Auditing Licenses in KDE Frameworks FreeBSD Packaging
FreeBSD is getting more serious about license metadata in the packages produced by the project -- that is, the binary distribution of software produced from licensed source code. A lot of software in FreeBSD "proper" is (naturally) BSD-licensed, and a lot of Free Software packaged by FreeBSD is (also naturally) GPL licensed. But the different licenses carry different obligations, so it's good to keep track of the exact licensing applied to each bit of software.
To this end, there's the LICENSE= line in each port's Makefile. Its meaning is "this software has such-and-such a license". For conciseness, SPDX identifiers are used, so that you can write
LICENSE=LGPL21
and we know what you mean. Because licenses can carry textual obligations (e.g. the GPL expects you to receive a copy, and the BSD licenses generally require you to include the copyright notice with distributions), there's an additional setting to include the actual text, called LICENSE_FILES:
LICENSE_FILES=COPYING.LIB
There's a third source of license information, and that is the headers of the sources themselves. Usually you put a copyright-and-license header at the top of each file; some licenses such as the MPL even require some administration in there. The reuse.software site (by the FSFE) provides good guidance and best-practices information for providing licensing metadata in software packages.
Anyway, for KDE Frameworks 5 I was going through the ports Makefiles and adding LICENSE information. The KDE Licensing Policy tells me that frameworks should be licensed LGPL21+, with a few variants allowed; an interesting one is (at your option) "LGPL21 or LGPL3 or any later version approved by KDE e.V." Right now, in 2017, this choice is the same as LGPL21+ because no later versions exist, but it is not always-in-the-future-same, so I hesitate to write
LICENSE=LGPL21+
for KDE Frameworks until I've checked the files. The license text is usually included, but it's not quite consistently named, so I need to look into the tarballs anyway. And as a double-check, I read a couple of source headers to see if the license named in the code matches the license text elsewhere (e.g. some files say LGPL 2.1 only).
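The cross-check described above can be scripted. The following is an added example, not code from the original post or from the FreeBSD ports tree: it compares a port Makefile's LICENSE and LICENSE_FILES against the files in an unpacked tarball. The function names, the "KDEEV" label and the sample Makefile and headers are assumptions constructed for illustration.

```python
import re

# "KDEEV" is a label made up for this example; it is not a ports LICENSE value.
def classify_header(text):
    """Return the LGPL variant a source header grants, or None if unrecognised."""
    t = " ".join(re.sub(r"[*/#]+", " ", text).split()).lower()
    if "lesser general public" not in t:
        return None
    if "kde e.v." in t:
        return "KDEEV"      # 2.1, or 3, or a later version approved by KDE e.V.
    if re.search(r"version 2\.1 of the license,? or \(at your option\) any later version", t):
        return "LGPL21+"
    return "LGPL21" if "version 2.1" in t else None   # no "or later" grant

def makefile_vars(makefile):
    """Extract LICENSE and LICENSE_FILES values from a port Makefile's text."""
    found = {}
    for line in makefile.splitlines():
        m = re.match(r"\s*(LICENSE|LICENSE_FILES)\s*=\s*(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found

def audit(makefile, tarball):
    """tarball maps path -> file text. Returns findings as tuples."""
    v = makefile_vars(makefile)
    declared = (v.get("LICENSE") or [None])[0]
    findings = [("missing-license-file", name)
                for name in v.get("LICENSE_FILES", []) if name not in tarball]
    for path, text in sorted(tarball.items()):
        if path.endswith((".cpp", ".h")):
            got = classify_header(text)
            if got != declared:
                findings.append(("header-mismatch", path, got))
    return findings

# Constructed sample input, not taken from any real port or tarball.
MAKEFILE = "LICENSE=\tLGPL21+\nLICENSE_FILES=\tCOPYING.LIB\n"
LGPL = "/* This library is free software; you can redistribute it under the\n * terms of the GNU Lesser General Public License "
TARBALL = {
    "COPYING": "GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1",
    "src/a.cpp": LGPL + "as published by the FSF; either\n * version 2.1 of the License, or (at your option) any later version. */",
    "src/b.h": LGPL + "version 2.1 as published by the FSF. */",
    "src/c.cpp": LGPL + "as published by the FSF; either\n * version 2.1 of the License, or (at your option) version 3, or any\n * later version accepted by the membership of KDE e.V. */",
}

if __name__ == "__main__":
    for finding in audit(MAKEFILE, TARBALL):
        print(finding)
```

On the sample input it reports the license file named in LICENSE_FILES as absent (the tarball ships it as COPYING) and flags the 2.1-only and KDE e.V. headers as not matching the declared LGPL21+.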
It's a bit of a slow process -- one which upstream (that is, the source code) could support a little better with consistent naming. It's also a process that needs to be monitored continually, to ensure that the whole body of software remains properly and consistently licensed -- hopefully following best practices, too.
Anyway, as of today only ten of the KDE Frameworks 5 ports in the official FreeBSD ports repository have all their licensing information set, to the best of my ability to check their accuracy. As an ongoing project in keeping-license-info up-to-date it's not very high-priority but something that gets done in-between other things.