From 67f4f8bcc271aaf399cf2796d9ab0f813100e4e3 Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Thu, 13 Jun 2024 23:02:10 +0200 Subject: [PATCH] Convert MariaDB 10.11 to SPDX license style Here follow the records of my deeds regarding the switch to the SPDX: \# Clone the correct package fedpkg clone mariadb10.11 \# Expand the sources and apply the SPECfile %prep section (in which e.g. unused bundled code is removed) fedpkg prep Now I used the 'askalono' tool on top of the resulting directory \# I began by analyzing only the errors askalono crawl mariadb-10.11.8/ 1>/dev/null =========== =========== =========== =========== =========== =========== | mariadb-10.11.8/storage/rocksdb/rocksdb/java/jmh/LICENSE-HEADER.txt | Error: Confidence threshold not high enough for any known license The text says the code is licensed under both 'GPL-2.0-only' and 'Apache-2.0' and points to the specific files in the directory tree with the full text of these licenses. There is also file: | mariadb-10.11.8/storage/rocksdb/rocksdb/README.md which says: "RocksDB is dual-licensed under both the GPLv2 (found in the COPYING file in the root directory) and Apache 2.0 License (found in the LICENSE.Apache file in the root directory). You may select, at your option, one of the above-listed licenses." So the correct SPDX identifier should be: '( GPL-2.0-only OR Apache-2.0 )' There are about 1200 files licensed this way, as can bee seen with this command: grep -i apache -r mariadb-10.11.8 All of them are from RocksDB SE, but 3: mariadb-10.11.8/mysys/crc32/crc32c.cc:// COPYING file in the root directory) and Apache 2.0 License mariadb-10.11.8/mysys/crc32/crc32c.cc:// (found in the LICENSE.Apache file in the root directory). mariadb-10.11.8/mysys/crc32/crc_ppc64.h: * b) the Apache License, Version 2.0 mariadb-10.11.8/mysys/crc32/crc32c_ppc.h:// COPYING file in the root directory) and Apache 2.0 License mariadb-10.11.8/mysys/crc32/crc32c_ppc.h:// (found in the LICENSE.Apache file in the root directory). All of the files says: // This source code is licensed under both the GPLv2 (found in the // COPYING file in the root directory) and Apache 2.0 License // (found in the LICENSE.Apache file in the root directory). But the "mariadb-10.11.8/mysys/crc32/crc_ppc64.h" * This program is free software; you can redistribute it and/or * modify it under the terms of either: * * a) the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) * any later version, or * b) the Apache License, Version 2.0 So the SPDX identified for this one particular file is '( GPL-2.0-or-later OR Apache-2.0 )' Making the final SPDX identifier regarding the Apache licenses as follows: '( GPL-2.0-only OR Apache-2.0 ) AND ( GPL-2.0-or-later OR Apache-2.0 )' =========== =========== =========== =========== =========== =========== \# Then I by analyzed everything but errors: askalono crawl mariadb-10.11.8/ 2>/dev/null | mariadb-10.11.8/vio/docs/COPYING.openssl | License: OpenSSL (original text) | Score: 0.913 Correct. Note: the 'OpenSSL' license is actually a combination of 'OpenSSL-standalone' and 'SSLeay-standalone' so the shorter texts would match to, but in this case, this is a full 'OpenSSL' license: https://spdx.org/licenses/OpenSSL.html =========== =========== =========== =========== =========== =========== GPL & LGPL There is a difference between "GPL-2.0-only" and "GPL-2.0-or-later" https://spdx.org/licenses/GPL-2.0-only.html https://spdx.org/licenses/GPL-2.0-or-later.html I understood that the license text is identical (I've ran 'diff' on top of them to verify) and the difference is decided by the license header present in the files containing the code itself. This "*-only" and "*-or-later" differenciation simmilar in other versions of GPL and LGLP Now meet this little cute monstrosity: \# This command is supposed to: \# - find all occurrences of the string "Public License" \# - prefixed by "GNU", "Lesser", "Library", "General", each word is optional (to match both GPL and LGPL and all variants of how people write them) \# - while every word can have any number of any white characters - including newlines - between them (to match text wrapped between lines) \# - all of that followed by string "version" (to only match text mentioning the specific version) \# - with any characters between the first part and the "version" string \# - followed by a digit (to exclude any result not talking about a concrete version specifically, e.g. text