[Openembedded-architecture] LICENSE and LICENSE_pkg

Mark Hatle mark.hatle at windriver.com
Mon Aug 8 14:01:30 UTC 2016 

On 8/8/16 7:59 AM, Markus Lehtonen wrote:
> There seems to be confusion and uncertainty (me included) regarding the
> usage of LICENSE and LICENSE_pkg variables - see discussion in [1] and
> [2]. The variables are not well documented and they are used somewhat
> incoherently even inside oe-core.
> 
> The current (unwritten) guideline is that LICENSE is a source-level
> value, a union containing all the (possible) licenses in the package.
> It is also the default license used for all binary subpackages, but,
> LICENSE_pkg values can be used to refine the license on subpackage
> level. LICENSE_pkg should never contain anything that isn't also
> specified in LICENSE.

if it's unwritten, someone should write it down.

LICENSE is supposed to be the overall license of the source code -being
compiled-.  Thus licenses in autoconf and other build components (that do not
influence the license of what is being compiled) are not affected.

LICENSE_pkg is used for the -unusual- case where binaries, when packaged, may
not match the LICENSE value.  I don't believe it is a typical occurrence that
they vary.  The existing system permits the unusual, but does not cater to it.

> However, there are recipes that currently use it incorrectly – at least
> hdparm in oe-core (see [3]). It uses LICENSE as just a default binary
> license (without including all LICENSE_pkg values) and LICENSE_pkg for
> one differently licensed subpackage. We could fix all the recipes like
> this, of course, but it is not necessarily the best solution.
> 
> The basic problem is probably best illustrated by the question "how do
> I package 'mypkg' where one binary subpackage needs to be GPLv2 but all
> other 20 binary packages are BSD?"
> 
> Currently, you'd need to define something like:
> LICENSE = "BSD & GPLv2"
> LICENSE_mypkg = "BSD"
> LICENSE_mypkg-dev = "BSD"
> LICENSE_mypkg-dbg = "BSD"
> LICENSE_mypkg-subpkg1 = "BSD"
> ...
> LICENSE_mypkg-subpkgX = "BSD"
> LICENSE_mypkg-subpkgZ = "GPLv2"

(The -dbg should match LICENSE in all but really unusual cases.)

I don't see it as a burden to the maintainer to list the license of all of the
packages that deviate from the LICENSE value.  If the extreme case above happens
it should be rare -- if it's not it would be nice to have an idea how often it
actually happens.

As time goes on and SPDX, hopefully, is adopted the LICENSE fields being simply
informational and not authoritative.  But this type of work and additional
effort has been outside of the scope of what most folks are doing so far.

(What I mean by the above, assuming the perfect world where we have SPDX,
tooling, etc.  We should be able to identify the source 'LICENSE' based on the
overall SPDX.  Then looking at the things that were packaged, correlate them
back to the SPDX and determine the license of the each package as well.  But
we're lacking the SPDX files and the tools to be able to do all of that.)

> 
> This is not very maintainer-friendly and I think that this should be
> improved. Some possible solutions that I can think of are:
> 
> 1. Add a new LICENSE_DEFAULT variable that would define the default
> binary license. The variable would be optional and default to LICENSE.
> In the case of the example above, you would define:
> LICENSE = "BSD & GPLv2"
> LICENSE_DEFAULT = "BSD"
> LICENSE_mypkg-subpkgZ = "GPLv2"

I actually find this more confusing.  As an engineering -- I can generally
assume that the source code of the license is the source code of the binaries.
Thus the LICENSE -> LICENSE_pkg is a reasonable behavior.  Deviations from that
are really exceptions and should be made as such.

> 2. Change interpretation of LICENSE so that it would be the default
> binary license. Wherever source-level license is needed, it would be
> constructed as a union of LICENSE and all LICENSE_pkg values. The
> source-level license could be provided by an optional LICENSE_ALL
> variable (or similar) that would default to LICENSE. In our example you
> would simply define:
> LICENSE = "BSD"
> LICENSE_mypkg-subpkgZ = "GPLv2"

I definitely don't like this.  We really want to be able to exclude things based
on source code license...

Anyway, my 2 cents.  Maybe it's a bigger issue then I'm familiar with, but at
this point I see it as the rare case, and I'd really prefer something like SPDX
to fix the issue -- but this is still a long-term solution.

--Mark

> From these, I'd prefer #1 as it does not alter (and/or break) anything
> that we currently have. It should be relatively easy to implement with
> only minor changes to package* bbclasses. I also like the current idea
> that LICENSE is a source-level union of all license. Option #2 would
> change the interpretation of LICENSE and would require more invasive
> changes, and, auditing all code involving LICENSE. When done properly,
> it shouldn't break anything we currently have. However, automatically
> making a union of the licenses has its pitfalls as the license
> definitions can be complex logical expressions. Neither is perfect,
> comments and better suggestions are welcome.
> 
> 
> Thanks,
>   Markus
> 
> 
> 
> [1] http://lists.openembedded.org/pipermail/openembedded-core/2016-May/
> 122161.html
> [2] https://bugzilla.yoctoproject.org/show_bug.cgi?id=9499
> [3] http://git.openembedded.org/openembedded-core/tree/meta/recipes-ext
> ended/hdparm/hdparm_9.48.bb?id=c4dda05cb9755cb865c1d1bd142196f8a9f45d3d
> _______________________________________________
> Openembedded-architecture mailing list
> Openembedded-architecture at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-architecture
>

More information about the Openembedded-architecture mailing list