News and Editorials
By Jonathan Corbet
January 20, 2010
Kate Stewart is the manager of the PowerPC team at Freescale. As such, she
has a basic customer service problem to solve: people who buy a board from
Freescale would like to have some sort of operating system to run on it.
That system, of course, will be Linux; satisfying this requirement means
that Freescale must operate as a sort of Linux distributor. At her
linux.conf.au talk, Kate talked about a new initiative aimed at helping
distributors to ensure that they are compliant with the licenses of the
software they are shipping.
Early GPL enforcement actions against companies like Cisco were, arguably,
misplaced: Cisco was just gluing its nameplate onto hardware (and
software) supplied to it by far-eastern manufacturing operations. The
original GPL violation was committed by the original manufacturers who
incorporated GPL-licensed software and failed to live up to the source
distribution requirements. There
was a clear purpose behind targeting companies like Cisco, though: the
unpleasantness of dealing with GPL compliance problems was meant to get
them to require compliance from their suppliers, which were otherwise
harder to reach. Companies seem to have gotten the message; Kate noted
that the supply chain is now routinely requiring certification of license
compliance from suppliers. So Freescale needs to stay on top of license
compliance in order to be able to sell its products; your editor suspects
this may be a more powerful motivation than the mere need to avoid
copyright infringement.
One common worry related to license compliance, of course, is that somebody
might have somehow incorporated proprietary code into a freely-licensed
package. More
common, though, are simple license compatibility issues, such as the
inclusion of a GPL-licensed file in an ostensibly BSD-licensed package.
Finding this kind of problem requires the examination of every file
distributed with a package - and there are a lot of packages with a great
many files out there. It's a lot of work.
Freescale is certainly not the only Linux distributor, and it is not the
only one facing this problem; anybody who is distributing software (free or
otherwise) is (or at least should be) going through a similar process. That
leads to a lot of duplicated work which really could
be shared. At the first LinuxCon event in September 2009, a number of
interested parties got together to try to figure out if there was a way
that the license validation and compliance work could be carried out in a
more community-oriented manner.
The problem may seem simple, but there are a lot of details to deal with,
starting with the large number of ways of analyzing projects. At one end,
commercial tools provided by companies like Black Duck and Palamida can
automate the
task of finding a number of common licensing problems. But there are also
many homegrown tools and spreadsheets in use throughout the industry. The
end result is predictable: lots of incompatible data, inconsistent work,
and duplicated effort.
Given that, it's not surprising that this new (and, apparently, still
unnamed) project is starting with an attempt to standardize the encoding of
information about packages. This information comes at a number of levels:
- The identification of the project as a whole, including metadata on
the results of any analysis which has been done. Included here is a
formal name for the package, its published location, the stated
license (and any possible alternative licenses), how the package is
used (is it a standalone program or a library?), the copyright holders
and dates of copyright, etc.
- Package-specific facts: the version that was analyzed, hashes for each
of the included files, how the information about the package was
generated, and so on. There will also be the equivalent of a "signed
off by" tag whereby people doing analysis on a package would certify
their results.
- File-specific information for every file found in the package: its
full path name, the type of the file, the license governing it,
copyright information, and so on.
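An added illustration of the three levels listed above (not part of the original article, and not the working group's format, which had not yet been defined): it builds a project/package/file record for a small package and flags files whose detected license differs from the stated one, such as a GPL-licensed file in an ostensibly BSD-licensed package. The field names, the header-matching heuristics and the sample package are all constructed assumptions.

```python
import hashlib
import re

# Constructed sample package (path -> contents); not taken from any real project.
SAMPLE_FILES = {
    "src/main.c": b"/* Licensed under the BSD 3-Clause license */\nint main(void) { return 0; }\n",
    "src/util.c": b"/* Free software under the GNU General Public License */\n",
    "README": b"Example package\n",
}

# Toy header heuristics (assumption); real scanners use far larger pattern sets.
LICENSE_PATTERNS = [
    ("GPL", re.compile(rb"GNU General Public License", re.I)),
    ("BSD", re.compile(rb"\bBSD\b")),
]

def detect_license(data):
    # First license whose marker appears in the file wins; otherwise UNKNOWN.
    for name, pattern in LICENSE_PATTERNS:
        if pattern.search(data):
            return name
    return "UNKNOWN"

def build_record(name, location, stated_license, version, files, reviewer):
    """Assemble project-, package- and file-level facts (hypothetical field names)."""
    paths = sorted(files)
    return {
        "project": {"name": name, "location": location, "stated_license": stated_license},
        "package": {
            "version": version,
            "generated_by": "header scan",
            "certified_by": reviewer,  # the "signed off by" equivalent
            "file_hashes": {p: hashlib.sha256(files[p]).hexdigest() for p in paths},
        },
        "files": [
            {"path": p, "type": "source" if p.endswith(".c") else "other",
             "license": detect_license(files[p])}
            for p in paths
        ],
    }

def license_conflicts(record):
    """Paths whose detected license differs from the package's stated license."""
    stated = record["project"]["stated_license"]
    return [f["path"] for f in record["files"] if f["license"] not in (stated, "UNKNOWN")]

if __name__ == "__main__":
    rec = build_record("examplepkg", "https://example.org/examplepkg", "BSD",
                       "1.0", SAMPLE_FILES, "Constructed Reviewer")
    print("conflicts:", license_conflicts(rec))
```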
Once the process of standardizing the encoding of this information has been
completed, the project can move on to the second phase, which is the
creation of a common site to host information stored in that format. The
idea here is to make it easy to look up and share information on specific
packages, and to make any known problems publicly visible.
All of that, in turn, has a goal beyond the simple sharing of work: they
would also like to improve the quality of the next generation of packages.
By making public review of licensing information easier, it is hoped that
problems will be found (and fixed) sooner. One gets the sense that
companies like Freescale are getting tired of finding licensing issues in
packages which are scheduled to ship in a few days. A related goal is to
make package maintainers more aware of where their code is coming from. As
licensing issues are found in a public review process, maintainers will,
hopefully, begin to pay more attention and these issues will become less
common.
The project is still in an early stage; there is a mailing list set up on
the FOSSBazaar site, but not a whole lot else. The dreaded regular
conference call will be established in the near future. The group hopes to
create a proposed standard within the next few months; the Linux Foundation
will be
helping with legal review to ensure that all of the appropriate bases are
covered. The current plan is to get the first version of the standard
published in August, 2010.
During the question period, Andrew Bartlett expressed his dislike for the
central database concept. Centrally-maintained information, he says, will
soon go stale. It would be better to create a format for a license
metadata file which could be maintained and shipped with the project
itself; he said he would be glad to carry such information with the Samba
distribution. That is an idea which will likely be carried back to the
working group for consideration.
Licensing is an important component of the free software development
process, and ensuring that our licenses are complied with is incumbent upon
anybody engaged in software distribution. But all of the associated due
diligence work really only has to be done once; like the development of the
software itself, it can be managed in a community-oriented manner. The
formalization and organization of the associated information is a logical
first step toward bringing a community process to this important - if not
necessarily fun - task.
New Releases
The first revision of AV Linux 3.0 is available. "On the heels of AV
Linux 3.0, version 3.0R1 (R1=Revision 1) has been released. I, better than
anyone perhaps realize the inconvenience of a new version so quickly, it is
my hope that this is the best move in the long run to provide a stable base
that has a broader possible range of installation and can be better
maintained with updated packages over the course of a longer "shelf
life". This fixes many of the installation issues created by 3.0 as well as
streamlining and drastically reducing the ISO size down to just over a
Gigabyte. My sincere thanks to the AV Linux users who were guinea pigs and
helped to test and provide feedback on 3.0R1 before its release."
openSUSE has released the second beta of the openSUSE Build Service (OBS).
"This release
is now feature complete and also the API should be final by now. Biggest
changes since beta 1 are: * Switch to Ruby on Rails 2.3.5 * The branch call
is doing full copies of packages now, not just _link files anymore *
Repository status + dirty flag is calculated and displayed in the web
interface (and with osc 0.125) * many bugfixes esp. in api and webui *
Workers can get auto configured via SLP."
The Xange team has announced the release of Open Xange 2010: the very best
of Xange, only with OSS - Open Source Software. Xange is a Fedora remix
with KDE.
The H covers the release of Pardus Linux 2009.1. "The Pardus developers have announced the release of Pardus Linux 2009.1. Pardus is a Turkish distribution sponsored by The National Research Institute of Electronics and Cryptology (UEKAE) and includes several unique features: PiSi (Packages Installed Successfully, as Intended), an efficient and small package management system for installing and managing software implemented using Python, and COMAR, their own COnfiguration MAnageR that includes the Mudar init system for Pardus."
Puredyne 9.10 is out. "Puredyne is a GNU/Linux live distribution aimed at
creative people,
looking for tools outside the standard. It provides the best
experimental creative applications alongside a solid set of graphic,
audio and video tools in a fast, minimal package. For everything from
sound art to innovative filmmaking." Changes in this release appear
to include 64-bit support and the "broth" mechanism designed to make it
easy to create derivative distributions.
The second alpha of the Ubuntu 10.04 "Lucid Lynx" release is available for
testing. There are a number of changes in this alpha, including the removal
of Hal, a 2.6.32 kernel, and no less than three versions of the proprietary
NVIDIA drivers. See this page for a detailed view of the changes planned
for 10.04 as a whole.
Distribution News
Mandriva Linux
Frederik Himpe covers some recent changes in Mandriva's development Cooker. "GNOME has been upgraded to the new development release 2.29.5. The Cheese webcam application has been split into different libraries, making it easier for other applications to integrate webcam functionality (like avatar choosers in instant messaging applications). Epiphany now uses an infobar to ask the user for saving website username and password and stores them in the GNOME keyring."
Ubuntu family
Click below for the minutes from the January 12, 2010 meeting of the Ubuntu
Technical Board.
The Ubuntu development team has elected the members of the Developer
Membership Board. Click below for the results.
Distribution Newsletters
The DistroWatch Weekly for January 18, 2010 is out. "With most major distributions in the early stages of preparation for their next stable releases, it seems like a good time to take a look at some of the lesser-known projects. This week we examine Jibbed 5.0.1, a NetBSD-based live CD that boots into an Xfce desktop and includes a number of desktop applications. In the news section, a new community remix of Fedora with media codecs and improved hardware support makes its first appearance, Mandriva updates its development branch with the latest testing builds of GNOME and KDE, the Dreamlinux user community expresses fears over the future of the project, and Arch Linux developers defend the "Arch way" in an interview at OSNews. Also in this week's issue, Jesse Smith explains why free software is sometimes perceived as inferior compared to proprietary applications. Finally, don't miss the statistics section which takes another look at online sales of free operating systems. Happy reading!"
The Fedora Weekly News for January 17, 2010 is out. "This issue starts with announcements from the project, including availability of Open Xange 2010, a Fedora + KDE distro, a change in cmake macro usage, and some feature update pings for Fedora 13. In Ambassador news, details on the FAmSCo chair, vice-chair named. In Quality Assurance news, lots of detail from this past week's QA Team meetings, plus details on an X.org testing request, desktop validation update, and an updated gnome-shell available for testing. In Translation news, a request for submission branches for Anaconda, notice that virt-viewer has been added and is available for translations, and a new coordinator of the Brazilian Portuguese translation team. In Art/Design Team news, notice of the approval of the new Design Spin for Fedora, and updates to the Fedora 13 theming and graphics. This week's issue wraps up with the latest security advisories for Fedora 11 and 12. We hope you enjoy Fedora Weekly News 209!"
This issue of the openSUSE Weekly News covers:
- openSUSE News: OBS supports new branch and merge handling
- Unixmen/srlinuxx: Five useful extensions for Openoffice
- Jussi Kekkonen (Tm_T): KDE Software Compilation 4.4 RC1 Codename "Cornelius" released
- Sirko Kemter: Building an openSUSE Art-Team
- TuxRadar: The best Linux desktop search tools

and more.
The Ubuntu Weekly Newsletter for January 16, 2010 is out. "In this
issue we cover: Ubuntu 10.4 Lucid Lynx Alpha 2, Ubuntu Developer Week,
Ubuntu User Day, new Ubuntu Women leadership, and Free Culture
Showcase."
Page editor: Rebecca Sobol