around string "from time to time" in the GPL licenses) \# - match 3 more characters (so we catch the whole version number) \# - but the "version" string and number must occur no later than any dot "." or double newline (to only match text inside the license texts or license headers, but not code) \# Once found, \# - and match everything until dot or double newline (for further parsing of the strings "or later" etc) \# - replace any newline with space (" "), so the whole above match (as well s everything else) is put on a single line \# - replace string "mariadb-10.11.8/" with "NEWLINEmariadb-10.11.8/", so each result is on a separate line grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' This command gives 3685 results (I'll be measuring the number of results with | wc -l through this whole text), and I hope it matches all possible variants of GPL and LGPL. We are going to further parse it to divide the results for the separate licenses. =========== =========== =========== =========== =========== =========== The 'askalono crawl' tool found number of occurrences of GPL and LGPL licenses, but it does not differentiate between "*-only" and "*-or-later" variants. | mariadb-10.11.8/wsrep-lib/COPYING | License: GPL-3.0-only (license header) | Score: 0.825 This file actually talks about GPLv2, not v3. | mariadb-10.11.8/wsrep-lib/LICENSE | License: GPL-2.0-only (original text) | Score: 0.988 | mariadb-10.11.8/scripts/sys_schema/COPYING | License: GPL-2.0-only (original text) | Score: 0.988 | mariadb-10.11.8/scripts/sys_schema/LICENSE | License: GPL-2.0-only (license header) | Score: 0.957 | mariadb-10.11.8/plugin/server_audit/COPYING | License: GPL-2.0-only (original text) | Score: 0.986 | mariadb-10.11.8/plugin/test_sql_service/COPYING | License: GPL-2.0-only (original text) | Score: 0.986 | mariadb-10.11.8/extra/readline/COPYING | License: GPL-2.0-only (original text) | Score: 0.984 | mariadb-10.11.8/storage/rocksdb/rocksdb/COPYING | License: GPL-2.0-only (original text) | Score: 0.988 | mariadb-10.11.8/COPYING | License: GPL-2.0-only (original text) | Score: 0.986 These are all GPLv2. | mariadb-10.11.8/libmariadb/COPYING.LIB | License: LGPL-2.1-only (original text) | Score: 0.998 | mariadb-10.11.8/storage/mroonga/vendor/groonga/vendor/plugins/groonga-normalizer-mysql/doc/text/lgpl-2.0.txt | License: LGPL-2.0-only (original text) | Score: 0.996 | mariadb-10.11.8/storage/mroonga/vendor/groonga/COPYING | License: LGPL-2.1-only (original text) | Score: 0.997 | mariadb-10.11.8/storage/mroonga/COPYING | License: LGPL-2.1-only (original text) | Score: 0.997 | mariadb-10.11.8/storage/maria/libmarias3/docs/introduction/license.rst | License: LGPL-2.1-only (original text) | Score: 0.980 | mariadb-10.11.8/storage/maria/libmarias3/LICENSE | License: LGPL-2.1-only (original text) | Score: 0.998 =========== =========== =========== =========== =========== =========== However to make sure which licenses appears in the source code tree, we have to GREP each variant: grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 3" retuns 16 results, from which: grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 3" | grep -i --binary-files=text -e " lesser" -e " library" 0 is LGPL and grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 3" | grep -v -i --binary-files=text -e " lesser" -e " library" 16 is GPL grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 3" | grep -i --binary-files=text -e "later" -e " or" 16 results "GPL-3.0-or-later" and grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 3" | grep -v -i --binary-files=text -e "later" -e " or" 0 results "GPL-3.0-only" =========== =========== =========== =========== =========== =========== grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" retuns 3669 results, from which: grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" 577 is LGPL grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" 3092 is GPL =========== =========== =========== =========== =========== =========== grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text -e "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.0" 120 is LGPL 2.0 grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.0" | grep -i --binary-files=text -e "later" -e " or " 77 is "LGPL-2.0-or-later" grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.0" | grep -v -i --binary-files=text -e "later" -e " or " 43 is "LGPL-2.0-only" grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[^0]" 457 is LGPL 2.1 grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[^0]" | grep -i --binary-files=text -e "later" -e " or " 132 is "LGPL-2.1-or-later" grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[^0]" | grep -v -i --binary-files=text -e "later" -e " or " 325 is "LGPL-2.1-only" =========== =========== =========== grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.