F40 Change Proposal: SPDX License Phase 3 (System-Wide)

SPDX License Phase 3

This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Wiki
Announced

:link: Summary

The third phase of transition from using Fedora’s short names for licenses to SPDX identifiers in the License: field of Fedora package spec files. This phase focuses on finishing migrating packages from ELN set. We still do not expect that all packages from Fedora Linux will be migrated in this phase.

:link: Owner

:link: Detailed Description

This is follow-up of Phase 2. During this phase, all remaining packages should be migrated to use SPDX license identifiers in the License: field of the package spec file.

So far, package maintainers have been updating their packages in accordance with the guidance provided at Updating License: field for Existing Packages :: Fedora Docs and filing issues in the fedora-license-data repo. Miroslav has been tracking how many packages that have been updated. Given the large number of packages in Fedora, this progress is good, but slow.

The intake of newly discovered licenses is still more than we are able to process. We want to focus on adding the new license to both fedora-license-data and SPDX.org list.

At the same time, we want to focus on the ELN subset of Fedora and cooperate with maintainers of these packages to finish the migration of these packages.

This Change will be followed by Phase 4, where we want to finish the migration of the remaining Fedora packages.

:link: Feedback

See feedback section of Phase 1

Discussions on the mailing list:

Challenges:

  • license-fedora2spdx tool uses mapping of legacy Fedora short names to SPDX identifiers using the fedora-license-data to suggest SPDX identifiers. Where there is an apparent one-to-one mapping, the package maintainer could simply update the License field: and move on.
  • for many packages, particularly packages that use “umbrella” legacy short names that may refer to a large set of unrelated or loosely related licenses, further inspection will be needed. Currently, Fedora documentation provides sparse advice on how to do this inspection and thus, a range of methods are used.

:link: Benefit to Fedora

The use of standardized identifiers for licenses will align Fedora with other distributions and facilitates efficient and reliable identification of licenses. Depending on the level of diligence done in this transition, Fedora could be positioned as a leader and contributor to better license information upstream (of Fedora).

:link: Scope

  • Change Owners:

    • Continue adding newly found licenses to fedora-license-data and to SPDX.org list.
    • Continue to report progress
    • Focus on the ELN subset of Fedora.
  • Other developers:

    • All packages (during the package review) should use the SPDX expression. - this is redundant as this has already been approved since Phase 1, but it should be reminded.
    • Migrate the existing License tag from a short name to an SPDX expression.
  • Release engineering: nothing

  • Policies and guidelines: all done in previous phases

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Objectives:

:link: Upgrade/compatibility impact

License strings are not used anything in run time. This change will not affect the upgrade or runtime of Fedora.

During the transition period, developer tools like rpminspect, licensecheck, etc. may produce false negatives. And we have to define a date where we flip these tools from old Fedora’s short names to the SPDX formula.

:link: How To Test

See How to test section of Phase 1

:link: User Experience

Users should be able to use standard software tools that audit licenses. E.g. for Software Bills of Materials.

:link: Dependencies

No other dependencies.

:link: Contingency Plan

  • Contingency mechanism: There will be no way back. We are already beyond of point to return. We are heading to explore strange new worlds… to boldly go where no man has gone before.
  • Contingency deadline: Beta freeze. But it is expected that not all packages will be converted by that time and the change will continue in the next release.
  • Blocks release? No. This change has no impact on runtime of any package.

:link: Documentation

Allowed Licenses

Update existing packages

:link: Release Notes

In Fedora 40, all core RPM packages use SPDX identifiers as a standard. In total XX percent of packages have been migrated to SPDX identifiers. The remaining packages are estimated to be migrated in upcoming releases of Fedora.

1 Like

This doesn’t seem to have the right Change document linked to it?

Indeed. Not my fault, but I have rights to fix it, so I fixed it.

1 Like

This change proposal has now been submitted to FESCo with ticket #3141 for voting.

To find out more, please visit our Changes Policy documentation.