Auditing Licenses in KDE Frameworks FreeBSD Packaging

FreeBSD is getting more serious about license metadata in the packages produced by the project — that is, the binary distribution of software produced from licensed source code. A lot of software in FreeBSD “proper” is (naturally) BSD-licensed, and a lot of Free Software packaged by FreeBSD is (also naturally) GPL licensed. But the different licenses carry different obligations, so it’s good to keep track of the exact licensing applied to each bit of software.

To this end, there’s the LICENSE= line in each port’s Makefile. Its meaning is “this software has such-and-such a license”. For conciseness, short identifiers from the ports framework’s own license list (which describes itself as derived from SPDX) are used, so that you can write

LICENSE=LGPL21

and we know what you mean. Because licenses can carry textual obligations (e.g. the GPL requires that recipients get a copy of the license text, and the BSD licenses generally require you to include the copyright notice with distributions), there’s an additional setting that points at the actual license text in the extracted sources, called LICENSE_FILE:

LICENSE_FILE=${WRKSRC}/COPYING.LIB

There’s a third source of license information, and that is the headers of the sources themselves. Usually you put a copyright-and-license header at the top of each file; some licenses such as the MPL even require some administration in there. The reuse.software site (by the FSFE) provides good guidance and best-practices information for providing licensing metadata in software packages.

Anyway, for KDE Frameworks 5 I was going through the ports Makefiles and adding LICENSE information. The KDE Licensing Policy tells me that frameworks should be licensed LGPL21+, with a few variants allowed; an interesting one is (at your option) “LGPL21 or LGPL3 or any later version approved by KDE e.V.” Right now, in 2017, this choice is the same as LGPL21+ because no later versions exist, but it is not always-in-the-future-same, so I hesitate to write

LICENSE=LGPL21+

for KDE Frameworks until I’ve checked the files. The license text is usually included, but it’s not quite consistently named, so I need to look into the tarballs anyway. And as a double-check, I read a couple of source headers to see if the license named in the code matches the license text elsewhere (e.g. some files say LGPL 2.1 only).

It’s a bit of a slow process — one which upstream (that is, the source code) could support a little better with consistent naming. It’s also a process that needs to be monitored continually, to ensure that the whole body of software remains properly and consistently licensed — hopefully following best practices, too.
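One way to take the tedium out of that check, as an added example that is not code from the original post nor from KDE or FreeBSD: a small Python script that classifies the license named in each source header, identifies the license text files shipped in the tree, and only proposes a ports LICENSE= line when the two agree. The header phrasings it matches, the labels it assigns (including the one for the “LGPL21 or LGPL3 or later approved by KDE e.V.” variant), the sample tree it writes into a temporary directory, and the mapping onto LGPL21 / LGPL21+ are all this example’s own assumptions.

```python
"""Audit a source tree's per-file license headers against the license text
it ships.  Added example, not code from the original post, KDE or FreeBSD;
header phrasings, labels and the sample tree are constructed for it."""
import os
import re
import tempfile

# Phrasings seen in LGPL file headers (these regexes are the example's assumption).
OR_LATER = re.compile(r"version\s+2\.1[^.]{0,120}?any\s+later\s+version", re.I)
KDE_EV = re.compile(r"KDE\s+e\.V\.")
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
LICENSE_FILE_NAME = re.compile(r"^(COPYING|LICEN[CS]E)(\.(LIB|LESSER|LGPL|GPL|txt))?$", re.I)
SOURCE_EXT = {".c", ".cc", ".cpp", ".h", ".hpp", ".qml", ".js", ".py"}


def classify_header(text):
    """Label the license named in a file header (first 2000 characters)."""
    head = text[:2000]
    tag = SPDX_TAG.search(head)
    if tag:
        return tag.group(1)                      # an explicit tag wins over prose
    if not re.search(r"general\s+public\s+license|\bL?GPL\b", head, re.I):
        return "none"                            # no (L)GPL wording at all
    if not re.search(r"lesser\s+general\s+public\s+license|\bLGPL\b", head, re.I):
        return "other"                           # plain GPL etc.; out of scope here
    if KDE_EV.search(head):                      # "2.1 or 3 or later approved by KDE e.V."
        return "LGPL-2.1-or-3-or-KDE-approved"   # label is this example's own
    if OR_LATER.search(head):
        return "LGPL-2.1-or-later"
    if re.search(r"version\s+2\.1", head, re.I):
        return "LGPL-2.1-only"                   # names 2.1, offers no later version
    return "other"


def identify_license_text(head):
    """Label a COPYING/LICENSE file from the title at the top of the text."""
    m = re.search(r"(LESSER\s+)?GENERAL\s+PUBLIC\s+LICENSE\s+Version\s+(\d(\.\d)?)", head, re.I)
    if not m:
        return "unknown"
    ver = m.group(2) if "." in m.group(2) else m.group(2) + ".0"
    return ("LGPL-" if m.group(1) else "GPL-") + ver


def audit_tree(root):
    """Classify every source header and every license text file under root."""
    headers, texts = {}, {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = fh.read(2000)
            if LICENSE_FILE_NAME.match(name):
                texts[rel] = identify_license_text(head)
            elif os.path.splitext(name)[1] in SOURCE_EXT:
                headers[rel] = classify_header(head)
    return headers, texts


def suggest_license_line(headers, texts):
    """Map a consistent audit onto a ports LICENSE= line.  None means a human
    must decide: mixed or missing headers, a KDE e.V. style choice, or no
    shipped text for the named license to point LICENSE_FILE at."""
    kinds = set(headers.values())
    if len(kinds) != 1 or "LGPL-2.1" not in texts.values():
        return None
    return {"LGPL-2.1-or-later": "LICENSE=LGPL21+",
            "LGPL-2.1-only": "LICENSE=LGPL21"}.get(kinds.pop())


# Constructed sample inputs (not taken from any real KDE tarball).
LGPL21_TEXT = "      GNU LESSER GENERAL PUBLIC LICENSE\n        Version 2.1, February 1999\n"
LGPL_PREAMBLE = ("/* This library is free software; you can redistribute it and/or modify it\n"
                 " * under the terms of the GNU Lesser General Public License as published by\n"
                 " * the Free Software Foundation; ")
OR_LATER_HDR = LGPL_PREAMBLE + "either version 2.1 of the License, or (at\n * your option) any later version. */\n"
ONLY_HDR = LGPL_PREAMBLE + "version 2.1 of the License. */\n"
KDE_HDR = LGPL_PREAMBLE + ("either version 2.1 of the License, or version 3 of\n"
                           " * the License, or any later version accepted by the membership of KDE e.V. */\n")


def build_sample_tree(root, consistent):
    """consistent=True writes only or-later headers; False writes a mixed tree."""
    os.makedirs(os.path.join(root, "src"))
    files = {"COPYING.LIB": LGPL21_TEXT, "src/a.cpp": OR_LATER_HDR + "int a;\n"}
    if not consistent:
        files.update({"src/b.cpp": ONLY_HDR + "int b;\n",
                      "src/c.h": "// SPDX-License-Identifier: LGPL-2.1-or-later\n",
                      "src/d.cpp": KDE_HDR + "int d;\n",
                      "src/e.cpp": "int e;  /* no license header at all */\n"})
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo(consistent=False):
    """Audit a freshly built sample tree and return what a porter would look at."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, consistent)
        headers, texts = audit_tree(root)
    for rel in sorted(headers):
        print(f"{rel:10s} {headers[rel]}")
    line = suggest_license_line(headers, texts)
    print("license texts:", texts, "| suggested:", line or "none; needs a human decision")
    return headers, texts, line


if __name__ == "__main__":
    run_demo()
```

Run it without arguments to audit the constructed sample tree; point audit_tree() at an extracted distfile to audit a real one. A None from suggest_license_line() is the interesting result: it means the tree has mixed or missing headers, or a choice such as the KDE e.V. one that a person still has to map onto the ports license list by hand.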

Anyway, as of today only ten of the KDE Frameworks 5 ports in the official FreeBSD ports repository have all their licensing information set, to the best of my ability to check their accuracy. As an ongoing project in keeping license info up to date it’s not very high-priority but something that gets done in-between other things.

2 thoughts on “Auditing Licenses in KDE Frameworks FreeBSD Packaging”

  1. Definitely cool stuff! 😀

    One small correction though:

    “LGPL21” and “LGPL21+” are not valid SPDX identifiers.

    Valid SPDX 2.x identifiers are:
    • LGPL-2.1
    • LGPL-2.1+

    Valid SPDX 3.x identifiers are:
    • LGPL-2.1-only
    • LGPL-2.1-or-later

    The “-only” and “-or-later” coming back in 3.x is due to a coordination of SPDX with the FSF, to make sure the identifiers for the *GPL family express those licenses’ intentions in a more unambiguous manner. The rest of the licenses will continue to use the “+” operand to express the fact that downstream may use any other version of the license as well.

    • Huh, that’s interesting (good of you to point it out, too). The FreeBSD license list which defines all the identifiers used in `LICENSE=` lines **claims** to be derived from SPDX, but the identifiers in there are, in fact, strings like `LGPL21`. Which are possibly easier to type — but there’s no particular reason to do so. I’ll inquire further.