[0\s]" -e "version 2.\s" 3091 is GPL 2.0 grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.[0\s]" -e "version 2.\s" | grep -i --binary-files=text -e "later" -e " or " 229 is "GPL-2.0-or-later" grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.[0\s]" -e "version 2.\s" | grep -v -i --binary-files=text -e "later" -e " or " 2862 is "GPL-2.0-only" grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \ | sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \ | grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[123456789]" 1 GPL 2.1 weird ... GPL 2.1 doesn't exists, only LGPL 2.1 does and by examining the file, it's a false positive, as the writer switched the words in way unexpected to me: "Lesser GNU General Public License, Version 2.1" =========== =========== =========== =========== =========== =========== | mariadb-10.11.8/plugin/handler_socket/libhsclient/COPYRIGHT.txt | License: BSD-3-Clause-HP (original text) | Score: 0.919 | mariadb-10.11.8/plugin/handler_socket/perl-Net-HandlerSocket/COPYRIGHT.txt | License: BSD-3-Clause-HP (original text) | Score: 0.919 | mariadb-10.11.8/plugin/handler_socket/handlersocket/COPYRIGHT.txt | License: BSD-3-Clause-HP (original text) | Score: 0.919 | mariadb-10.11.8/libmariadb/cmake/COPYING-CMAKE-SCRIPTS | License: BSD-3-Clause-HP (original text) | Score: 0.937 | mariadb-10.11.8/storage/innobase/COPYING.Google | License: BSD-3-Clause (original text) | Score: 0.917 | mariadb-10.11.8/storage/innobase/COPYING.Percona | License: BSD-3-Clause (original text) | Score: 0.917 | mariadb-10.11.8/storage/rocksdb/rocksdb/LICENSE.leveldb | License: BSD-3-Clause (original text) | Score: 0.953 BSD-3-Clause-HP: https://spdx.org/licenses/BSD-3-Clause-HP.html This license is almost identical to BSD-3-Clause, but adds "patent infringement" to the disclaimer. However after manual review, none of the licenses listed above contains the word "patent" (case insensitive) and all seems to be just the basic "BSD-3-Clause" =========== =========== =========== =========== =========== =========== | mariadb-10.11.8/storage/rocksdb/rocksdb/LICENSE.Apache | License: Apache-2.0 (original text) | Score: 1.000 OK =========== =========== =========== =========== =========== =========== | mariadb-10.11.8/storage/rocksdb/rocksdb/docs/LICENSE-DOCUMENTATION | License: CC-BY-4.0 (original text) | Score: 0.995 OK =========== =========== =========== =========== =========== =========== Furthermore, there are several occurrences of the BISON exception. Please note that the SPDX upstream does not have a specific indentifier for it, so we are using identifiers defined by Fedora project: https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ grep -i -e "of Bison" -r mariadb-10.11.9 All occurences are tied to GPL-3.0-or-later, so the correct resulting identifier is: ( GPL-3.0-or-later WITH Bison-exception-2.2 ) =========== =========== =========== =========== =========== =========== At this moment I finished going through results of 'askalono' tool. Now I used grep -i -e "licens" -r mariadb-10.11.8/ which yields roughly 24000 results, and go through them manually. After first go-through, I've refined the search a bit, ignoring common occurences: grep -i licens -r mariadb-10.11.8/ | \ grep -v \ -e "// This source code is licensed under both the GPLv2 (found in the" \ -e "// COPYING file in the root directory) and Apache 2.0 License" \ -e "// (found in the LICENSE.Apache file in the root directory)." \ -e "// Use of this source code is governed by a BSD-style license that can be" \ -e "// found in the LICENSE file. See the AUTHORS file for names of contributors." \ -e "it under the terms of the GNU General Public License as published by" \ -e "the Free Software Foundation; version 2 of the License." \ -e "GNU General Public License for more details." \ -e "You should have received a copy of the GNU General Public License" \ -e "it under the terms of the GNU General Public License, version 2.0," \ -e "but not limited to OpenSSL) that is licensed under separate