Replace copy of license with an SPDX identifier. #171
Conversation
> The above copyright notice and this permission notice shall be included in
> all copies or substantial portions of the Software.
Doesn't removal violate this requirement?
In my opinion, no. The permission notice is still included by way of the SPDX identifier. It merely reduces the redundancy.
SPDX is a reference to a license in an external DB, not to a notice within a license. And the requirement is to include this notice in all copies of the project.
IANAL, but I'm like 99% sure downstreams would not be able to distribute said software if it doesn't have a license file.
It's probably a good idea to ask @hroncok @befeleme @mgorny if the respective distros have policies that would cause problems.
Also, GitHub will probably stop being able to detect said licenses. It uses https://licensee.github.io/licensee/ to perform detection. You can run it as a CLI tool in a container to see what it'd return.
IANAL but the way I understand it, the notice works "downwards". Basically, if the project sources include one, then all redistributions of these sources must include one as well. So if the project sources no longer include the notice, then it simply means redistributions don't have to include it either.
That said, if the project has had third party contributions, then the situation might be different. In particular, since all contributions were made under the license in question and under the assumption that such a notice is present, then the notice effectively holds an obligation for the primary author from other authors. Therefore, unilaterally removing the notice without agreement from other contributors could be perceived as a license violation.
TL;DR: In Fedora, this wouldn't make us too happy, but there are ways forward.
Fedora's licensing guidelines strongly state the preference for including the license file in the distribution, if the license itself states it must be distributed with copies of the software. We must include the file, if present, and ask upstream developers to include the file if it isn't there. If that doesn't render the result, we can either include a text of that well-known license (ideally after confirming with upstream this is the correct text), or decide not to package such a project. I believe MIT is an example of a license that requires going through the process.
Source: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text
Keeping a separate copy of a well-known license is just extra maintenance burden. With the introduction of SPDX identifiers in PyPI metadata, the most straightforward way to indicate the license for the project is through the license metadata field.