Hi all,
A correction on item 1):
The path I was referring to got mixed. It should have been
curl-master/m4/ax_compile_check_sizeof.m4 (see https://github.com/curl/curl/blob/master/m4/ax_compile_check_sizeof.m4)
I'd still argue (after some background discussions) that this is
GPL-3.0-or-later WITH Autoconf-exception-2.0 (to be verified along the SPDX matching guidelines)
Some more details on item 6):
a) I don’t argue against that the license identification is BSD-3-Clause. That is fine with me within the boundaries of the SPDX matching guidelines. My point is, that there is an “original” license text with variations, and I would like to see that “original” license text reproduced in the license folder, not a rather arbitrary template.
In the beginning curl had one instance of a BSD-3-Clause license (the “original”). After REUSE is applied it shows two instances (template and “original”).
When I only parse the REUSE tags, I miss the "original" license.
b) The license text (binary redistribution clause) says:
“2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.“
We take „this list of conditions and the following disclaimer“ verbatim. This is in alignment with our key objective to not trivialize license terms and conditions.
Therefore, we were concluding that REUSE is obfuscating information.
We propose to indicate the "template" characteristics of the current BSD-3-Clause license in the license folder and add the original license as well. Perhaps this can be done by a naming conventions on the license files.
Regards, Karsten
metaeffekt GmbH Firmensitz: Renettenweg 6/1, 69124 Heidelberg Registergericht: Amtsgericht Mannheim, HRB 725313 Geschäftsführer: Karsten Klein USt.-IdNr.: DE307084554
Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen beinhalten. Sollten Sie diese E-Mail irrtümlich erhalten haben, informieren Sie bitte den Absender und löschen Sie diese E-Mail und alle Kopien umgehend. Eine unbefugte Weitergabe der E-Mail oder deren Inhalte und Anhänge ist nicht gestattet.
Möchten Sie als Empfänger keine Informationen dieser Art erhalten, setzen Sie sich bitte unmittelbar mit dem Absender der E-Mail in Verbindung. Die metaeffekt GmbH unterstützt Ihre Datenhoheit und informationelle Selbstbestimmung und übermittelt Informationen ausschließlich auf der Rechtsgrundlage der europäischen Datenschutzgrundverordnung (DSGVO). Weitere Informationen zu den Datenverarbeitungsvorgängen und insbesondere Ihrer Rechte entnehmen Sie der Datenschutzerklärung der metaeffekt GmbH http://www.metaeffekt.com/files/metaeffekt-data-privacy_v2018-05-29.pdf.
On 22.06.22, 18:06, "REUSE on behalf of Karsten Klein" <reuse-bounces@lists.fsfe.org on behalf of karsten.klein@metaeffekt.com> wrote:
Hi all,
I took the thread as a trigger to check what our scanners derive and made the following observations (not intended to be complete, but to simply to trigger thoughts):
1) /curl-master/scripts/copyright.pl should be tagged as "GPL-3.0-or-later WITH Autoconf-exception-2.0" (to be validated) instead of just be "GPL-3.0-or-later" (HIDE)
2) /curl-master/lib/curl_path.c includes an ISC snippet, but this is not marked with an SPDX-License-Identifier (HIDE)
3) /curl-master/lib/sha256.c includes a quote that parts of the code are based on public domain. This is not captured. (HIDE)
4) /curl-master/lib/md4.c includes contains code under Public Domain or simple redistribution terms (“heavily cut down BSD license”). This is not captured. (HIDE)
5) /curl-master/lib/md5.c includes contains code under Public Domain or simple redistribution terms (“heavily cut down BSD license”). This is not captured. (HIDE)
Being picky (while greetings go to Jilayne):
6) /curl-master/lib/krb5.c contains a variant of the BSD-3-Clause. The SPDX-License-Identifier says BSD-3-Clause. In /curl-master/LICENSES/BSD-3-Clause.txt is however the standard/default text not matching the original license text. (OBFUSCATE)
Being extremely picky:
7) The files
/curl-master/tests/data/test222 /curl-master/tests/data/test230 /curl-master/tests/data/test232 /curl-master/tests/data/test314 /curl-master/tests/data/test396 /curl-master/tests/data/test1123
contain references to X11 License and suggest that curl is under such license. I would propose to rework those test cases to not cause any ambiguity.
My biggest concern with REUSE is that it might HIDE or OBFUSCATE information (see items above). Just relying on the SPDX-License-Identifier does not provide the full truth.
Currently we configure our scanner to intentionally excludes lines containing SPDX-License-Identifier tags, because we would like “to see through”.
I don’t want to say, that this is the final situation. But in case projects apply REUSE, I would require them to be as accurate as possible and identify all corner cases; otherwise it just adds further work and ambiguity.
Just my thoughts…
Regards, Karsten
On 22.06.22, 14:22, "REUSE on behalf of Sebastian Crane" <reuse-bounces@lists.fsfe.org on behalf of seabass-labrax@gmx.com> wrote:
On Mon, Jun 13, 2022 at 04:29:31PM +0200, Lina Ceballos wrote: > Hi all, > > Since Max is on leave for some weeks, I have the honour to share some > success story with you today! > > The FSFE's REUSE booster team has been in close communication with the curl > team and after some feedback loop, this pull request got merged today: > https://github.com/curl/curl/pull/8869
This is wonderful news! I've been eager to see the results from the REUSE Booster programme, so am thrilled to hear about this.
Best wishes,
Sebastian _______________________________________________ REUSE mailing list REUSE@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/reuse
This mailing list is covered by the FSFE's Code of Conduct. All participants are kindly asked to be excellent to each other: https://fsfe.org/about/codeofconduct
_______________________________________________ REUSE mailing list REUSE@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/reuse
This mailing list is covered by the FSFE's Code of Conduct. All participants are kindly asked to be excellent to each other: https://fsfe.org/about/codeofconduct