Ports license auditing infrastructure

Table of Contents

Project description

This project is about adding a license framework to the ports system (i.e. bsd.licenses.mk), allowing it to be aware of the license used by each port. Another part of this project is to find an automated solution (so maintainers don't have to specify each port's license). With this information the infrastructure will be able to automate many tasks such as: restrict licenses, redistribution of files, identifying GPLv3 ports, etc.

See Project Ideas entry.

Project goals

Concrete features of the framework:

See below for a more detailed description.

Other (partial) implementations

The following partial implementations, and their TODO list are useful for the design.

NetBSD

The framework provides LICENSE, ACCEPTABLE_LICENSES, and DEFAULT_ACCEPTABLE_LICENSES. The first one is defined by the port, second optionally by users and the third by the framework.

Ports must define a license type, and if it's not in the accepted list the port will refuse to build.

There is a target show-license that displays LICENSE_FILE to the user.

See Handling licences, license.mk and TODO (section "Licenses of packages").

OpenBSD

The framework provides 4 variables PERMIT_{PACKAGE|DISTFILES}_{CDROM|FTP} (but no LICENSE like?) to control the redistribution. There is a policy to install license files under /usr/local/share/doc/<name>/

See Porting checklist and bsd.port.mk (see license-check and PERMIT_*).

Gentoo

Currently only supports attaching a license name to an ebuild, but there is a draft for adding more functionality.

See GLEP 23 (PRs at the end).

Design

As for other implementations the following considerations seem important:

Defining restrictions

Mainly there are 4 types of restrictions, depending on the distribution type and what is to be redistributed.

Item

Type

Description

Distfile

FTP

Mirroring

Distfile

CDROM

Selling

Package

FTP

Mirroring

Package

CDROM

Selling

There are also licenses that restrict distribution of binaries created from modified source code, but generally these ones aren't friendly at all for redistributing binaries.

In addition, some applications can't be linked with incompatible licensed code, but our dependencies don't track this directly (a port in BUILD_DEPENDS may be used to process a file, or to link an archive file with code).

License grouping

Grouping licenses under tags like GPL, FSF and OSI is useful for the user to be able to accept or reject a particular group.

Other groups can be created having nothing to do with the mentioned ones, like CDROM_FRIENDLY or RESTRICTED_REDISTRIBUTION.

See:

Multiple licenses

Another important consideration is when an application has more than one license, which could happen in the following cases:

Status

Description of actual progress made up to now, current items and plans for the near future.

Features

Incomplete features and additional ideas

Implementation notes

Integration with bsd.port.mk is done as follows:

New files to be installed (can be disabled with NO_LICENSE_INSTALL):

Interface

For the user

The following variables can be set wither from command-line or in /etc/make.conf.

Variable

Description

LICENSES_ACCEPTED

Accepted licenses

LICENSES_GROUPS_ACCEPTED

Accepted groups

LICENSES_REJECTED

Rejected licenses

LICENSES_GROUPS_REJECTED

Rejected groups

LICENSES_ASK

Require explicit user agreement for licenses accepted by default, for example most common licenses in bsd.licenses.db.mk

NO_LICENSES_DIALOGS

Disable dialog menus (GUI), and use the text interface

NO_LICENSES_INSTALL

Disable installation of (all) license files. These will possibly be required for future features (specially scripts or tools outside the ports systems).

For the port

The following variables can be defined by the port (this is for a single license, for more than one see next section).

Variable

Description

LICENSE

Code of license (short name; only letters, numbers and underscore)

LICENSE_PERMS

Permissions (see below)

LICENSE_GROUPS

Groups the license belongs to

LICENSE_NAME

Full license name (for the reports)

LICENSE_FILE

Full path to license (or use LICENSE_TEXT)

LICENSE_TEXT

Text to use as a license, for referencing when not available

LICENSE_DISTFILES

Name of licensed files (defaults to ${_DISTFILES})

The LICENSE variable can be set to either a license from bsd.licenses.db.mk (see make -V _LICENSES_LIST) or a new name, falling in "known" and "unknown" categories respectively.

Available components for LICENSE_PERMS:

Variable

Description

dist-mirror

Free redistribution of distfile (like FTP mirroring; opposite of RESTRICTED)

dist-sell

Selling of distfile (like in CD-ROM; opposite of NO_CDROM)

pkg-mirror

Free redistribution of package (like FTP upload; opposite of NO_PACKAGE)

pkg-sell

Selling of package (like in CD-ROM; opposite of NO_CDROM)

auto-accept

If present the license is accepted by default, without agreement (at least LICENSES_ASK is defined by the user)

Note that permissions can be denied by prefixing no-, for example no-dist-sell. If both are present, then it will be excluded. However this functionality not useful for now.

Currently two multiple licenses modes are supported: dual and multi. The first is for optional licenses, where the package/distfiles can use any of them. The second is for packages that combine distfiles with different licenses and accumulate restrictions (like an open source code, with restricted artwork).