terms," \ -e "as designated in a particular file or component or in included license" \ -e "separately licensed software that they have included with MySQL." \ -e "GNU General Public License, version 2.0, for more details." \ -e "License as published by the Free Software Foundation; either" \ -e "version 2.1 of the License, or (at your option) any later version." \ -e "Lesser General Public License for more details." \ -e "License along with this library; if not, write to the Free Software" \ -e "License version 2.1 as published by the Free Software Foundation." \ -e "the terms of the GNU General Public License as published by the Free Software" \ -e "License along with this library; if not, write to the Free" \ -e "version 2 of the License, or (at your option) any later version." \ -e "Library General Public License for more details." \ -e "License along with this library; if not see " \ | grep -i licens squeezing the results to roughly 3400 lines, for the second go through. Even then, it is tremendously attention demanding, and likely place for oversights. I've managed to discover the following: =========== =========== =========== =========== =========== =========== grep -i -e "under the GPL 1, 2 or 3 license" -r mariadb-10.11.8/ Files: mariadb-10.11.8/extra/mariabackup/quicklz/quicklz.c mariadb-10.11.8/extra/mariabackup/quicklz/quicklz.h states: "QuickLZ can be used for free under the GPL 1, 2 or 3 license" which makes it " ( GPL-1.0-only OR GPL-2.0-only GPL-3.0-only ) ", since the word "later" is not used. =========== =========== =========== =========== =========== =========== grep -i -e "BSD 2-Clause" -r mariadb-10.11.8/ Files: mariadb-10.11.8/storage/rocksdb/rocksdb/util/xxhash.cc mariadb-10.11.8/storage/rocksdb/rocksdb/util/xxhash.h mariadb-10.11.8/storage/rocksdb/rocksdb/util/xxh3p.h has the BSD 2-Clause License, which SPDX identifier is 'BSD-2-Clause' =========== =========== =========== =========== =========== =========== grep -w -e "MIT" -r mariadb-10.11.8/ File: mariadb-10.11.8/libmariadb/external/zlib/ucm.cmake is licesned under MIT, which SPDX identifier is also 'MIT'. Also text in: mariadb-10.11.8/storage/mroonga/vendor/groonga/README.md specifically: "* License: The MIT license. See vendor/mruby-source/MITL for details." *SUGGESTS* that all files under mariadb-10.11.8/storage/mroonga/vendor/groonga/vendor/mruby/* are also licensed under MIT, however the directory is actually named "vendor/mruby", not "vendor/mruby-source", and the "MITL" file is missing, and the single file mariadb-10.11.8/storage/mroonga/vendor/groonga/vendor/mruby/CMakeLists.txt is licensed undel LGPL 2.1, so it would be best to ask MariaDB upstream to clarify the license. Moreover file: mariadb-10.11.8/storage/maria/libmarias3/docs/_themes/sphinx_rtd_theme/static/css/theme.css states: "* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)" which makes it 'OFL-1.1 AND MIT' without parenthesis, as they are licenses of two distinct files. Files: mariadb-10.11.8/storage/rocksdb/rocksdb/util/murmurhash.cc mariadb-10.11.8/storage/rocksdb/rocksdb/util/murmurhash.h states, after the license header of '( GPL-2.0-only OR Apache-2.0 )': "All code is released to the public domain. For business purposes, Murmurhash is under the MIT license." The original website no longer exists, and "public domain" is too vague for SPDX. However we should mark the 'MIT' license, since it's NOT up to us - package maintainer - to guess the effective license (whether the package user will use the code for business purposes or not). =========== =========== =========== =========== =========== =========== grep -w -e "CC0" -r mariadb-10.11.8/ Files: mariadb-10.11.8/unittest/mysys/crc32-t.c mariadb-10.11.8/storage/rocksdb/rocksdb/util/timer_queue_test.cc mariadb-10.11.8/storage/rocksdb/rocksdb/util/timer_queue.h mariadb-10.11.8/mysql-test/suite/innodb/include/crc32.pl mention the CC0 license, which makes it 'CC0-1.0' =========== =========== =========== =========== =========== =========== grep -i -e "PHP license" -r mariadb-10.11.8/ Files: mariadb-10.11.8/libmariadb/libmariadb/ma_stmt_codec.c mariadb-10.11.8/libmariadb/libmariadb/ma_charset.c mariadb-10.11.8/libmariadb/libmariadb/mariadb_stmt.c mariadb-10.11.8/libmariadb/libmariadb/ma_password.c mariadb-10.11.8/libmariadb/libmariadb/ma_loaddata.c mention the PHP 3.0 and PHP 3.01 licenses, which makes it 'PHP-3.0 AND PHP-3.01' =========== =========== =========== =========== =========== =========== grep -i -e "The authors of MySQL hereby grant" -r mariadb-10.11.8/ 279 files from the command above states: The authors of MySQL hereby grant you an additional permission to link the program and your derivative works with the separately licensed software that they have included with MySQL. which I have no idea how to process. =========== =========== =========== =========== =========== =========== File 'storage/archive/azlib.h' is licensed under zlib license. =========== =========== =========== =========== =========== =========== Files: strings/dtoa.c libmariadb/libmariadb/ma_dtoa.c are licensed under 'dtoa' license: https://spdx.org/licenses/dtoa.html =========== =========== =========== =========== =========== =========== These files are licensed under FSFAP: | grep -i -e "medium without royalty" -r . https://spdx.org/licenses/FSFAP.html =========== =========== =========== =========== =========== =========== File 'storage/mroonga/vendor/groonga/lib/grn_ecmascript.c' is licensed under 'blessing' license: https://spdx.org/licenses/blessing.html =========== =========== =========== =========== =========== =========== File 'storage/connect/unzip.c' is licensed under 'Info-ZIP' license: https://spdx.org/licenses/Info-ZIP.html =========== =========== =========== =========== =========== =========== File 'libmysqld/lib_sql.cc' is licensed under 'Boehm-GC' license: https://spdx.org/licenses/Boehm-GC.html =========== =========== =========== =========== =========== =========== Files: mariadb-10.11.8/mysys/psi_noop.c mariadb-10.11.8/include/mysql/psi/psi_base.h mariadb-10.11.8/include/mysql/psi/psi_memory.h States: Without limiting anything contained in the foregoing, this file, which is part of C Driver for MySQL (Connector/C), is also subject to the Universal FOSS Exception, version 1.0, a copy of which can be found at http://oss.oracle.com/licenses/universal-foss-exception. which is IMO something that needs to be added to SPDX database. =========== =========== =========== =========== =========== =========== Files like these: mariadb-10.11.8/storage/maria/libmarias3/tests/include.am mariadb-10.11.8/storage/maria/libmarias3/docs/_themes/sphinx_rtd_theme/search.html states that they are licensed under BSD license, which text should be attached, but the closest license file I found was GPL or LGPL. Someone with better search-fu, or clarification from MariaDB upstream, would be welcomed. There are other files under various types of BSD, GPL and LGPL licenses, so even if they would switch the license, we likely should have it already covered. =========== =========== =========== =========== =========== =========== So the resulting "License:" field should be: ( GPL-2.0-only OR Apache-2.0 ) AND ( GPL-2.0-or-later OR Apache-2.0 ) AND BSD-2-Clause AND BSD-3-Clause AND CC-BY-4.0 AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ( GPL-3.0-or-later WITH Bison-exception-2.2 ) AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OpenSSL AND MIT AND OFL-1.1 AND CC0-1.0 AND PHP-3.0 AND PHP-3.01 AND zlib AND dtoa AND FSFAP AND blessing AND Info-ZIP AND Boehm-GC =========== =========== =========== =========== =========== =========== I hope I caught all of the licenses. If that's not the case, please contribute a fix or at least report a bug against this package so we can correct it. A detailed examination of chaotic, and on many places (at least) seemingly outdated, file "THIRDPARTY" might be good place to start review of my work. UPDATE: Results of thorough review from Ales Nezbeda were incorporated into this commit. --- mariadb10.11.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mariadb10.11.spec b/mariadb10.11.spec index ad56e1f..13b9986 100644 --- a/mariadb10.11.spec +++ b/mariadb10.11.spec @@ -162,7 +162,7 @@ Epoch: 3 Summary: A very fast and robust SQL database server URL: http://mariadb.org -License: GPLv2 and LGPLv2 +License: ( GPL-2.0-only OR Apache-2.0 ) AND ( GPL-2.0-or-later OR Apache-2.0 ) AND BSD-2-Clause AND BSD-3-Clause AND CC-BY-4.0 AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ( GPL-3.0-or-later WITH Bison-exception-2.2 ) AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OpenSSL AND MIT AND OFL-1.1 AND CC0-1.0 AND PHP-3.0 AND PHP-3.01 AND zlib AND dtoa AND FSFAP AND blessing AND Info-ZIP AND Boehm-GC Source0: https://downloads.mariadb.org/interstitial/mariadb-%{version}/source/mariadb-%{version}.tar.gz %if %{with bundled_fmt}