| View previous topic :: View next topic |
| Author |
Message |
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
 Posted: Sun May 19, 2019 7:51 pm Post subject: Change of ACCEPT_LICENSE default |
 |
|
Find below a copy of the 2019-05-23-accept_license news item.
(Looks like GLSAs are automatically mirrored to forums, but news items aren't?)
The default set of accepted licenses has been changed [1,2] to:
| Code: | | ACCEPT_LICENSE="-* @FREE" |
This means that by default only free software and documentation will be installable. The "FREE" license group is defined in the profiles/license_groups file in the Gentoo repository. It contains licenses that are explicitly approved by the Free Software Foundation, the Open Source Initiative, or that follow the Free Software Definition.
The system wide default for the accepted licenses is controlled by the ACCEPT_LICENSE variable in /etc/portage/make.conf, or it can be specified on a per-package basis in /etc/portage/package.license.
For example, to allow the app-arch/unrar and sys-kernel/linux-firmware packages to be installed, the following lines would have to be added to /etc/portage/package.license:
| Code: | app-arch/unrar unRAR
sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE |
A migration tool app-portage/elicense is available. It scans installed packages for licenses that are no longer accepted, and generates a list in the same format as the package.license file. See elicense's README for further details.
If you want to revert to the previous default, add the following line to /etc/portage/make.conf:
| Code: | | ACCEPT_LICENSE="* -@EULA" |
This will permit all licenses, except End User License Agreements that require reading and signing an acceptance agreement. Note that this will also accept non-free software and documentation.
See GLEP 23 [3] as well as the make.conf(5) and portage(5) man pages for the detailed syntax of the ACCEPT_LICENSE variable. Further information about licenses can be found in the Gentoo Handbook [4] and on the license groups wiki page [5].
[1] https://projects.gentoo.org/council/meeting-logs/20190210-summary.txt
[2] Bug 676248
[3] GLEP 23
[4] https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Licenses
[5] https://wiki.gentoo.org/wiki/License_groups
Last edited by ulm on Thu May 23, 2019 5:19 pm; edited 1 time in total |
|
| Back to top |
|
 |
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Sun May 19, 2019 9:09 pm Post subject: |
|
|
It's reverted for now: commit 16ffd91a723a
Stay tuned. |
|
| Back to top |
|
|
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
|
| Posted: Mon May 20, 2019 7:31 pm Post subject: |
|
|
Better start now and get use to it so I added the ACCEPT_LICENSE="-* @FREE" on my make.conf
I'm not sure if it is related somehow but about the gentoo-sources, if I'm not mistaken it include the blob firmware of the vanilla kernel, it is still considered as FREE license ?
Thanks ! |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Mon May 20, 2019 8:08 pm Post subject: |
|
|
Thank you, Ulm, for this detailed head's up.
I checked my make.conf and found: | Code: | ACCEPT_LICENSE="* AdobeFlash-11.1"
#ACCEPT_LICENSE="-* @FREE"
|
It's a rarity to have these changes explained, let alone explained in advance.
Thank you again, for your courtesy. |
|
| Back to top |
|
|
msst
Apprentice
Joined: 07 Jun 2011
Posts: 259
|
| Posted: Mon May 20, 2019 8:18 pm Post subject: |
|
|
Well, those who use the machine only private and do not distribute anything can simply use
and be done with it. That is the translated version of "I do not care about the licenses at all". And if you don't want something with a specific license installed just exclude it. I do not see the problem with the default change.
But actually it would be best if the change would come as some kind of config package and just ask the user: What do you want? Most common options are a) b) c) d) or e) enter a custom one and then set this. |
|
| Back to top |
|
|
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Mon May 20, 2019 8:28 pm Post subject: |
|
|
| gengreen wrote: | | I'm not sure if it is related somehow but about the gentoo-sources, if I'm not mistaken it include the blob firmware of the vanilla kernel, it is still considered as FREE license ? |
The whole firmware tree has been dropped from the kernel starting with version 4.14.
