[opam-devel] license for passwdgen

Roberto Di Cosmo roberto at dicosmo.org
Thu Apr 4 10:15:53 BST 2013


Florent, Anil, thanks for raising this issue, which is indeed
quite an interesting one, and requires some thought.

Tracking license information is an important issue in general, but the case of
opam is quite special: opam "packages" just provide informations on building
binaries from sources that will be downloaded from somewhere on the net,
like BSD ports; they are not the same as typical binary packages
found on common GNU/Linux distros which need a very strict
licence screening process to accept packages (like Debian does);
as such, providing an opam package for a completely non-free
source is *not* a problem for opam: the possible licence
violation is perpetrated by the person that decides to build
the package on its own machine, not by the packager providing
the instructions on how to build it!
And it may be very well the case that such building instructions
are quite useful for people who have the right to use that software.

To sum up:

 - I do not think that one is *obliged* remove the opam package for 
   passwdgen from opam-repository

 - It is clear that one cannot make a copy of the *source code* of passwdgen
   on ocamlpro, so the opam package for passwdgen should point to the original
   URL for downloading the sources, not to an OCamlPro copy (which must be
   removed)

At the same time, making it easy for developers to incorportate non-free
code in their projects *without knowing it* is an issue, and I believe it
must be taken seriously.

Here is a proposal:

 - extend the metadata for opam packages with a "licenses" key, holding
   a list of the licenses used in the source code (that may include
   "unknown"); for this, we need a standardised list of values, and the
   SPDX standardised list available here https://spdx.org/licenses/ is
   a good starting point (incomplete, though, as they do not list our
   favorite LGPL with OCaml exception :-))

 - provide a simple guide for packagers pointing to the list of
   standard licence identifiers

 - add an option to opam to print licence information on the packages;
   opam list -l might produce something like (the licences are fake here)

    aacplus                       --  LGPL-3.0+,LGPL-2.0 Bindings for the aacplus library which provides functions for decoding AAC audio files
    aifad                         --  LGPL-2.0+          Machine learning library and application written in OCaml which generalizes decision tree learning to algebraic data types
    alberto                       --  LGPL-2.0           OCaml interface to Erlang ports
    ...

 - later on, add "profiles" to opam that allow to specify that one refuses
   to install components with licences not included in a specific list
   that represents the "house policy"; actually, this would have a quite
   high added value for commercial developers

--
Roberto

On Wed, Apr 03, 2013 at 03:30:15PM -0700, Anil Madhavapeddy wrote:
> If no license is specified anywhere within the package or its distribution
> website, then we need to remove the package from the repository as we have
> no right to redistribute it.
> 
> -anil
> 
> On 3 Apr 2013, at 06:51, Florent Monnier <monnier.florent at gmail.com> wrote:
> 
> > Hi,
> > I don't know if I should open an issue for this too.
> > I don't know what is the licensing policy for Opam.
> > I found the package "passwdgen" and while searching for its license I
> > was unable to find it.
> > Just tried to write to the email given in the README file but the
> > recipient's e-mail address was not found in the recipient's e-mail
> > system.
> > -- 
> > Cheers
> > _______________________________________________
> > opam-devel mailing list
> > opam-devel at lists.ocaml.org
> > http://lists.ocaml.org/listinfo/opam-devel
> > 
> 
> _______________________________________________
> opam-devel mailing list
> opam-devel at lists.ocaml.org
> http://lists.ocaml.org/listinfo/opam-devel

-- 
Roberto Di Cosmo
 
------------------------------------------------------------------
Professeur               En delegation a l'INRIA
PPS                      E-mail: roberto at dicosmo.org
Universite Paris Diderot WWW  : http://www.dicosmo.org
Case 7014                Tel  : ++33-(0)1-57 27 92 20
5, Rue Thomas Mann       
F-75205 Paris Cedex 13   Identica: http://identi.ca/rdicosmo
FRANCE.                  Twitter: http://twitter.com/rdicosmo
------------------------------------------------------------------
Attachments:
MIME accepted, Word deprecated
      http://www.gnu.org/philosophy/no-word-attachments.html
------------------------------------------------------------------
Office location:
 
Bureau 320 (3rd floor)
Batiment Sophie Germain
Avenue de France
Metro Bibliotheque Francois Mitterrand, ligne 14/RER C
-----------------------------------------------------------------
GPG fingerprint 2931 20CE 3A5A 5390 98EC 8BFC FCCA C3BE 39CB 12D3                        


More information about the opam-devel mailing list