To use set LICENSE_COMB to dual or multi. Note that when not defined it defaults to single (that is the code used internally). After defining it, you can add more than one entries to LICENSE. Then similar rules apply to each license present (see "known" and "unknown" above), but variables are prefixed with LICENSE_ and suffixed with _<license> where <license> is an entry of LICENSES.

Examples

Note that some license and port names may be invented for the purpose of the example.

If you type make in a port whoose license is accepted by default (which means to have the auto-accept permission in its definition), the following happens.

% make
===>  Vulnerability check disabled, database not found
===>  License accepted by the user
===>  Extracting for test-license-1.0
===>  Patching for test-license-1.0
===>  Configuring for test-license-1.0

In this case the port could have contained something like this (assuming GPLv2 is defined in bsd.licenses.db.mk):

LICENSE=GPLv2
LICENSE_FILE=${WRKSRC}/LICENSE

If the license is not accepted by default, or you define LICENSES_ASK (which disables the auto-accept permission), it would look like this (with the text interface):

% make -DLICENSES_ASK -DNO_LICENSES_DIALOGS
===>  Vulnerability check disabled, database not found
===>  License needs confirmation, will ask later
===>  Extracting for test-license-1.0

To install the port you must agree to the license: GPLv2 (GNU General
Public License version 2).

You can view the license at work/GPLv2.

If you agree with the corresponding license/s, add them to
LICENSES_ACCEPTED either in make arguments or /etc/make.conf.

*** Error code 1

Then you can read the license and decide if you agree or not. Note that for now we don't have a license pool so if the port does not define LICENSE_FILE (which is unusual), the file will contain some text like this:

% cat work/GPLv2
The license: GPLv2 (GNU General Public License version 2) is standard,
please read from the web.

If you agree with the license add it to LICENSES_ACCEPTED either in make arguments or /etc/make.conf, like this:

% echo "LICENSES_ACCEPTED+=GPLv2" >> /etc/make.conf
% make -DLICENSES_ASK -DNO_LICENSES_DIALOGS
===>  Patching for test-license-1.0
===>  Configuring for test-license-1.0

If the GUI menus are used, it would look like licenses-single-dialog.png.

Now suppose you have a port with the following license definitions:

LICENSE=GPLv2 BSD CDDL
LICENSE_COMB=dual

Then if any of them have the auto-accept permission and LICENSES_ASK is undefined, that one will be selected (in order of appereance in LICENSES). If you define LICENSES_ASK this happens:

% make -DNO_LICENSES_DIALOGS -DLICENSES_ASK

To install the port you must agree to any of the following licenses:

- GPLv2 (GNU General Public License version 2), available at work/BSD
- BSD (BSD license), available at work/BSD
- CDDL (Common Development and Distribution License), available at work/CDDL

If you agree with the corresponding license(s), add them to
LICENSES_ACCEPTED either in make arguments or /etc/make.conf.

*** Error code 1

Then for example if you choose BSD, you can run the following:

% make -DNO_LICENSES_DIALOGS LICENSES_ACCEPTED=BSD
===>  Patching for test-license-1.0
===>  Configuring for test-license-1.0

If the GUI menus are used, it would look like licenses-dual-dialog.png.

Now suppose the port defines this multiple licenses (a GPLv2 source code for the program, but copyrighted data needed):

LICENSE=GPLv2 EULA
LICENSE_COMB=multi
LICENSE_DISTFILES_GPLv2=engine-src-1.2.tar.gz
LICENSE_NAME_EULA=End User License Agreement for copyrighted data
LICENSE_PERMS_EULA=pkg-mirror dist-mirror
LICENSE_TEXT_EULA=Commercial redistribution is not allowed
LICENSE_DISTFILES_EULA=demo-data.run

Then if GPLv2 is accepted by default, it will not appear in the message, but as LICENSE_PERMS_EULA does not contain auto-accept it will. Notice that EULA is an "unknown" license, so it has to be defined in contrast to GPLv2, BSD, CDDL, etc.

% make -DNO_LICENSES_DIALOGS
===>  Vulnerability check disabled, database not found
===>  License needs confirmation, will ask later
===>  Extracting for test-license-1.0

To install the port you must agree to all of the following licenses:

- EULA (End User License Agreement for copyrighted data), available at work/EULA

If you agree with the corresponding license(s), add them to
LICENSES_ACCEPTED either in make arguments or /etc/make.conf.

*** Error code 1

Then as before, you can check the license:

% cat work/EULA 
Commercial redistribution is not allowed

And finally you must agree to all of them, but as GPLv2 was accepted by default, only EULA has to be added:

% make LICENSES_ACCEPTED="EULA"
===>  Patching for test-license-1.0
===>  Configuring for test-license-1.0

If the GUI menus are used and LICENSES_ASK is defined, it would look like licenses-multi-dialog.png.

<!> Please do not add unknown (per-port) licenses to /etc/make.conf because names can collide, so you may unexpectedly agree to a completely different license in another port.

-- AlejandroPulver 2008-04-24 18:51:35

PortsLicenseInfrastructure (last edited 2009-08-15 23:41:33 by AlejandroPulver)