So, >=gentoo-sources-4.14 (and same for vanilla-sources) are under GPL-2 and there is no action required. If you're running an older longterm version like 4.4 or 4.9, then you'll have to add the following line to your /etc/portage/package.license file:
| Code: | | sys-kernel/gentoo-sources linux-firmware |
|
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Mon May 20, 2019 8:43 pm Post subject: |
|
|
| For what it's worth, although I'm accepting all licenses, I think the proposed change is appropriate for a default. |
|
| Back to top |
|
|
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
|
| Posted: Mon May 20, 2019 10:56 pm Post subject: |
|
|
| ulm wrote: | | gengreen wrote: | | I'm not sure if it is related somehow but about the gentoo-sources, if I'm not mistaken it include the blob firmware of the vanilla kernel, it is still considered as FREE license ? |
The whole firmware tree has been dropped from the kernel starting with version 4.14.
So, >=gentoo-sources-4.14 (and same for vanilla-sources) are under GPL-2 and there is no action required. If you're running an older longterm version like 4.4 or 4.9, then you'll have to add the following line to your /etc/portage/package.license file:
| Code: | | sys-kernel/gentoo-sources linux-firmware |
|
Alright, to cut short this doesn't equal to "free" (I'm refering to https://www.gnu.org/distros/common-distros.en.html)
I'm often confuse regarding those license term / legal aspect because they don't give a complete guarantee that some software / library format / codec... will not sneakily found their place on my system...
I'm not against those closed source drivers/binary/blob when I'm aware of their existence, but trying to achieve a system without the single of them can be tricky... |
|
| Back to top |
|
|
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Tue May 21, 2019 6:25 am Post subject: |
|
|
There is now a python script written by Whissi that will find installed packages with non-accepted licenses. It is packaged as app-portage/elicense.
Example output:
| Code: | $ elicense
# The following package(s) are using licenses which aren't covered by
# ACCEPT_LICENSE="-* @FREE" setting nor have entries in the package.license file:
sys-block/hpacucli hp-proliant-essentials
sys-block/storcli Avago LSI
sys-kernel/linux-firmware linux-fw-redistributable no-source-code
media-fonts/corefonts MSttfEULA
sys-firmware/intel-microcode intel-ucode
|
|
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Tue May 21, 2019 1:31 pm Post subject: |
|
|
I had to add app-portage/elicense to package.accept_keywords on my stable server. I then changed ACCEPT_LICENSES to the new default and ran it as follows: | Code: | ~ # elicense
# The following package(s) are using licenses which aren't covered by
# ACCEPT_LICENSE="@FREE" setting nor have entries in the package.license file:
sys-kernel/gentoo-sources freedist linux-firmware
sys-kernel/linux-firmware freedist linux-firmware no-source-code
media-fonts/corefonts MSttfEULA
media-fonts/freefonts freedist
media-gfx/xv xv
~ # elicense >>/etc/portage/package.license
~ # nano /etc/portage/package.license
~ # elicense
# Licenses for all installed packages are already accepted!
|
I'll have to review those terms (they were all accepted under the old default). I guess I understand gentoo-sources not being free and freefonts (misnamed!) and corefonts, but linux-firmaware was a surprise. |
|
| Back to top |
|
|
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
|
| Posted: Tue May 21, 2019 5:15 pm Post subject: |
|
|
| Quote: | elicense
# Licenses for all installed packages are already accepted! |
It seem to do the job  |
|
| Back to top |
|
|
MerlinYoda
n00b
Joined: 23 May 2007
Posts: 17
Location: Indiana, United States, Earth, Sol System, Milky Way Galaxy, "The Universe"
|
| Posted: Tue May 21, 2019 5:39 pm Post subject: |
|
|
I, for one, am glad to see the change reverted. I don't think portage should be throwing up road-blocks to installing software that doesn't have an explicit EULA that users need to agree to. Just because some software doesn't use a license that isn't sanctioned by the FSF or OSI doesn't mean that it should then be treated as if it was suddenly problematic to install.
