F44 Change Proposal: CommonLicenses [SystemWide]

The GPL variants are one of the easier scenarios. Consider the BSD-3-Clause license:

there is a wildcard placeholder there which is substituted in with the name of the project or author, giving us effectively infinitely many valid but different BSD-3-Clause texts. It is not valid to collapse those all into a single common text in the RPMs - to comply with the license we are required to ship the variant with the particular substitutions defined by the project itself.

To pick on xorg-x11-proto-devel we see several variants within the same package:

$ grep "^IN NO EVENT SHALL" xorg-x11-proto-devel/*
xorg-x11-proto-devel/COPYING-applewmproto:IN NO EVENT SHALL PRECISION INSIGHT AND/OR ITS SUPPLIERS BE LIABLE FOR
xorg-x11-proto-devel/COPYING-pmproto:IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
xorg-x11-proto-devel/COPYING-windowswmproto:IN NO EVENT SHALL PRECISION INSIGHT AND/OR ITS SUPPLIERS BE LIABLE FOR
xorg-x11-proto-devel/COPYING-xextproto:IN NO EVENT SHALL HEWLETT-PACKARD COMPANY BE LIABLE FOR ANY CLAIM,
xorg-x11-proto-devel/COPYING-xf86driproto:IN NO EVENT SHALL PRECISION INSIGHT AND/OR ITS SUPPLIERS BE LIABLE FOR
xorg-x11-proto-devel/COPYING-xf86vidmodeproto:IN NO EVENT SHALL Kaleb S. KEITHLEY BE LIABLE FOR ANY CLAIM, DAMAGES

yeah… there’s a reason my fdupes based spelunking example didn’t comment on the BSD licenses… It’s also why I keep hinting we only focus on the strict deduping.

but given that… makes me wonder how many variants of MIT & BSD are here on my laptop…and if someone were foolish enough to install the full package catalogue and ran my fdupes analysis would it still come out to be about a 2/3rds duplicate in size and file count..scaling the same a my laptop?

Let’s assume my laptop analysis scales. 3.5k binary packages with 4.6k license files 3k of which are duplicates via 400 ‘set’ unique files. Scaling up to say 35k binary packages… means strict deduping of 30k duplicate files using 4k ‘set’ unique files… and about 12k other unique files. The ‘set’ unique files are going to be a weird mix of variants of a lot of license files.

Would it be desirable to have common-license package that has 4k files in it in order to dedupe something like 30k files out of 46k? It’s like a 90% reduction in size just with strict deduping of files that show up at least twice. You’d have dozens of GPLv2 variants in those 4k set unique files in the common package, but you could use checksum logic to figure out which one is the verbatim match out of the variants.

Maybe 4k files is a little too much… maybe we can just take like the most duplicated files..
using a little awk and and sort magic with fdupes…

$ fdupes -r -l ./ | awk '{ print NF $0}' | sort -n -r | head -n 50

I get the top 50 duplicated fdupes ‘set’ unique files on my laptop

The top 50 duplicated files sum up to 2310 of the 3465 duplicated files so about 2/3 of the total duplicated files. So 2/3rds of the total possible space savings so we’re down from a maximum of 90% savings using 400 files to about 60% savings using 50 files. I wonder how those top 50 from my laptop scale across the entire set of packages?

Details from my laptop.
top has 175 copies and is a GPLv2 variant
50th has 12 copies and is an APACHEv2 variant
49th has 12 copies and is a BSD 2-clause variant using 'THE COPYRIGHT HOLDER` in the ‘NO EVENT SHALL’ clause and the placeholder year and owner at the top.
41st has 14 copies and is a BSD 3-clause variant with boiler plate placeholders

going even further.. I can get to 50% reduction of 1723 duplicates with just the top 20 ‘set’ unique files.

number 10 on the list with 66 dupes is a BSD 3-caluse variant with boiler plate placeholders

So it could be just having a relatively small number of common variants of license files may actually have some utility with minimal risk… if the tooling sticks to strict deduping.

Why is the base prefix GPL-3.0? Why not GPL? What would be common prefix for CC-BY-NC-SA-3.0-DE - will it be CC or CC-BY or CC-BY-NC-SA-3.0? So many questions.

Another thing to bear in mind is that SPDX license identifiers can have modifiers for exceptions eg “LGPL-2.1-or-later WITH GCC-exception-2.0”. So when linking to a license, it isn’t always sufficient to link to just one file - the “LGPL-2.1-or-later” text needs to be combined with the “GCC-exception-2.0” text.

Sure, and those exceptions aren’t really a special case. It’s just another identifier bounded by operands. Since the exception text is standardized, it can be captured too.

OK I have installed a system with as many x86_64 packages I could get installed without various non-declared conflicts stopping things. The following is the data I could get for this.

root@fedora-rawhide:/usr/share/licenses# rpm -qa | wc -l
65893
root@fedora-rawhide:/usr/share/licenses# fdupes -r -m /usr/share/licenses
27594 duplicate files (in 3707 sets), occupying 346.6 megabytes
root@fedora-rawhide:/usr/share/licenses# du -sch .
509M    .
509M    total
root@fedora-rawhide:/usr/share/licenses# find . -type f | wc -l
42615

Now some of the files in licenses don’t seem to be actual licenses, and there are a TON of small variations of the perl and gpl v1 license it seems. However this should give some upper limits if we ‘assumed’ the 42615 files found were licenses, and over half are duplicates which can be brought down to 3707. This means that there are around 15021 which aren’t de-duplicated for a total of around 18728.

I will try to do a more thorough audit of the files and see how many of these are tiny variations using licensecheck and md5sum to see where the variations lie.

Some more info. There are a lot of unknown license files in the /usr/share/licenses directory which cover things like PATENTS or other NOTICES plus some AUTHORS files. Removing those and using license check on the 39677 files left I have for the top 50 types of licenses:

root@fedora-rawhide:~# awk -F: '{print $2}' /tmp/z | sort | uniq -c | sort -bnr | head -n 30
   6019  MIT License
   4005  BSD 3-Clause License
   3441  *No copyright* Apache License 2.0
   3317  GNU General Public License, Version 2
   2553  GNU General Public License, Version 3
   2536  LaTeX Project Public License 1.3c
   2001  LaTeX Project Public License 1
   1634  GNU Lesser General Public License, Version 2.1
   1077  Apache License 2.0
    981  UNKNOWN
    813  GNU Lesser General Public License, Version 3
    780  BSD 2-Clause License
    763  Artistic License 1.0 and/or GNU General Public License, Version 1 and/or The Perl 5 License
    740  *No copyright* UNKNOWN
    603  GNU Library General Public License, Version 2.0
    551  *No copyright* Creative Commons CC0 1.0
    457  SIL Open Font License 1.1
    453  GNU General Public License, Version 1
    415  Mozilla Public License 2.0
    407  *No copyright* BSD 3-Clause License
    269  ISC License
    239  *No copyright* MIT License
    206  Artistic License 1.0 (Perl) and/or GNU General Public License, Version 1 and/or The Perl 5 License
    197  GNU General Public License v2.0 or later
    179  *No copyright* BSD 2-Clause License
    165  *No copyright* GNU Lesser General Public License, Version 3
    155  LaTeX Project Public License 1.2
    148  *No copyright* Boost Software License 1.0
    142  *No copyright* GNU General Public License, Version 3
    134  Artistic License 2.0

with licensecheck saying there were 756 different types of general licenses but I can see that it does not differentiate between ones with one or another address in it or other things.. so I would NOT use this to say we can have some set of N licenses and cover all software.

Oh and for space savings.. to install as many packages as I did, I needed 372 GB of diskspace which would save 340mb of space. Most of the storage being used for the 65893 packages is in /usr/share/docs it would seem.

yeah the docs…
but there’s an rpm mechanism to delibrately request the docs not be placed on the filesystem right? I’m rusty..but i could have sworn that was a thing. One of the reasons in fact why the licenses cant be in the docs directory in fact.. because creates a compliance issue if users use that mechanism.

Yes there is, and normally if you are creating containers or such you will end up with installing that way. If I had more time to put into this, I would probably try to set up a new system which had that turned off to figure out what space savings there were. One thing I did see was that there are a LOT of small variations of the same files.

licensecheck reads and sees that it is MIT or GPL or something but the real difference is that there is an exception or some other item which changes the license checksum so just saying it is ‘GPLv3’ and pointing to a common-licenses GPLv3 file may not be right.

I also learned that rebooting a system after you have installed everything is not a good idea.. a lot of services are turned on by default and that ends up with a non-working system

First of all,
you just confirmed that I’m able to nerdsnipe you.. I pledge not to abuse that.. much.

Second of all,
your at scale numbers with 65k packages appear to be inline with my scaled up estimates from my laptop. Your 3707 fdupes ‘set’ unique files is lower than my estimate by a little bit…which suggests that at scale the duplication factor increases a little bit nonlinearly.
If I prep a little python script thing to spit out a visual distribution of what fdupes output would you run it against your maximum installed package set?

also…that last pasted in ’ …| head -n 30’ pipeline you showed..
assuming those numbers at the start are the duplication count like I showed.. but from the licensecheck pov instead of fdupes pov. Summing up your top 30 duplicated files.. i get 35k duplicated files.. meaning 30 licensecheck ‘set’ unique files account for 35k files on disk?

licensecheck is clearly looking at a lot of files that fdupes considers unique and not part of a set of size > 1. It would interesting to rerun licensecheck just against the files fdupes reports as being in a duplicate set…hmmm…

yes. I think licensecheck is grouping all kinds of license files which don’t duplicate as the same. I need to do something a bit smarter when I get this box working again.

I can put a script together against my laptops.. and then you can just run that? that we can share output from the same methodology that compres/contrasts both fdupes and licensecheck

yes you can share it here, matrix or other communication systems.

Top 50 duplicate license files

For the most part I found that the differences between various versions of a license were due to the following:

• Added copyright data saying who and when the file was copyrighted
• Format changes where spacing changed things
• Address changes for web urls and places to send mail to.
• Major change in the KDE license which I am not sure which one is valid

ssmoogen@fedora-rawhide:/tmp$ grep -i kde /tmp/z4
| ./accessibility-inspector/LicenseRef-KDE-Accepted-LGPL.txt| *No copyright* GNU Lesser General Public License, Version 3| 161| e4b79a181b6483b37d39a27f4d75e60a |
| ./akonadiconsole/LicenseRef-KDE-Accepted-GPL.txt| *No copyright* GNU General Public License, Version 3| 128| b4c280013bbbadfbe92219498dc5228c |

ssmoogen@fedora-rawhide:/usr/share/licenses$ diff ./accessibility-inspector/LicenseRef-KDE-Accepted-LGPL.txt ./akonadiconsole/LicenseRef-KDE-Accepted-GPL.txt
2,5c2,5
< modify it under the terms of the GNU Lesser General Public
< License as published by the Free Software Foundation; either
< version 3 of the license or (at your option) any later version
< that is accepted by the membership of KDE e.V. (or its successor
---
> modify it under the terms of the GNU General Public License as
> published by the Free Software Foundation; either version 3 of
> the license or (at your option) at any later version that is
> accepted by the membership of KDE e.V. (or its successor
7c7
< proxy as defined in Section 6 of version 3 of the license.
---
> proxy as defined in Section 14 of version 3 of the license.