GNU bug report logs - #61950
[PATCH] lint: Add 'copyleft' checker.

Previous Next

Package: guix-patches;

Reported by: Antero Mejr <antero <at> mailbox.org>

Date: Sat, 4 Mar 2023 04:17:01 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Antero Mejr <antero <at> mailbox.org>
Cc: 61950 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>
Subject: [bug#61950] [PATCH] lint: Add 'copyleft' checker.
Date: Tue, 21 Mar 2023 22:48:37 -0400

Hello Antero,

Antero Mejr <antero <at> mailbox.org> writes:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>>   1. It’s entirely fine for, say, a BSD-3 package to link against
>>      Readline (GPLv3+).  The combination is effectively GPLv3+, but
>>      that’s perfectly valid legally speaking.
>
> It's fine for FOSS packages, but if you have proprietary-licensed Guix
> package where the code can't be open-sourced, bringing in a GPL
> dependency is an issue.
>
> This copyleft linter goes along with the other patch where guix lint
> exits 1. So you can do something like this in a CI pipeline:
>
> 'guix lint -c copyleft my-proprietary-package'
>
> to block developers from adding copyleft dependencies to a non-free package.

I think that goes against the spirit of the GNU project: it's a tool
that helps finding licensing concerns for proprietary software, with the
end goal of weeding out GPL components.  We may be better off if no such
tool exists and more companies embrace the idea that is GPL instead of
helping them spot GPL dependencies so they can rewrite them under some
non-copyleft license.

>>   2. It’s tempting to view devise a “licensing calculus” of sorts and
>>      automate assessments of licensing compatibility.  However, I think
>>      it’s overestimating both law and our own licensing annotations: how
>>      law applies in a specific case isn’t entirely clear until one goes
>>      to court, and our ‘license’ fields fail to represent all the
>>      relevant nuances anyway (subcomponents having different licenses,
>>      dual/multiple licensing, etc.).
>
> True, this linter check is basic and would not constitute legal advice.
>
> It's more of a broad "software license auditing" sort of thing,
> to allow engineers to do quick compliance checks. In my experience
> it's useful for development in regulated applications of software.
>
> Thanks for the feedback, lmk what you think.

I think I'd rather not see this tool in Guix, but I think it could live
happily as a channel or as an extension.

-- 
Thanks,
Maxim
This bug report was last modified 2 years and 64 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.