For example, a freeware license like the unRAR license explicitly states that "All copyrights to RAR and the utility UnRAR are exclusively owned by the author - Alexander Roshal", but that doesn't put it on the same level as the Oracle-BCLA-JavaSE license. The binary of the former can be freely distributed and is unrestricted on it's usage; the latter is most certainly not.
Still, just in case, I've gone ahead and added the old default to my make.conf in case this change gets put back in place again. |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Tue May 21, 2019 9:21 pm Post subject: |
|
|
| MerlinYoda wrote: | | For example, a freeware license like the unRAR license explicitly states that "All copyrights to RAR and the utility UnRAR are exclusively owned by the author - Alexander Roshal", but that doesn't put it on the same level as the Oracle-BCLA-JavaSE license. The binary of the former can be freely distributed and is unrestricted on it's usage; the latter is most certainly not. |
Still, it's a binary only license like virtualbox. It probably forbids you to decompile and fork it. For some this is very important.
At first, I felt like you but now with the elicense program it's easy to see what needs accepting and to accept the license. I like it. I reverted one of my desktops as well as the central server and will do the other desktop tonight. It won't change what's installed but I'll know what's what. I only changed to accepting everything out of frustration with Adobe and Oracle. I suppose we still have that PITA with separate fetch for oracle. |
|
| Back to top |
|
|
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Wed May 22, 2019 6:33 am Post subject: |
|
|
To provide additional background: What finally triggered the change was that dev-db/mongodb moved from AGPL-3 to the non-free SSPL-1 license (see ZDNet article). Other distros like Debian and Redhat reacted by dropping MongoDB altogether. However, Gentoo users wouldn't even have noticed the license change with the old ACCEPT_LICENSE="* -@EULA" default, which may have exposed them to legal risk if they offered it as a service.
With the new "@FREE" default, such changes from free to non-free will be signalled by the package manager and require approval by the user (or unmerging of the package if the new terms are unacceptable).
And of course, this it only the default. Gentoo is about choice, so users can set their own ACCEPT_LICENSE in make.conf. |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Wed May 22, 2019 2:45 pm Post subject: |
|
|
Reading the link it seems like SSPL goes beyond GPL in restricting commercial use and that's why for-profit RedHat dropped it. Sounds good to me, but yes, users should be aware.
Not sure legally how a provider can restrict a formerly less restrictive license. It's like say MSI notifying me, "We changed pricing on that motherboard you bought last year. You owe us $20 more." Or maybe your license depends on your date of acquisition.
I still prefer GPL. |
|
| Back to top |
|
|
Carnildo
Guru
Joined: 17 Jun 2004
Posts: 595
|
| Posted: Wed May 22, 2019 9:22 pm Post subject: |
|
|
| Tony0945 wrote: | | Not sure legally how a provider can restrict a formerly less restrictive license. It's like say MSI notifying me, "We changed pricing on that motherboard you bought last year. You owe us $20 more." Or maybe your license depends on your date of acquisition. |
They can release a new version under a new license. In the case of MongoDB, you can use version 4.0.3 or earlier under the Gnu AGPL, but if you want newer functionality, you need to comply with the SSPL. It's like MSI notifying you that you can keep using your motherboard, but if you want the latest BIOS version, you need to hand over another $20. |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Thu May 23, 2019 12:08 am Post subject: |
|
|
| Carnildo wrote: | | They can release a new version under a new license. In the case of MongoDB, you can use version 4.0.3 or earlier under the Gnu AGPL, but if you want newer functionality, you need to comply with the SSPL. It's like MSI notifying you that you can keep using your motherboard, but if you want the latest BIOS version, you need to hand over another $20. |
I see. That makes sense. |
|
| Back to top |
|
|
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Thu May 23, 2019 5:08 pm Post subject: |
|
|
The change is now live again. |
|
| Back to top |
|
|
MerlinYoda
n00b
Joined: 23 May 2007
Posts: 17
Location: Indiana, United States, Earth, Sol System, Milky Way Galaxy, "The Universe"
|
| Posted: Thu May 23, 2019 7:28 pm Post subject: |
|
|
| Tony0945 wrote: | | I only changed to accepting everything out of frustration with Adobe and Oracle. I suppose we still have that PITA with separate fetch for oracle. |
I switched away from anything Oracle-related for a Java VM on Gentoo long ago actually (that separate fetch was definitely a PITA). I've been using IcedTea instead and never looked back. |
|
| Back to top |
|
|
MerlinYoda
n00b
Joined: 23 May 2007
Posts: 17
Location: Indiana, United States, Earth, Sol System, Milky Way Galaxy, "The Universe"
|
| Posted: Thu May 23, 2019 7:50 pm Post subject: |
|
|
| ulm wrote: | To provide additional background: What finally triggered the change was that dev-db/mongodb moved from AGPL-3 to the non-free SSPL-1 license (see ZDNet article). Other distros like Debian and Redhat reacted by dropping MongoDB altogether. However, Gentoo users wouldn't even have noticed the license change with the old ACCEPT_LICENSE="* -@EULA" default, which may have exposed them to legal risk if they offered it as a service.
