https://bugzilla.redhat.com/show_bug.cgi?id=2431593
--- Comment #10 from Sergio Arroutbi <[email protected]> ---
I have applied the next patch:
--- clevis-pin-trustee.spec.202601271117 2026-01-26 10:26:28.143400243 +0100 +++ clevis-pin-trustee.spec 2026-01-27 12:09:51.970794917 +0100 @@ -10,8 +10,24 @@ Release: %autorelease Summary: Clevis PIN for Trustee attestation -# License covers both source and all statically-linked dependencies -License: MIT AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSL-1.0 AND Unicode-3.0 AND Unicode-DFS-2016 AND Unlicense AND 0BSD AND Zlib AND ISC AND (Apache-2.0 WITH LLVM-exception) +# Upstream license specification: MIT +# +# The build dependencies have the following licenses: +# +# (Apache-2.0 or MIT) and BSD-3-Clause +# (MIT or Apache-2.0) and Unicode-DFS-2016 +# 0BSD or MIT or Apache-2.0 +# Apache-2.0 +# Apache-2.0 or BSL-1.0 +# Apache-2.0 or MIT +# BSD-2-Clause or Apache-2.0 or MIT +# MIT +# MIT or Apache-2.0 +# MIT or Zlib or Apache-2.0 +# Unicode-3.0 +# Unlicense or MIT +# +License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Apache-2.0) AND (MIT OR Zlib OR Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0 URL: https://github.com/latchset/clevis-pin-trustee Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz @@ -46,6 +62,9 @@ %cargo_build %install +# Generate license file for bundled dependencies +%{cargo_license} > LICENSE.dependencies + # Install main binary install -D -m 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name} 
@@ -59,6 +78,7 @@ %files %license LICENSES/MIT.txt +%license LICENSE.dependencies %doc README.md %{_bindir}/%{name} %{_bindir}/clevis-encrypt-trustee

Justification:

1. No Effective License Analysis (No Simplification):

Per the https://docs.fedoraproject.org/en-US/legal/license-field/#_no_effective_license_analysis: "you should not attempt to simplify or reduce the License: tag license expression"

How we apply this:
- We enumerate all license expressions found in the source code and dependencies without reduction
- We preserve expressions like (Apache-2.0 OR MIT) even though both Apache-2.0 and MIT appear standalone elsewhere
- We keep both (Apache-2.0 OR MIT) and (MIT OR Apache-2.0) as distinct expressions (different dependencies declared them in different orders)
- We don't apply algebraic simplification, compatibility analysis, or license theory to reduce the expression

2. Special Rules for OR Expressions (Preserve Recipient Choice)

Per the https://docs.fedoraproject.org/en-US/legal/license-field/#_special_rules_for_or_expressions: "All the license operands of an OR expression should be preserved, but only to the extent that those license operands are allowed"

How we apply this:
- OR expressions represent the recipient's choice of which license to use for that particular component
- We preserve all OR expressions exactly as declared in the dependencies
- We only exclude disallowed licenses from OR expressions (none in this case - all licenses are Fedora-approved)
- We don't arbitrarily select one license from an OR expression
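Review bot: The new License: tag in the first hunk ends with "AND CC0-1.0", but CC0-1.0 is not in the removed tag and has no entry in the dependency license list in the comment block directly above it, so the spec does not say which source file or crate it comes from. Add a comment line naming the origin of CC0-1.0, or drop the term if nothing that is shipped carries it. The tag also lists "(Apache-2.0 OR MIT)" and "(MIT OR Apache-2.0)" twice each as exact duplicates, which makes the expression harder to check against the comment list line by line.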
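Review bot: In the second hunk, "%{cargo_license} > LICENSE.dependencies" is placed under %install, but it generates a file in the build tree rather than installing anything, so it belongs in %build right after %cargo_build. That keeps %install limited to the "install -D" lines that follow it. Consider adding "%{cargo_license_summary}" next to it so the build log prints the same summary that is hand-copied into the License comment block, which makes drift between the comment, the License: tag and the actual dependency set easy to spot on the next update.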
