Fedora Board Recap 2007-JUL-10

Jeff Spaleta jspaleta at gmail.com
Fri Jul 13 02:11:21 UTC 2007


On 7/12/07, Luis Villa <luis at tieguy.org> wrote:
> > 1) Why do we need to examine code coming from upstream updates?  (E.g.
> > only to make sure the license tag spells out the correct version?)
>
> Consider a not very hypothetical hypothetical: (the details of the
> incompatibility are simplified and possibly even incorrect, because I
> have been at the office *a lot* the past three days, but the basic
> idea is there)
>
> * Samba releases a library which is GPLv3. They are upstream for
> libsmbclient; it is their prerogative to do this.
>
> * Fedora packages and ships this new, GPL v3 libsmbclient.
>
> * Fedora rebuilds things which link against libsmbclient, but which
> are not GPL v3.
>
> * Fedora distributes. Voila... a (potential, depending on the details)
> license violation!
>
> Here, all relevant upstreams have done the right thing, and yet Fedora
> has committed a license violation. So Fedora might wish to put into
> place review procedures which minimize the risk of this occurring.

I think this is a potentially messy enough issue that all Fedora
maintainers need to make sure that they have an accurate idea of what
their upstreams are doing with regard to GPLv3 and, more importantly,
take a look at what the libraries your applications depend on plan to
do.
And please, if you are a package maintainer and your upstream is
looking at moving to GPLv3 or LGPLv3, try to ping fedora-maintainers
with a note concerning the change of licensing status so people with
packages that link to that library can get a heads up and talk to
their upstreams.

We really need to make sure that we (as well as other distribution
packagers) are keeping the lines of communication open with the
upstream developers over potential licensing conflicts as individual
projects make the licensing version jump.

-jef