With the new "@FREE" default, such changes from free to non-free will be signalled by the package manager and require approval by the user (or unmerging of the package if the new terms are unacceptable).
And of course, this it only the default. Gentoo is about choice, so users can set their own ACCEPT_LICENSE in make.conf. |
So, if I'm reading the license right, if some of the software that some service provider used towards offering MongoDB as part of that service was actually closed-source such that the service provider didn't have access to that source code in order to provide it to those they provide services to as noted in Section 13, then they couldn't then use the product as per Section 12. I thought RMS could be a little militant in his free software views, but this license takes the cake on stretching the definition of "freedom" and is way beyond anything even he ever suggested.
Wouldn't the simpler solution have been to classify the SSPL under the EULA category (as it's certainly making specific demands of a certain class of end users even though the source of the software that is licensed under it is freely available)? |
|
| Back to top |
|
|
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Fri May 24, 2019 5:17 am Post subject: |
|
|
| MerlinYoda wrote: | | So, if I'm reading the license right, if some of the software that some service provider used towards offering MongoDB as part of that service was actually closed-source such that the service provider didn't have access to that source code in order to provide it to those they provide services to as noted in Section 13, then they couldn't then use the product as per Section 12. I thought RMS could be a little militant in his free software views, but this license takes the cake on stretching the definition of "freedom" and is way beyond anything even he ever suggested. |
Right, section 13 of the SSPL-1 is the problematic part. It requires the user to make the source code of all sorts of only loosely related programs (like "backup software") available. Also it is ill-defined, e.g., does "all programs that you use to make the Program or modified version available as a service" include the firmware of all routers in the data center?
| MerlinYoda wrote: | | Wouldn't the simpler solution have been to classify the SSPL under the EULA category (as it's certainly making specific demands of a certain class of end users even though the source of the software that is licensed under it is freely available)? |
SSPL-1 is not an EULA, because it doesn't require acceptance. It explicitly says in section 9: "You are not required to accept this License in order to receive or run a copy of the Program." IANAL, but I have my doubts if section 13 would be enforceable on someone running an unmodified version of MongoDB. (Basically, if you don't accept the license, then you aren't bound by its terms, and copyright law won't apply when merely running the program.)
But the point is that we have existing definitions of our license groups, like @EULA or @BINARY-REDISTRIBUTABLE. IMHO it doesn't make sense to tweak them, in order to make them fit a new license that we consider to be nasty. The clear dividing line is between licenses that are in @FREE and those that are not, and this is also what most other distributions use. |
|
| Back to top |
|
|
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5937
|
| Posted: Fri May 24, 2019 2:49 pm Post subject: |
|
|
sorry to hear about mongodb, and i hate to be that guy, but did you guys have to break portage for everybody when a news notice for mongodb would have been sufficient? turns out this broke releng too https://github.com/gentoo/releng/commit/fd1479bfedbf65a68f8565510252e1abfc267831
now everyone is going to go back to "* -@eula" and get ticked off because of one package they probably don't use. 
edit: sorry, i forgot the  i was too busy switching profiles. 
