
The Fedora Extras license audit

Last year, the Fedora Core distribution went through a process of auditing the licenses on every package it distributed. This long task, handled by Tom Callaway, led to a number of changes as programs with problematic licensing were discovered. Among other things, the cdrecord package was reverted to an earlier version and the openmotif library was dropped altogether. It was not a lot of fun, and some users were upset by what seemed to them to be an exercise in excessive free software zealotry. But the end result was worthwhile: Fedora Core could claim, with a high level of confidence, that it was a 100% free distribution.

But Fedora Core has seen its last release. The upcoming Fedora 7 release will include a great many packages which have not been through the license audit process. Fedora's commitment to free software has not changed, but its ability to be sure that nothing in the distribution has a non-free license has gone away. All of the code which went into Extras, and which is now part of Fedora, is supposed to be free, and almost all of it certainly is. But there might just be a surprise or two in there.

So it looks like the license audit process needs to start all over again. Auditing Extras has been on the project's "we'll get around to that" list for some time, but the merging of the repositories has brought a new urgency to the task. In this context, Tom Callaway has announced the beginning of the Extras audit.

There's just one little problem: Extras is a rather larger set of packages than Core was. So Tom is asking for help:

Sound like fun? Well, no. But it is something that we do need volunteers to help with. So, if you're interested in taking on this challenge, let me know. The more people we can get to help in this task, the quicker it will be completed. We have about 2550 source packages to check.

This would be a good opportunity for anybody with an interest in Fedora to help out; coding skills are not required. What is required is the ability to look over the files in a source distribution - not just the COPYING file - and make sure that the licenses presented there are consistent and free.

In the short term, Fedora would help itself tremendously by putting together some sort of checklist for those who would participate in the auditing process. Longer term, the project may need something like the debian-legal community - a group not known for letting non-free licenses slip by. For that matter, a package which is free for Debian should also be free for Fedora, and vice versa. Maybe distributors should consider working together to avoid duplication of effort while ensuring that everything they are shipping is free software.



The Fedora Extras license audit

Posted Jan 25, 2007 12:37 UTC (Thu) by PhilHannent (guest, #1241)

Clearly a level of automation would solve this issue. You want to check the headers of every source file, check they match a set of standard headers and if not flag it for review. If a header is not found then flag that.

Automating it would mean you could tie it to the packaging process and ensure all future packages were up to date.

Or am I missing something?

The Fedora Extras license audit

Posted Jan 25, 2007 17:17 UTC (Thu) by vmole (guest, #111)

Consider a file that contains the standard BSD 3-clause license *and* a set of additional restrictions. Since the standard header was present, you'd miss the problem.

And yes, this is a real problem: remember that cdrecord claimed to be GPL, but then added additional restrictions.

The Fedora Extras license audit

Posted Jan 31, 2007 19:24 UTC (Wed) by gerv (subscriber, #3376)

I have a script which looks for certain types of license; I used it in the Mozilla relicensing. It's probably both overly-complex and not featureful enough for this, but it should be possible to tell with a pretty good level of reliability what the licence block on a set of files is.

Another way you could use it is duplicate removal. Particularly for the GPL and similar licenses (not the MPL) where the boilerplate doesn't change, you could have a script which says "Hey, there are these 7 different boilerplates somewhere in this package. Please check they are all OK." Much easier than going through thousands of files by hand.
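The three comments above sketch one tool between them: match each file's header against known boilerplates and flag the rest (PhilHannent), catch a standard notice that has extra restrictions tacked onto it (vmole, citing cdrecord), and collapse identical boilerplates so a reviewer reads each distinct one once (gerv). The script below is an added example written for this page, not Fedora's audit tooling and not gerv's script; the template excerpts, the sample files in SAMPLE_TREE and the function names (extract_header, boilerplate, classify, distinct_boilerplates) are all constructed here.

```python
"""License-header triage over a source tree (added example, not Fedora tooling).
Per file: take the leading comment block, match it against known boilerplates,
report NO-HEADER / UNKNOWN, and report any words left over once the boilerplate
is removed (a standard notice plus added restrictions). Then group by boilerplate."""
import re
from collections import defaultdict

# Known boilerplates: constructed, abbreviated excerpts. A real run carries each
# complete notice, because every word not in the template is flagged for review.
KNOWN = {
    "GPL-2.0-or-later": (
        "This program is free software; you can redistribute it and/or modify it "
        "under the terms of the GNU General Public License as published by the "
        "Free Software Foundation; either version 2 of the License, or (at your "
        "option) any later version."
    ),
    "ISC": (
        "Permission to use, copy, modify, and/or distribute this software for any "
        "purpose with or without fee is hereby granted, provided that the above "
        "copyright notice and this permission notice appear in all copies."
    ),
}
# Line-start heuristic for holder/year lines; they vary per file and are dropped.
COPYRIGHT_LINE = re.compile(r"^(copyright\b|\(c\))", re.I)

def normalise(text):
    """Lower-case words only, so wrapping, case and punctuation cannot defeat a match."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))

KNOWN_NORM = {name: normalise(t) for name, t in KNOWN.items()}

def extract_header(path, source):
    """Lines of the leading comment block with markers stripped: /* */ blocks,
    // lines and (in .py/.sh files) # lines. Stops at the first line of code."""
    hash_ok = path.endswith((".py", ".sh"))
    lines, in_block = [], False
    for raw in source.splitlines():
        s = raw.strip()
        if in_block:
            lines.append(s.strip("*/ "))
            in_block = "*/" not in s
        elif s.startswith("/*"):
            lines.append(s.strip("/* "))
            in_block = "*/" not in s
        elif s.startswith(("//", "*")) or (hash_ok and s.startswith("#")):
            lines.append(s.lstrip("/#* "))
        elif s != "":
            break  # first non-comment, non-blank line ends the header
    return [l for l in lines if l]

def boilerplate(path, source):
    """Normalised header minus copyright lines, so two files that differ only
    in holder or year share one boilerplate."""
    return normalise(" ".join(l for l in extract_header(path, source)
                              if not COPYRIGHT_LINE.match(l)))

def classify(path, source):
    """(label, residual): a non-empty residual is text no template accounts for."""
    body = boilerplate(path, source)
    if not body:
        return "NO-HEADER", ""
    for name, template in KNOWN_NORM.items():
        if template in body:
            residual = " ".join(body.replace(template, " ").split())
            return (name + "+EXTRA" if residual else name), residual
    return "UNKNOWN", body  # also catches a known notice with words spliced into it

def audit(tree):
    return {path: classify(path, src) for path, src in tree.items()}

def distinct_boilerplates(tree):
    """Group paths by boilerplate; the keys are what the reviewer actually reads."""
    groups = defaultdict(list)
    for path, src in tree.items():
        groups[boilerplate(path, src)].append(path)
    return dict(groups)

# Constructed sample package; the restriction sentence is invented for the demo.
GPL_HEADER = """\
/*
 * Copyright (C) 2007 {holder}
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.
"""
SAMPLE_TREE = {
    "src/main.c": GPL_HEADER.format(holder="A. Hacker") + " */\n#include <stdio.h>\n",
    "src/util.c": GPL_HEADER.format(holder="B. Hacker") + " */\nint u(void) { return 0; }\n",
    "src/restricted.c": GPL_HEADER.format(holder="C. Hacker") + " *\n"
                        " * Modified versions may not be distributed without the author's consent.\n"
                        " */\nint r(void) { return 1; }\n",
    "lib/isc.c": "/* Copyright (c) 2007 D. Hacker\n * Permission to use, copy, modify, and/or distribute this software for any\n"
                 " * purpose with or without fee is hereby granted, provided that the above copyright\n"
                 " * notice and this permission notice appear in all copies.\n */\nint i(void) { return 3; }\n",
    "util/helper.py": "# Copyright 2007 Someone\n# Do what you like with this, no warranty.\nprint(1)\n",
    "util/nolicense.c": "#include <stdlib.h>\nint h(void) { return 2; }\n",
}
```

Calling `audit(SAMPLE_TREE)` labels the two clean GPL files, marks `src/restricted.c` as `GPL-2.0-or-later+EXTRA` with the added sentence as the residual, and reports `util/helper.py` as UNKNOWN and `util/nolicense.c` as NO-HEADER; `distinct_boilerplates` collapses the six files to five texts, with both clean GPL files under one key. The design choice is deliberately conservative: anything beyond the known template is handed to a human rather than judged by keyword, because a false positive costs a minute of reading while a missed restriction is exactly the cdrecord problem. The comment-stripping and copyright-line rules are heuristics that only need to be good enough for triage; a file whose header confuses them lands in UNKNOWN, which is still a review queue, not a pass.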

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds