
Re: Fedora Board Recap 2007-JUL-10



On 7/12/07, Luis Villa <luis tieguy org> wrote:
> 1) Why do we need to examine code coming from upstream updates?  (E.g.
> only to make sure the license tag spells out the correct version?)

Consider a not very hypothetical hypothetical: (the details of the
incompatibility are simplified and possibly even incorrect, because I
have been at the office *a lot* the past three days, but the basic
idea is there)

* Samba releases a library which is GPLv3. They are upstream for
libsmbclient; it is their prerogative to do this.

* Fedora packages and ships this new, GPL v3 libsmbclient.

* Fedora rebuilds things which link against libsmbclient, but which
are not GPL v3.

* Fedora distributes. Voila... a (potential, depending on the details)
license violation!

Here, all relevant upstreams have done the right thing, and yet Fedora
has committed a license violation. So Fedora might wish to put into
place review procedures which minimize the risk of this occurring.

I think this is a potentially messy enough issue that all Fedora
maintainers need to make sure that they have an accurate idea of what
their upstreams are doing with regard to GPLv3 and more importantly
take a look at what the libraries your applications depend on plan to
do.
And please, if you are a package maintainer and your upstream is
looking at moving to GPLv3 or LGPLv3, try to ping fedora-maintainers
with a note concerning the change of licensing status so people with
packages that link to that library can get a heads up and talk to
their upstreams.

We really need to make sure that we (as well as other distribution
packagers) are keeping the lines of communication open with the
upstream developers over potential licensing conflicts as individual
projects make the licensing version jump.

-jef

