• do SPDX declaration fulfill §17 of GPL?

    From Nicholas D Steeves@21:1/5 to All on Fri Dec 11 01:20:01 2020
    Hi,

    I found a problematic change in one of my packages:

    https://github.com/KDE/kio-gdrive/commit/6321fda6294e3d021b7a2758c1200aa42debb021

    This looks like a regression of license validity to me, because the
    fulfillment of §17 of the GPL was removed from the affected files, and I suspect that we don't accept standalone SPDX declarations as valid in
    ambiguous cases like this one...

    Especially when they're as confusing as "GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL", when the provided GPL-3.0-only is
    identical to the provided GPL-3.0-or-later, and the restriction of
    "only" is not reflected in any headers nor the license text for
    GPL-3.0-only.

    Finally, the intent of David Barchiesi appears to have been GPL-2+ OR GPL-3+...with "KDE e.V." restriction on forward compatibility, but this
    is not reflected in the provided https://github.com/KDE/kio-gdrive/commit/6321fda6294e3d021b7a2758c1200aa42debb021#diff-39989992dd1286c14401f7fd5ddc9cdf08c61ebe75659cc148678f13b75049b6

    Despite the mess, it appears that the licenses will evaluate to
    bin:kio-gdrive as a whole being GPL-3.0-only work, but confidence in
    that is low if SPDX declarations do not fulfill §17 of GPL.

    I don't want to exploit the fact that the package is already in Debian
    as a way to bypass what seems like it might otherwise have been an
    ftpmaster reject.


    Thank you in advance for your comments!
    Nicholas


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Florian Weimer@21:1/5 to All on Sat Dec 12 12:50:01 2020
    * Nicholas D. Steeves:

    > Hi,
    >
    > I found a problematic change in one of my packages:
    >
    > https://github.com/KDE/kio-gdrive/commit/6321fda6294e3d021b7a2758c1200aa42debb021
    >
    > This looks like a regression of license validity to me, because the
    > fulfillment of §17 of the GPL was removed from the affected files, and I
    > suspect that we don't accept standalone SPDX declarations as valid in
    > ambiguous cases like this one...

    What's §17 in your copy?
