[bug#61950] [PATCH] lint: Add 'copyleft' checker.
From: Ludovic Courtès
Subject: [bug#61950] [PATCH] lint: Add 'copyleft' checker.
Date: Mon, 06 Mar 2023 23:38:20 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Antero Mejr <antero@mailbox.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> 1. It’s entirely fine for, say, a BSD-3 package to link against
>> Readline (GPLv3+). The combination is effectively GPLv3+, but
>> that’s perfectly valid legally speaking.
>
> It's fine for FOSS packages, but if you have a proprietary-licensed Guix
> package where the code can't be open-sourced, bringing in a GPL
> dependency is an issue.
Maybe, but it’s not an issue for the Guix project. :-)
> This copyleft linter goes along with the other patch where guix lint
> exits 1. So you can do something like this in a CI pipeline:
>
> 'guix lint -c copyleft my-proprietary-package'
>
> to block developers from adding copyleft dependencies to a non-free package.
I recommend having this out-of-tree. If it helps, changing ‘guix lint’
so it can discover new “checkers”, using (guix discovery), might be okay.
>> 2. It’s tempting to devise a “licensing calculus” of sorts and
>> automate assessments of licensing compatibility. However, I think
>> it’s overestimating both law and our own licensing annotations: how
>> law applies in a specific case isn’t entirely clear until one goes
>> to court, and our ‘license’ fields fail to represent all the
>> relevant nuances anyway (subcomponents having different licenses,
>> dual/multiple licensing, etc.).
>
> True, this linter check is basic and would not constitute legal advice.
>
> It's more of a broad "software license auditing" sort of thing,
> to allow engineers to do quick compliance checks. In my experience
> it's useful for development in regulated applications of software.
>
> Thanks for the feedback, lmk what you think.
Thanks for explaining. I think I understand the need now but (1) I
think this need is outside the scope of Guix, and (2) I remain wary of
conclusions drawn from automated ‘license’ field inspection.
I hope that makes sense!
Ludo’.