Check for conforming licences #83
Comments
|
Probably @tarsius has some code we could use here, since he recently wrote code to audit published packages' licences. :-) |
|
Really? Why is this? Not that I object, just curious. |
For the Emacsmirror I wrote some code to detect the license a long time ago and a few weeks ago I published some statistics on https://www.youtube.com/watch?v=TmQKihNpsHk#t=3m19s As a result I had to do damage control and quickly improve my extraction tools (there were ~600 packages whose license it could not detect initially) and contact maintainers to ask them to change the license so we could continue to distribute them while keeping Richard happy. That was my main intention when working on the license detection code; match as many weird ways of specifying the license so that the situation would as quickly as possible not look worse than it actually is and to have mostly reliable lists of maintainers to contact. And it was a mess I wrote a long time ago to begin with. So it is not quite ready to be used by |
|
But why? Packages can be use incompatible licenses just fine, all it would prevent is redistributing them with Emacs itself (and that's irrelevant because Emacs is not free software anyway, what with only the FSF being allowed to contribute); people can download and use them without issue. To me, it sounds like needless pandering to the FSF. |
Because Richard disagrees with that. I think he is wrong. |
|
I'd suggest Richard put his code where his mouth is and rewrite the "offending" packages, then. Third-party package authors are under no obligation to pander to him. |
|
It's even weirder when compared with gcc. This would seem like saying that any software compiled with GCC must be licensed with GPLv3. Or that any software written in Guile must be. Obviously that's not the case. I think I know which of the methods is relevant here. ;) |
GCC is a funny example, because Linux uses GCC plugins licensed under GPLv2 only as a part of the kernel build, while GCC is GPLv3+. Yes, they're incompatible, no, nobody cares. |
No, that's not the same. It's more like saying any GCC extensions must be licenced with GPL. I'm absolutely not a GPL zealot, and also not a lawyer, but there's at least a borderline reasonable argument that all elisp is an Emacs extension, which runs only inside Emacs, and is therefore subject to GPL. And if that is legally the case, then MELPA etc. may not redistribute de facto GPL'd code under incompatible terms, e.g. under an author's invalid or missing licence terms. MELPA now therefore firmly requires packages to be licenced with GPLv3+ or a compatible licence, and my goal here is simply to reduce the MELPA maintenance burden. |
Exactly, and there's a real-world example of people writing, using and redistributing GPLv3-incompatible (namely, GPLv2-only) GCC plugins that I mentioned earlier.
I actually tested some of my packages under SBCL, and they worked with minor modifications, so there's that 😉 Then again, 2-clause BSD is GPL-compatible, so I'm in the clear.
Why not? GPL incompatibility would matter only if repositories redistributed GPL-ed code bundled together with GPL-incompatible code, which they do not, since they just redistribute each package separately.
That's not how licensing works. Even if a work is a derivative of some other GPL work, it's not automatically GPL'd, the author of the derived work would "just" be violating the license of the upstream work, but if somebody redistributed the derived work on the basis that it's de facto GPL, they'd be "guilty" of "copyright infringement". I remember this exact thing happening with some leaked exFAT (IIRC) drivers. Disclaimer: I am not a lawyer (besides, even if I were one, that would still mean squat, because the great thing about law is that there are so many jurisdictions to choose from), and I believe that the very concept of "copyright" and "intellectual property" is cancerous and should be abolished. |
|
Yep, I agree with a bunch of this, but there's not much point us all debating how we think things should work or should be interpreted. We (the MELPA maintainers) are pursuing the path which puts us least at odds with the core Emacs community and FSF because we have limited time to waste on this stuff.
