Re: [exim] licensing and SPDX

Author: Kirill Miazine
Date:  
To: exim-users
Subject: Re: [exim] licensing and SPDX
• Jeremy Harris via Exim-users [2022-10-30 12:22]:
> Does anyone have opinions on the licensing of Exim?
>
> The project front-page ( https://exim.org/index.html )
> says "under the terms of the GNU General Public Licence",
> and links to the GPL page (which primarily promotes GPLv3,
> though older versions are present deeper in that site).
>
> The earliest version of that text I can locate is from May 2000
> ( exim-website git; 4bec300304 ), which predates GPLv3 (2007).
> GPLv2 was 1991.
>
> The file "LICENCE" in the exim git "/src" directory, which ends
> up in the top directory of the extracted tarball of a distribution,
> is GPLv2.


There's a file called src/NOTICE, added by ph10, which states that Exim
can be redistributed and/or modified under the terms of GPLv2 or any
later version.

The NOTICE file mentions that a copy of the GPL should be received, and
that copy is present in src/LICENCE, added there by ph10.

Lots of files refer to the file NOTICE for conditions of use and
distribution.

There's also a file called src/CONTRIBUTING, which deals with
contributions and what is assumed to apply for any contributions (author
retains copyright + contribution licenses under same terms as Exim).
Although that file was added in 2010
(https://git.exim.org/exim.git/commit/2daddfb8bf41421c78cbc9bf5cf5a24acc4b0ff8),
I'd say it's safe to assume the same for any contributions prior to
that. OTOH, there's always a risk with making assumptions when dealing
with copyright law.

> Now, along comes SPDX: a standard for labelling files with
> the license that applies. Yup, we're late as usual...
>
> a) Do we care?  Should we label every text file in sight?
>    Or not take any action?


The first question would be: why bother at all? For a new project, sure,
go ahead with SPDX -- but for existing? Exim carries quite a lot of
history. Luckily, the copyright to the roots is probably fully at the
University of Cambridge.

A quick read on SPDX indicates that SPDX license identifiers should
apply at the file level.

> b) Do existing licence conditions mentioned in specific file matter?
>    For example: a few files are commented (my precis) "GPLv2 or later",
>    some with "open source, do what you want".


If SPDX shall apply at the file level, then at least some files could be
labeled based on existing comments. Personally, I would either not do
such labelling on any file unless I was the original creator of the file
or at least be very selective of where I do the labelling. Why? Because
such labelling means that I'd have to be sure that

    - I fully understand the intent of the original author based on the comment,
    - I fully understand the scope and implications of the SPDX label,
    - I am absolutely sure that there's no gap between those.


Now, the SPDX labels seem simple enough, but still...

For the Exim project, I'd say it'd be doable to label the project itself and
those files which specifically refer to the src/NOTICE file. To be on
the safe side, one could reach out to the University of Cambridge and
inform them of the labelling.

>    We could
>    - not label such files


Safe approach, would probably be the advice of your typical lawyer.

>    - try to use a label matching the existing text


Doable for files which refer to src/NOTICE, maybe doable for others as
well. When no specific license is mentioned, either not label or reach out
to author and ask what label should apply (e.g. WTFPL when they say "do
what you want").

>    - label with the project choice of licence


For files added after src/CONTRIBUTING was added, this could be an
option. Still, I'd reach out to relevant author(s) and inform of the
labelling.

> c) What license should we label with?
>    - Given the dates above, I'm tempted to say that GPLv2-only
>      should be taken as the original intent.  But I don't know
>      how much freedom we have for change, nor what (if any)
>      might be preferred.


According to the NOTICE, it's GPLv2 or later, and that's what should
apply to the files which refer to the NOTICE file.

> d) What are the legal implications of doing this labelling?
>    Specifically, when different files are differently (not)labelled?


In theory there are no legal implications, as labelling does not do any
magic. In practice, however, you may end up with a situation where
labelling will be used to make decisions which otherwise would require
human evaluation.

For files added after src/CONTRIBUTING was added, it's safe-ish to
assume same labelling as for the rest of Exim. Maybe reach out to the
author and inform them of the labelling (with a copy e.g. to the
exim-dev, to ensure that request and any response is documented).

> --
> Cheers,
> Jeremy