@artemis it seems like you've uncovered "best effort" licensing

@artemis nix used to package adobe flash (and install it by default when you asked for firefox) so it doesn't surprise me at all that they screw this up.

alpine doesn't really strike me as the kind of folks who'd care much either but i don't have any direct experience with it so that's just a gut feeling. homebrew and macports *definitely* don't have much quality control on their packaging. seeing arch on the list is the only one that's mildly surprising to me.

@technomancy "and install it by default when you asked for firefox" AMAZING. i love distributing software

@artemis i have held a decade-long grudge against nix because of this. like... they fixed it, but what does it tell you about the project leadership that they *ever* considered this, even for a moment?

it's like if you ordered pizza delivery and they brought it to you with a turd on the top and when you got mad they're like "oh yeah, turdless pizza is a separate item, you should have been more specific"

@artemis

the issue is that dependency trees of software change over time, and thus the license situation also changes.

things like SBOMs, ELF references, etc. will help distributions to automatically deduce the correct license information for packages, rather than depending on manual checks.

but we are probably at least a year or two out before that starts to land in distributions

@ariadne yeah this seems extremely like a non-trivial problem, especially if you're the maintainer for more than just a handful of packages. I intentionally made the post a little click-baity to get people talking about it but I tried to throw enough names in that it's clear it's not just some particular group doing things "wrong" or whatever

@artemis sadly, a lot of maintainers just copy the license data from some other distribution, hoping that it got vetted along the way.

a license review of alpine is long overdue, my hope is to just automate license compliance instead.

there is a weekly SPDX call about automation that might interest you.

@artemis Basically with licenses that are not copyleft (the so-called "permissive" licenses such as MIT, Apache, the BSD ones or the Unlicense, CC0 etc. but not GPL for example), you are allowed to take the code and distribute it under your own different license.

So for example I can write a program of my own, include some Apache-licensed code inside it, and release the entire thing under the MIT license. The entire thing, including that other code, is now released under MIT.

@artemis This means my resulting program wouldn't be partially MIT and partially Apache, it would be distributed entirely under the terms of the MIT license. It would have to include the original Apache license notice from the other code, but that doesn't mean I'm releasing it under Apache, that is just the form of credit required by the Apache license.

Copyleft licenses such as the GPL differ in that they don't allow this (they require derivative works to use the same license).
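An added example, not code from anyone in this thread: the kind of automated check ariadne's SBOM remark points at, applied to the permissive-vs-copyleft rule just described. It walks a constructed SPDX-style SBOM (the dict layout, the package names and the copyleft list are assumptions for illustration) and reports where a package declared under a permissive license pulls in copyleft code through its dependency tree.

```python
from collections import deque

# Constructed SBOM: each package declares its own license, and the
# DEPENDS_ON relationships are the dependency tree that drifts over time.
SBOM = {
    "packages": {
        "myapp":    {"licenseDeclared": "MIT"},
        "libhttp":  {"licenseDeclared": "Apache-2.0"},
        "libcrypt": {"licenseDeclared": "GPL-3.0-only"},
        "libutil":  {"licenseDeclared": "BSD-3-Clause"},
    },
    "relationships": [
        ("myapp", "DEPENDS_ON", "libhttp"),
        ("myapp", "DEPENDS_ON", "libutil"),
        ("libhttp", "DEPENDS_ON", "libcrypt"),  # copyleft reached transitively
    ],
}

# Assumed classification for this example; real tooling would take it
# from SPDX license metadata rather than a hand-written set.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "LGPL-2.1-only"}


def transitive_deps(sbom, root):
    """Every package reachable from root by following DEPENDS_ON edges."""
    edges = {}
    for src, rel, dst in sbom["relationships"]:
        if rel == "DEPENDS_ON":
            edges.setdefault(src, []).append(dst)
    seen, queue = set(), deque([root])
    while queue:
        for dep in edges.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def license_report(sbom, root):
    """Return (declared license, licenses present in the tree, conflicts).

    A conflict is a copyleft component under a package whose declared
    license is permissive: the whole cannot be redistributed under the
    permissive license as the post above describes for MIT/Apache code."""
    declared = sbom["packages"][root]["licenseDeclared"]
    deps = transitive_deps(sbom, root)
    lic = lambda p: sbom["packages"][p]["licenseDeclared"]
    tree = {lic(d) for d in deps}
    conflicts = [] if declared in COPYLEFT else sorted(d for d in deps if lic(d) in COPYLEFT)
    return declared, tree, conflicts
```

Re-running the report after every dependency bump is the point: the declared license string stays "MIT" while the tree underneath it changes.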

@artemis Mos Eisley cantina:

Dr. Evazan: He doesn't like you.
Luke Skywalker: Sorry.
Dr. Evazan: I don't like you either! You just watch yourself! We're wanted men. This program is illegally packaged in 14 distributions!