I believe this is exactly the point of GPL, fwiw. |
RMS has said that if this is the case, the programs are probably not a derivative work of Emacs:
However, this is a (probably vanishingly) small set of Emacs packages. |
|
See also #117. If we standardised on requiring/recommending |
@purcell Would you say that the spelling of license causes your brain to incense? :) |
|
AAARRGH |
|
Some tools using SPDX metadata expect the license to be stated like this:
Could we simply use that one? Are there particular tools around Emacs that expect the keyword to be |
|
Those |
|
I am still using TL;DR If Melpa and/or See https://emacsmirror.net/stats/licenses.html for statistics about the used licenses. The reason
At present These are the various methods used by
Yes this is rather wacky. That's because it deals with reality and I've seen things you people wouldn't believe... I don't think we should purge packages if we can determine the license just because it specified in a way that is not sanctioned. Within reason that is. I am completely on board telling the maintainers of the packages for which we need (7) to use (1-3), or else. We could also do so for at least some of the packages that need (4) or (6). In any case I do not want to be involved in the process of going around and urging maintainers to "specify their licenses better". (I have done similar things in the past. A lot. I am done with it.) But if we decide that the license has to be specified in a "somewhat reasonable way, which happens to be used by more than a single maintainer" or a package is removed after a grace period, then I can get behind that. |
|
You are a true Emacs hero. That is experience speaking. |
|
Yeah, that's awesome. Rather than check that a tool which goes to heroically great lengths to figure out the licence will succeed with the code being linted, I'd prefer to just give a clear indication to the author that they should use an easy-to-detect and acceptable method of specifying their licence. I think that might mean that |
I agree, as a linting tool we should be enforcing best practices, so looking for the GPL boilerplate and/or an SPDX header is what I'd prefer to do too. |
|
Here's the SPDX license metadata: https://github.com/spdx/license-list-data/blob/master/json/licenses.json Unfortunately, I can't find a field that says whether each license is GPL-compatible. |
|
Also worth keeping in mind:
|
|
This'll be fun. |
|
I love how everyone from the usual MELPA toil gang is gathered in one thread. @riscy has been spared so far, but not any more :D Naturally enough it's the most tedious of all maintenance topics: not only license incompatibility, but license notice incompatibility :) |
I was conflating We should not remove any (or very few) packages from Melpa because of how they specify the license. But we can and agree that we should impose some restrictions for packages that are being added to Melpa.
We should also continue to support the |
Fully agreed.
Do you have a list of those values? Here's a scraping of the SPDX metadata to get a list of "good" license identifiers: https://misc.lassi.io/2019/package-lint-licenses/licenses-good.el ...where "good" means all of these apply:
The problem is, SPDX doesn't have GPL compatibility metadata. "FSF libre" is much more broad than that. But it may be close enough for a linter. |
|
Re. GPL compatibility, we'd have to go by the list of compatible licenses on the GNU page, really. I think a simple set of checks would look like this:
This way, people who had used |
I believe that should be an error, because GPL 1 and 2 aren't compatible with 3. |
Yes, potentially. |
We could just throw a lint error on GPL 1. GPL 2 is from 1991 :) |
|
If we take the short list from SPDX list and manually remove everything that GNU doesn't explicitly say is GPL-compatible, would that be a good list for the linter? |
|
Yes, I think that would be ideal. |
|
Please "enjoy" my review: https://misc.lassi.io/2019/package-lint-licenses/licenses-good-gpl.el (https://www.reddit.com/r/UnnecessaryQuotes/) So here's the final list of completely unproblematic licenses:
|
|
We could further split that list into niche licenses mainly used by
The popular licenses that are left are, GPL:
LGPL:
Permissive:
|
|
The two-clause BSD license is FSF and OSI approved and GPL compatible, but is not listed, and there are notable Emacs packages licensed under it, for example most of my packages. |
|
@Fanael True: https://github.com/spdx/license-list-data/issues/52 It's just being fixed. |
|
There are probably some non-OSI-approved licenses that have some existing packages under them. I'd image Unlicense and WTFPL fall into this category. |
|
There's some data about GPL compatibility in a "Free Software Foundation API", which looks like it's unofficial but a very useful service anyway. The SPDX team will consider adding similar info to their metadata: spdx/license-list-XML#934 |
|
I have some spare energy to tackle this. @purcell What should we do? The license review above still seems OK to me. Is it too much if package-lint expects an How official is |
Yay, thanks!
I'm not sure I understand the question: are you suggesting alternative rules to what I suggested above? That's fine, but maybe we could enumerate a set of rules?
I think that's fairly official - or at least very widely used - but its format is loose. My take: if there's a |
If they match (however you'd detect that), it's fine. For me as a package author it makes sense to add the SPDX header in addition to the license blurb. Removing the license blurb is not an option, that would increase overall churn for no good reason and make it less clear what the license terms are. |
Yes, fair enough.
I don't think anyone is suggesting that here. |
All elisp packages for versions of Emacs that support
package.elmust be licenced under GPLv3+ or compatible licences.We should report errors if this cannot easily be determined to be the case by looking at package headers. Some guidelines about the text people should include is in this comment.
Tagging @tarsius here.
The text was updated successfully, but these errors were encountered: