Re: License auditing

[Ludovic Courtès]

Hi,

Alex Griffin <address@hidden> skribis:

> On Wed, Aug 3, 2016, at 03:42 PM, Ludovic Courtès wrote:
>> However, in Guix we encode such cases as ‘gpl3+’ (or similar), rather
>> than ‘gpl1+’.
>
> That seems wrong and confusing.

Strictly speaking it’s wrong, but I think it better reflects the intent
of the authors (I think authors who throw a GPLv3 ‘COPYING’ file without
bothering to add file headers probably think that GPLv3 and maybe later
versions apply, but not previous versions.)

> It means that if I'm writing a GPLv2 program, for example, then I
> cannot rely on Guix to search for legally compatible libraries to
> use. It also means we cannot implement a tool to automatically flag
> Guix package dependencies for possible license violations.

I suppose many package violations could be detected using Guix, but
you’re right that subtle cases like this one can go undetected.

In the end, we’re talking about legal documents whose interpretation
isn’t as formal as we would like.  So I suspect that no single tool can
provide what you want—there is no “license calculus”.  Tools like
Fossology go a long way, but AFAIK they are no substitute for proper
manual auditing.

Thanks,
Ludo’.