[opam-devel] license for passwdgen
Anil Madhavapeddy
anil at recoil.org
Thu Apr 4 15:41:59 BST 2013
On 4 Apr 2013, at 02:15, Roberto Di Cosmo <roberto at dicosmo.org> wrote:
> Florent, Anil, thanks for raising this issue, which is indeed
> quite an interesting one, and requires some thought.
>
> Tracking license information is an important issue in general, but the case of
> opam is quite special: opam "packages" just provide information on building
> binaries from sources that will be downloaded from somewhere on the net,
> like BSD ports; they are not the same as typical binary packages
> found on common GNU/Linux distros which need a very strict
> licence screening process to accept packages (like Debian does);
> as such, providing an opam package for a completely non-free
> source is *not* a problem for opam: the possible licence
> violation is perpetrated by the person who decides to build
> the package on their own machine, not by the packager providing
> the instructions on how to build it!
> And it may be very well the case that such building instructions
> are quite useful for people who have the right to use that software.
>
> To sum up:
>
> - I do not think that one is *obliged* to remove the opam package for
> passwdgen from opam-repository
>
> - It is clear that one cannot make a copy of the *source code* of passwdgen
> on ocamlpro, so the opam package for passwdgen should point to the original
> URL for downloading the sources, not to an OCamlPro copy (which must be
> removed)
Note that these two go together: right now in OPAM we construct the
archive unconditionally, hence the immediate need for removal in the case
of unknown-licensed packages.
We can of course improve this, but it's good to fix licensing violations
as soon as we become aware of them.
> At the same time, making it easy for developers to incorporate non-free
> code in their projects *without knowing it* is an issue, and I believe it
> must be taken seriously.
>
> Here is a proposal:
>
> - extend the metadata for opam packages with a "licenses" key, holding
> a list of the licenses used in the source code (that may include
> "unknown"); for this, we need a standardised list of values, and the
> SPDX standardised list available here https://spdx.org/licenses/ is
> a good starting point (incomplete, though, as they do not list our
> favorite LGPL with OCaml exception :-))
OASIS has a nice library to handle all this doesn't it? CCing Sylvain to
see if it can be separately used by OPAM.
>
> - provide a simple guide for packagers pointing to the list of
> standard licence identifiers
>
> - add an option to opam to print licence information on the packages;
> opam list -l might produce something like (the licences are fake here)
>
> aacplus -- LGPL-3.0+,LGPL-2.0 Bindings for the aacplus library which provides functions for decoding AAC audio files
> aifad -- LGPL-2.0+ Machine learning library and application written in OCaml which generalizes decision tree learning to algebraic data types
> alberto -- LGPL-2.0 OCaml interface to Erlang ports
> ...
>
> - later on, add "profiles" to opam that allow one to specify that one refuses
> to install components with licences not included in a specific list
> that represents the "house policy"; actually, this would have a quite
> high added value for commercial developers
Indeed. For example, GPLv3 is banned in many commercial development situations,
so adding a house filter is a useful thing to have.
-anil
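As an added illustration of the "house policy" filter proposed above (example code written for this archive page, not code from the thread, from opam, or from OASIS): a small Python sketch that reads licence fields in the style of the `opam list -l` mock-up, treats the SPDX-style `+` suffix as "or any later version", refuses anything marked `unknown`, and accepts a package only when every licence listed for it is in the allow-list. The sample packages, their licences and the policy list are all constructed for the example; the package names come from the mock-up in the quoted message and the licences are fake, as they were there.

```python
"""House-policy licence filter over opam-style package metadata (added example).

Assumptions (not from the thread): a package's licence field is a
comma-separated list of SPDX-like identifiers, all of which apply to the
source; "X-N.M+" means "version N.M or any later version"; "unknown" is
never acceptable.
"""
import re
from dataclasses import dataclass

# Constructed sample in the "opam list -l" layout proposed in the thread.
# Package names are from that mock-up; the licences are fake, as there.
SAMPLE_PACKAGES = {
    "aacplus": "LGPL-3.0+,LGPL-2.0",
    "aifad": "LGPL-2.0+",
    "alberto": "LGPL-2.0",
    "mysterylib": "unknown",        # constructed: licence not recorded
    "copyleftthing": "GPL-3.0",     # constructed: outside the policy below
}

# Constructed house policy: permissive and LGPL only, no GPL-3.0.
HOUSE_POLICY = ["MIT", "BSD-3-Clause", "LGPL-2.0", "LGPL-2.1", "LGPL-3.0"]

# family, optional "-<version>", optional trailing "+" (or-later marker).
_LICENSE_RE = re.compile(
    r"^(?P<family>[A-Za-z][A-Za-z0-9\-]*?)"
    r"(?:-(?P<version>\d+(?:\.\d+)*))?"
    r"(?P<later>\+)?$"
)


@dataclass(frozen=True)
class License:
    family: str
    version: tuple      # () when the identifier carries no version (e.g. MIT)
    or_later: bool


def parse_license(identifier: str) -> License:
    """Parse one identifier such as 'LGPL-2.0+' or 'BSD-3-Clause'."""
    m = _LICENSE_RE.match(identifier.strip())
    if not m:
        raise ValueError(f"unparseable licence identifier: {identifier!r}")
    version = tuple(int(p) for p in m["version"].split(".")) if m["version"] else ()
    return License(m["family"], version, m["later"] == "+")


def parse_licenses(field: str) -> list:
    """Split a comma-separated licence field into its identifiers."""
    return [s.strip() for s in field.split(",") if s.strip()]


def satisfies(pkg: License, allowed: License) -> bool:
    """True if the package licence is covered by one allow-list entry.

    An or-later licence lets the user choose any later version of the same
    family, so an allowed version newer than the stated one also matches.
    """
    if pkg.family != allowed.family:
        return False
    if pkg.version == allowed.version:
        return True
    return bool(pkg.or_later and allowed.version and allowed.version > pkg.version)


def check_package(license_field: str, policy: list) -> tuple:
    """Return (accepted, rejected_identifiers) for one package.

    Every listed licence must be allowed, since the field records all
    licences used in the source. 'unknown' is always rejected.
    """
    allowed = [parse_license(a) for a in policy]
    rejected = []
    for ident in parse_licenses(license_field):
        lic = parse_license(ident)
        if lic.family == "unknown" or not any(satisfies(lic, a) for a in allowed):
            rejected.append(ident)
    return (not rejected, rejected)


def filter_repository(packages: dict, policy: list) -> dict:
    """Map each package name to whether the house policy permits installing it."""
    return {name: check_package(spec, policy)[0] for name, spec in packages.items()}


if __name__ == "__main__":
    for name, ok in filter_repository(SAMPLE_PACKAGES, HOUSE_POLICY).items():
        verdict = "install" if ok else "REFUSE"
        print(f"{name:15} {verdict:8} {SAMPLE_PACKAGES[name]}")
```

The conjunction rule (all listed licences must pass) is the conservative reading of "a list of the licenses used in the source code"; if a repository instead recorded alternatives the user may choose between, the check in `check_package` would become `any` rather than requiring every identifier to match.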