GNU bug report logs - #61950
[PATCH] lint: Add 'copyleft' checker.

Previous Next

Package: guix-patches;

Reported by: Antero Mejr <antero <at> mailbox.org>

Date: Sat, 4 Mar 2023 04:17:01 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #50 received at 61950 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Antero Mejr <antero <at> mailbox.org>
Cc: 61950 <at> debbugs.gnu.org
Subject: Re: [bug#61950] [PATCH] lint: Add 'copyleft' checker.
Date: Mon, 06 Mar 2023 23:38:20 +0100

Antero Mejr <antero <at> mailbox.org> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>>   1. It’s entirely fine for, say, a BSD-3 package to link against
>>      Readline (GPLv3+).  The combination is effectively GPLv3+, but
>>      that’s perfectly valid legally speaking.
>
> It's fine for FOSS packages, but if you have proprietary-licensed Guix
> package where the code can't be open-sourced, bringing in a GPL
> dependency is an issue.

Maybe, but it’s not an issue for the Guix project.  :-)

> This copyleft linter goes along with the other patch where guix lint
> exits 1. So you can do something like this in a CI pipeline:
>
> 'guix lint -c copyleft my-proprietary-package'
>
> to block developers from adding copyleft dependencies to a non-free package.

I recommend having this out-of-tree.  If it helps, changing ‘guix lint’
to it can discover new “checkers”, using (guix discovery), might be okay.

>>   2. It’s tempting to view devise a “licensing calculus” of sorts and
>>      automate assessments of licensing compatibility.  However, I think
>>      it’s overestimating both law and our own licensing annotations: how
>>      law applies in a specific case isn’t entirely clear until one goes
>>      to court, and our ‘license’ fields fail to represent all the
>>      relevant nuances anyway (subcomponents having different licenses,
>>      dual/multiple licensing, etc.).
>
> True, this linter check is basic and would not constitute legal advice.
>
> It's more of a broad "software license auditing" sort of thing,
> to allow engineers to do quick compliance checks. In my experience
> it's useful for development in regulated applications of software.
>
> Thanks for the feedback, lmk what you think.

Thanks for explaining.  I think I understand the need now but (1) I
think this need is outside the scope of Guix, and (2) I remain wary of
conclusions drawn from automated ‘license’ field inspection.

I hope that makes sense!

Ludo’.
This bug report was last modified 2 years and 64 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.