Dave Love <f...@gnu.org> writes:

> Ludovic Courtès <l...@gnu.org> writes:
>
>> Dave Love <f...@gnu.org> writes:
>>
>>> Alex Vong <alexvong1...@gmail.com> writes:
>>>
>>>> Based on the above general argument, I think we should list all the
>>>> licenses instead of just GPLv2+ since it would be inaccurate to say that
>>>> the whole program is under just GPLv2+.
>>>
>>> Indeed. Not only do you need to list the licences (according to all
>>> "legal advice" I've seen for distributions), but normally also
>>> distribute the relevant licence texts, even for permissive licences if
>>> they require that (e.g. BSD). I raised this recently, as it's not
>>> generally being done, so some Guix binary packages appear to be
>>> copyright-infringing.
>>
>> There’s no such thing as a “Guix binary package” though, which makes it
>> different from traditional distros.
>>
>> In Guix a package is a Scheme object that refers to the source and build
>> method of upstream software.
>
> Sure, but if you use guix pack and distribute the result, it seems
> clearly a copyright infringement, because even BSD requires
>
>   2. Redistributions in binary form must reproduce the above copyright
>      notice, this list of conditions and the following disclaimer in the
>      documentation and/or other materials provided with the distribution.

[...]

> Well, from what I know about copyright, that isn't the licence of glibc,
> which is the sum of all the licences involved, and you'd have to know
> how to find them if you didn't just unpack the tarball. With pack
> output in a lot of cases you don't have the information.

Right, ‘guix pack’ makes things more complicated—although I would argue
that, contrary to Dockerfiles and the like (which nobody seems to
complain about), Guix makes it easier to do provenance tracking since
there’s an unambiguous source → binary mapping.

How do Debian and Fedora determine the relevant files to copy? We could
investigate ways to do that, but it won’t scale unless we have a mostly
automated way to do it. (It won’t scale to the size of Stackage, CPAN,
Pypi, etc. either…)

Thoughts?

Ludo’.