_________________
| Neddyseagoon wrote: | | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
| Back to top |
|
|
ulm
Developer
Joined: 04 Oct 2004
Posts: 98
Location: Mainz, Germany
|
| Posted: Fri May 24, 2019 3:29 pm Post subject: |
|
|
Oh really. We've been discussing the license change with RelEng since February. The license team has verified that everything in stage3 is covered by @FREE, and did some work to ensure that install media are covered by the @BINARY-REDISTRIBUTABLE group. So that commit you have quoted above is simply the outcome of that discussion, not an indication of any breakage. |
|
| Back to top |
|
|
MerlinYoda
n00b
Joined: 23 May 2007
Posts: 17
Location: Indiana, United States, Earth, Sol System, Milky Way Galaxy, "The Universe"
|
| Posted: Fri May 24, 2019 5:46 pm Post subject: |
|
|
| ulm wrote: |
SSPL-1 is not an EULA, because it doesn't require acceptance. It explicitly says in section 9: "You are not required to accept this License in order to receive or run a copy of the Program." IANAL, but I have my doubts if section 13 would be enforceable on someone running an unmodified version of MongoDB. (Basically, if you don't accept the license, then you aren't bound by its terms, and copyright law won't apply when merely running the program.)
But the point is that we have existing definitions of our license groups, like @EULA or @BINARY-REDISTRIBUTABLE. IMHO it doesn't make sense to tweak them, in order to make them fit a new license that we consider to be nasty. The clear dividing line is between licenses that are in @FREE and those that are not, and this is also what most other distributions use. |
Huh, I overlooked that part. IANAL either but I'd have to say that it is certainly contradictory and, as such, looks unenforceable (or at least section 13 is unenforceable because of section 9). Looks like someone just put this one together hastily and didn't run it by someone else (or, at least, not the right sort of someone else). Although, in that same section they state that "propagating" a work covered by the license indicates acceptance of the license so maybe they think that offering MongoDB up as a service counts as "propagation" and can therefore bind service providers to the terms of section 13. I don't think it would qualify though and wouldn't be surprised if it all falls apart right in front of them if it ever got challenged in court.
Anyway, if SSPL-1 isn't going to get classified as @EULA and it isn't @FREE, then I guess it simply falls under @BINARY-REDISTRIBUTABLE. However, it seems like such an odd categorization seeing as the only thing keeping it from being Free software is Section 13 and it's questionable whether it is even enforceable at this point. Also inclusion of SSPL-1 in that group taints every other license that falls in the @BINARY-REDISTRIBUTABLE meta-grouping that doesn't also fall under @FREE.
The more I look at it the more it seems like some sort of "quasi-EULA" group is needed for licenses like this that try to come off as free software but then turn around and try to impose some lame/punitive restrictions in the same way that a full-fledged EULA would. If so inclined, you could proceed to group @EULA and this new quasi-EULA under another meta-group called @RESTRICTIVE (or something like that) and change the default to "* -@RESTRICTIVE". |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Fri May 24, 2019 6:20 pm Post subject: |
|
|
MerlinYoda, I advise you to unmask (if needed) and install the elicense package. Look at the sequence of calls that I posted above. Test with both defaults, old and new, and I think you will find that you are using very few licenses that need to be put in /etc/portage/package.license
I am definitely a convert to the more restrictive default with this handy tool available.
In accordance with the Gentoo philosophy, you can accept any license you want. You don't need to keep the default or you can keep the dault and use package.license. It's still your choice. The elicense tool does make management much easier. Note that I echoed the elicense output right into the license file with ">>". if you didn't want all the installed licenses, you can easily edit the file with nano. An ebuild is blocked and you don't know what should be in package.license?
Change the default to accept everything in make.conf. source /etc/profile, emerge the new -package, go back to the default and run elicense.
I have over a thousand packages installed. Only five had to be added to package.license. The gentoo-sources kernel was one of them. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Portage & Programming
