#3230 Mass license change
Closed: Accepted 11 months ago by zbyszek. Opened a year ago by msuchy.

There is a discussion on devel ML and spanning to legal ML (therefore not easy to provide a link to the whole thread) with the subject:
[SPDX] Mass license change GPLv2 to GPL-2.0-only
It discusses various approaches to finalizing
https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4
The original approach was to do the automatic conversions of licenses that have a 1:1 mapping and for the rest open Bugzillas.
I automatically converted a bunch of less popular licenses, but got lots of feedback on GPL families that affect more than 1k packages.

The owners of the change are in favor of converting e.g. GPLv2 to:

# Automatically converted from old format: GPLv2
# TODO convert to correct SPDX identifier
# See https://docs.fedoraproject.org/en-US/legal/update-existing-packages/
License:  LicenseRef-Callaway-GPLv2

The prefix LicenseRef-* is a valid SPDX id. See https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/#d1-overview

Other ideas and suggestions are floating around with no clear winner. I think there is no bad or good decision.
I believe this is an ideal case for FESCO, which can decide the direction of development and how we should finish this change.

Can you please decide what we should do with the GPL families that have 1:1 mapping and what we should do with the rest of the licenses that are not converted before the Change deadline?


I'd rather not have any licenseref stuff. Aside from our GPL+ tag, there are no Fedora/Callaway GNU family license tags that can't be trivially converted. @ref has already noted that he accepts GPL-1.0-or-later for GPL+, so there's no reason to make it more complex.

The problem is that no Fedora/Callaway GNU family license tag can be trivially converted to SPDX following our current license tag rules that forbid the "effective license analysis".

Yes they can, because "effective license analysis" and "Fedora vs SPDX" identifiers are orthogonal issues.

I don't like that we can't do that anymore, but frankly, nobody is undertaking a full audit of the Fedora packages. Until someone actually plans to fund that effort, changing away from "effective license analysis" is effectively unenforceable.

+1 to the proposal as written in OP.

a) after it's applied, we have valid SPDX license syntax, only valid SPDX tags, and those tags are visible in the License field, and can be consumed and queried programmatically.
b) it can be done with a little script and applied to the whole set of spec files in one day or so. I think the conversion is important, but there should be a limit of how much Miroslav's and other folks' time we are willing to burn on this.

The "effective license" analysis still needs to be done, but this conversion doesn't make it any worse. (If anything, having the LicenseRef-Callaway-tag just makes it clearer that it needs to be done.)

Please don't do this, it is unnecessary complexity. If we want to add a comment to note that a full audit is required, I'd be fine with that.

The note is useful for the packagers looking at the spec file, but it doesn't give the benefits a) or b) listed above.

They aren't benefits over just switching to the correct SPDX identifiers. We're not talking about licenses that don't have mappings like the zillion BSD and MIT variants, these are just the GNU licenses, which have straightforward mappings from Fedora/Callaway to SPDX.

We're not talking about licenses that don't have mappings like the zillion BSD and MIT variants, these are just the GNU licenses, which have straightforward mappings from Fedora/Callaway to SPDX.

While the mail thread started off talking about GPLv2, when the "LicenseRef-Callaway-XXXX" concept was raised, my understanding was that this concept would be something we should apply to all remaining RPMs that are not converted to SPDX. The key benefit of this idea is that we would be separating the 2 tasks - conversion to SPDX expressions, vs conversion to SPDX well known license names. Limiting "LicenseRef-Callaway-XXXX" to only GPL variants makes no sense.

Yes. Initially, it was about converting GPLv2 to GPL-2.0-only. Then about GPLv2 to LicenseRef-Callaway-GPLv2. And my initial thought was only to GPL family and stop. But the last idea allows us to convert everything to LicenseRef-Callaway-$OLDID. Including licenses that do not have 1:1 mapping.

For BSD and MIT, LicenseRef-Fedora is a better prefix since they are Fedora identifiers.

(This also matches the use of Fedora-License-Identifier: too.)

Yeah, LicenseRef-Fedora-* is better than LicenseRef-Callaway-*.

We already use LicenseRef-Fedora-* for "licenses" that do not meet the requirements for being included on the SPDX list, but we use them: LicenseRef-Fedora-Firmware, LicenseRef-Fedora-Public-Domain, LicenseRef-Fedora-UltraPermissive, and LicenseRef-Fedora-Logos.
These are meant to be permanent. For this reason, our group chose LicenseRef-Callaway-* for the transient period.

The Fedora licensing docs typically refer to "The callaway system" when talking about the old license names, so "LicenseRef-Callaway-" would be consistent with that common docs usage e.g. see references in https://docs.fedoraproject.org/en-US/legal/update-existing-packages/

+1 from me on converting to LicenseRef-* for the value of SPDX conformity, even though it still represents a TODO.

I agree. While moving to SPDX and license re-review should technically be orthogonal issues, the fact that a package's license tag has not yet been converted to SPDX is usually the only indication that the license re-review hasn't happened yet, so they can't be handled independently of one another.

IMO auto-converting license tags would be 1) making this information even harder to find and 2) creating packages that have inaccurate license tags wrt/ the new "no effective licensing" rules. Converting Foo to LicenseRef-{Callaway/Fedora}-Foo instead of just converting to plain SPDX gives you the (small?) benefit of making license tags valid SPDX identifiers but still makes it obvious that the re-review hasn't been done yet.

+1 to the plan as described in the original request (including the Callaway moniker)

I'm still +1, FTR.


IMO auto-converting license tags would be 1) making this information even harder to find and 2) creating packages that have inaccurate license tags wrt/ the new "no effective licensing" rules.

Sorry, but 1) is "obviously incorrect". The new scheme makes it easier to search for such cases. Instead of an unstructured comment, you have a License tag with a defined syntax.

Case 2) is also incorrect. It is not creating any new cases. It's just converting a license that was possibly inaccurate wrt. the "no effective licensing" rule from one syntax to the other. If it was incorrect before, the syntax change doesn't change that. If it was correct before, it's still correct.

Sorry, that wasn't clear from my post. The case 1) and 2) were for the original proposal to convert without LicenseRef.

Hmm, but the original proposal says:

The owners of the change are in favor of converting e.g. GPLv2 to:
License: LicenseRef-Callaway-GPLv2

If we do this, then we shouldn't bother with any conversions at all. Either we convert trivial tags to correct SPDX identifiers or we just stop it altogether and give up.

These halfway houses with LicenseRef-Callaway are IMO not acceptable.

Metadata Update from @zbyszek:
- Issue tagged with: meeting

11 months ago

This was discussed in the meeting, approved (+8, 1, -0) and announced in the minutes - note the text of what is approved:

FESCo is in favor of standardizing on the SPDX format and understands that not all licenses are ready for direct conversion. Those licenses that are unreviewed or otherwise not yet fully compliant should be converted to SPDX licenses of the format LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/72M3MGF6YXXRPFT6ZEUQ5LSSQG6QQKD2/

Metadata Update from @salimma:
- Issue untagged with: meeting
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

11 months ago

There seems to be a misunderstanding about the meaning of the approved statement.

See https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q2SQJJJLYUKH6GI6UQC4KUWMBYWQRJAJ/

Reading the comments above, I believe some were against automatically converting GPLv3 to GPL-3.0-only etc., yet this is exactly what happened now. The approved statement does not say anything about this topic.

I second Miro that the decision about GPL* can be evaluated ambivalently. Can I ask FESCo to vote once again specifically about the remaining 1:1 conversion?

The affected licenses are:
ASL 2.0 -> Apache-2.0
GPLv2+ -> GPL-2.0-or-later
GPLv3+ -> GPL-3.0-or-later
GPLv2 -> GPL-2.0-only
GPLv3 -> GPL-3.0-only
LGPLv3 -> LGPL-3.0-only
Boost -> BSL-1.0

FYI, this affects about 3 thousand packages.

My suggestion for the proposal:

Licenses with 1:1 mapping (namely ASL 2.0, GPLv2+, GPLv3+, GPLv2, GPLv3, LGPLv3, Boost) can be automatically converted to their corresponding SPDX counterparts.

When you cast Yes, I will convert it using the table above.
When you cast No, I will follow the previous decision and convert it to LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier

Metadata Update from @msuchy:
- Issue status updated to: Open (was: Closed)

11 months ago

Thanks.


For what it's worth, my primary concern was the GPL licenses, I don't mind if you convert Apache and Boost.

Licenses with 1:1 mapping (namely ASL 2.0, GPLv2+, GPLv3+, GPLv2, GPLv3, LGPLv3, Boost) can be automatically converted to their corresponding SPDX counterparts.

Yes, I think that's what we want.

PROPOSAL: All old license strings shall be converted to SPDX format. For licenses where a 1:1 mapping exists from the legacy Fedora tag to SPDX, the normal SPDX tag shall be used. For licenses where the conversion is ambiguous, a tag in the form of LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier shall be used. In both cases, a comment shall be included in the spec file to indicate that the conversion was done automatically and review is warranted. For the second case, the comment should also indicate that the maintainers should update to normal SPDX tags after review.

For licenses where the conversion is ambiguous

This is the problematic part. People have different views of what is ambiguous and what not.

The ambiguity seems to be the misunderstanding that the license audit and the SPDX identifier change are coupled. They are not.

To make it abundantly clear: after we finish all license identifier conversions, a full audit of Fedora is required to bring it in compliance with the policy change that we cannot use "binary package effective licensing". This was always the case, but the timing of the two policy changes seems to have confused things.

But auditing to update the package licensing statements is a completely separate exercise that should be undertaken with every package update.

So, for example, the old MIT and BSD identifiers have no 1:1 mapping, so they need to change to LicenseRef-FedoraLegacy-MIT and LicenseRef-FedoraLegacy-BSD (as an example).

If it helps clarify things, on the specific ones that @msuchy brought up I am +1 on those conversions - and +1 on @zbyszek 's proposal too

(if the change owners feel we should nail down what can be converted automatically more, then hey, why not)

I am -1 on this. I don't think we should mass convert old identifiers to new identifiers without making somewhat sure that that is correct.
I am +1 on converting them into a Licenseref-Fedoraold-Whatever, which would make them parsable as SPDX identifiers for tools that do that, but still tell maintainers and others that they need to be audited.

This confusion about the GNU license identifiers between the old Fedora ones and the current SPDX ones is honestly a bit surprising. Even going back to the beginning when the case was first made and all the identifiers were being categorized, all the GNU license tags we had for the Fedora system were matched 1:1 to the SPDX ones. They do not have different meanings.

That the form of how GNU license identifiers differ from how we did it before is why I explicitly asked and got confirmation about when it happened. Everyone was forced to deal with it when SPDX deprecated the "+" modifier and the associated GNU license tags that used it.

The only actual difference between "time of Fedora identifiers" and "time of now" is that we have this quest to use SPDX identifiers everywhere and our ability to simplify informational license tags has been removed.

I don't think we should mass convert old identifiers to new identifiers without making somewhat sure that that is correct.

Miroslav has been doing automatic conversions of various licenses from the old tags to spdx tags for many licenses. Going by the titles of emails ("Mass license change GPL+ to GPL-1.0-or-later", "Mass license change ASL 1.0 to Apache-1.0", "Mass license change Artistic 2.0 to Artistic-2.0", …). If those changes were fine (and I think they were), the change of "Mass license change GPLv2 to GPL-2.0-only" is also fine. It is "unambiguous" in the sense that the old tag had a clearly defined meaning of "GNU General Public License v2.0 only" and the new one the exact same meaning according to our guidelines [1].

I think that the requirement to "make somewhat sure that that is correct" has been met.

[1] https://docs.fedoraproject.org/en-US/legal/allowed-licenses/#_allowed_licenses


Let me update my proposal. I thought "ambiguous" would be unambiguous, but it clearly wasn't.

PROPOSAL v2: All old license strings shall be converted to SPDX format. For licenses where a 1:1 mapping exists from the legacy Fedora tag to SPDX, the normal SPDX tag shall be used. For licenses where the old license tag maps to more than one possible license in the SPDX database, a tag in the form of LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier shall be used. In both cases, a comment shall be included in the spec file to indicate that the conversion was done automatically and review is warranted. For the second case, the comment should also indicate that the maintainers should update to normal SPDX tags after review.

Indeed. To note, when we started this, the spreadsheets that eventually turned into those tables also had that, and it was completely agreed upon for those mappings.

+1

PROPOSAL v2: All old license strings shall be converted to SPDX format. For licenses where a 1:1 mapping exists from the legacy Fedora tag to SPDX, the normal SPDX tag shall be used. For licenses where the old license tag maps to more than one possible license in the SPDX database, a tag in the form of LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier shall be used. In both cases, a comment shall be included in the spec file to indicate that the conversion was done automatically and review is warranted. For the second case, the comment should also indicate that the maintainers should update to normal SPDX tags after review.

+1 (FWIW, this was exactly the intent of my original proposal, but this is far less ambiguous)

Oh, we recently had a discussion if the implicit-+1-from-the-proposer also applies to proposals in tickets. I think it should, but to avoid any doubt:

+1 to my own proposal

Note that automatically converting old GPL tags to new GPL identifiers with a comment is OK by me. Thanks for including that in the proposal.

I suppose that adding comments should mostly handle my objections... I guess I can be +1 to that.

We're at (+5, 0, 0).
I'll add this to the meeting agenda so that we can wrap this up more quickly.

Metadata Update from @zbyszek:
- Issue tagged with: meeting

11 months ago

AGREED: All old license strings shall be converted to SPDX format. For licenses where a 1:1 mapping exists from the legacy Fedora tag to SPDX, the normal SPDX tag shall be used. For licenses where the old license tag maps to more than one possible license in the SPDX database, a tag in the form of LicenseRef-<something indicating Fedora legacy>-* where * is the old Fedora identifier shall be used. In both cases, a comment shall be included in the spec file to indicate that the conversion was done automatically and review is warranted. For the second case, the comment should also indicate that the maintainers should update to normal SPDX tags after review. (+7, 0, 0)

Metadata Update from @zbyszek:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

11 months ago

Metadata Update from @zbyszek:
- Issue untagged with: meeting

11 months ago
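
The rule agreed above, applied to spec `License:` lines, as an added example that is not part of the ticket or of the change owners' tooling. Assumptions: the `LicenseRef-Callaway-` prefix from the opening post (the decision leaves the prefix open), the wording of the review comment, the way characters outside the SPDX idstring alphabet are rewritten, and that the input spec is known to carry legacy tags; compound `and`/`or` expressions are left untouched.

```python
import re

# 1:1 mappings listed in the ticket (legacy Fedora tag -> SPDX identifier).
ONE_TO_ONE = {
    "ASL 2.0": "Apache-2.0",
    "GPLv2+": "GPL-2.0-or-later",
    "GPLv3+": "GPL-3.0-or-later",
    "GPLv2": "GPL-2.0-only",
    "GPLv3": "GPL-3.0-only",
    "LGPLv3": "LGPL-3.0-only",
    "Boost": "BSL-1.0",
}
# Assumption: prefix taken from the opening post; the decision does not fix it.
LEGACY_PREFIX = "LicenseRef-Callaway-"
DOCS = "https://docs.fedoraproject.org/en-US/legal/update-existing-packages/"
LICENSE_LINE = re.compile(r"^(License:\s*)(.*?)\s*$")

def legacy_ref(old_tag):
    """Build a LicenseRef-* id; SPDX idstrings allow only letters, digits, '.', '-'."""
    # Assumption: '+' is spelled out, any other disallowed run becomes '-'.
    safe = re.sub(r"[^A-Za-z0-9.]+", "-", old_tag.replace("+", "-plus")).strip("-")
    return LEGACY_PREFIX + safe

def convert_spec(text):
    """Rewrite single-tag License: lines of a spec that carries legacy tags."""
    out = []
    for line in text.splitlines():
        m = LICENSE_LINE.match(line)
        old = m.group(2) if m else ""
        # Skip non-License lines, already converted values and compound expressions.
        if (not old or old.startswith("LicenseRef-") or old in ONE_TO_ONE.values()
                or re.search(r"\s(and|or)\s|[()]", old)):
            out.append(line)
            continue
        out.append(f"# Automatically converted from old format: {old}")
        if old in ONE_TO_ONE:
            out.append("# Conversion was automatic; review is warranted")  # constructed wording
            new = ONE_TO_ONE[old]
        else:
            out.append("# TODO convert to correct SPDX identifier")
            out.append(f"# See {DOCS}")
            new = legacy_ref(old)
        out.append(m.group(1) + new)
    return "\n".join(out) + "\n"

# Constructed sample spec fragments, not taken from real packages.
SAMPLE_GPL = "Name: demo-a\nLicense:  GPLv2\nURL: https://example.org\n"
SAMPLE_BSD = "Name: demo-b\nLicense: BSD\n"
```

Running `convert_spec` a second time on its own output changes nothing for these tags, which matters when a mass change is re-run across thousands of spec files.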
