process of being fixed.
>
> Also, remember that not all companies have legal departments. Many
> small to medium size businesses do embedded Linux products. And for
> them, having a license manifest that is 98% accurate is a lot better
> than having no license manifest at all.
>
> There may be some inaccuracies in the license information that we
> have, but generally, at least the information of whether the component
> is under a non-copyleft or a copyleft license is correct, and this is
> what matters most in my opinion to achieve basic license compliance.
>
>>   Also, if we're going to formalize it more, perhaps we should consider
>> moving to a real formal specification, e.g. spdx. That may make it
>> possible in the future that a tool can at least verify the license
>> information we provide.
>
> I do agree that having a look at SPDX is interesting. They define a
> formal list of licenses (https://spdx.org/licenses/). However, I don't
> know how/if they formalized how to specify which license applies to
> which specific component inside a given package.

The SPDX specification is here:
https://spdx.org/sites/spdx/files/spdx-1.1.pdf

It seems you can either put the file in flat format (I think most
suitable for buildroot) or in RDF format (less readable if you ask
me).

In principle I'm positive towards moving to SPDX, but I have no prior
experience with it.

Best regards,
Thomas

