licensing and SPDX
Does anyone have opinions on the licensing of Exim?


The project front-page ( https://exim.org/index.html )
says "under the terms of the GNU General Public Licence",
and links to the GPL page (which primarily promotes GPLv3,
though older versions are present deeper in that site).

The earliest version of that text I can locate is from May 2000
( exim-website git; 4bec300304 ), which predates GPLv3 (2007).
GPLv2 was 1991.

The file "LICENCE" in the exim git "/src" directory, which ends
up in the top directory of the extracted tarball of a distribution,
is GPLv2.


Now, along comes SPDX: a standard for labelling files with
the license that applies. Yup, we're late as usual...

a) Do we care? Should we label every text file in sight?
Or not take any action?
b) Do existing licence conditions mentioned in specific file matter?
For example: a few files are commented (my precis) "GPLv2 or later",
some with "open source, do what you want".
We could
- not label such files
- try to use a label matching the existing text
- label with the project choice of licence
c) What license should we label with?
- Given the dates above, I'm tempted to say that GPLv2-only
should be taken as the original intent. But I don't know
how much freedom we have for change, nor what (if any)
might be preferred.
d) What are the legal implications of doing this labelling?
Specifically, when different files are differently (not)labelled?
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: licensing and SPDX
On 2022-10-30 Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> Does anyone have opinions on the licensing of Exim?

> The project front-page ( https://exim.org/index.html )
> says "under the terms of the GNU General Public Licence",
> and links to the GPL page (which primarily promotes GPLv3,
> though older versions are present deeper in that site).

> The earliest version of that text I can locate is from May 2000
> ( exim-website git; 4bec300304 ), which predates GPLv3 (2007).
> GPLv2 was 1991.

> The file "LICENCE" in the exim git "/src" directory, which ends
> up in the top directory of the extracted tarball of a distribution,
> is GPLv2.
[...]

Hello,

Just a quick f'up, will try to answer in more detail on another day.
I have always relied on NOTICE which says GPLv2+ with OpenSSL linking
exception.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: licensing and SPDX
On 2022-10-30 Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
[...]
> Now, along comes SPDX: a standard for labelling files with
> the license that applies. Yup, we're late as usual...

> a) Do we care? Should we label every text file in sight?
> Or not take any action?
> b) Do existing licence conditions mentioned in specific file matter?
> For example: a few files are commented (my precis) "GPLv2 or later",
> some with "open source, do what you want".
> We could
> - not label such files
> - try to use a label matching the existing text
> - label with the project choice of licence
> c) What license should we label with?
> - Given the dates above, I'm tempted to say that GPLv2-only
> should be taken as the original intent. But I don't know
> how much freedom we have for change, nor what (if any)
> might be preferred.
> d) What are the legal implications of doing this labelling?
> Specifically, when different files are differently (not)labelled?

IANAL:
d) There should not be any changes; labelling with SPDX is documentation,
it does not change who wrote the file, holds the copyright and under
which license it was released. Which also answers c/b).

a) Yes, but. It would be very nice if the whole exim distribution had
correct per-file attribution/copyright/license. However it is going to
be quite a bit of work and it is the type of work with - well - limited
appeal for many.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: licensing and SPDX
• Jeremy Harris via Exim-users [2022-10-30 12:22]:
> Does anyone have opinions on the licensing of Exim?
>
> The project front-page ( https://exim.org/index.html )
> says "under the terms of the GNU General Public Licence",
> and links to the GPL page (which primarily promotes GPLv3,
> though older versions are present deeper in that site).
>
> The earliest version of that text I can locate is from May 2000
> ( exim-website git; 4bec300304 ), which predates GPLv3 (2007).
> GPLv2 was 1991.
>
> The file "LICENCE" in the exim git "/src" directory, which ends
> up in the top directory of the extracted tarball of a distribution,
> is GPLv2.

There's a file called src/NOTICE, added by ph10, which states that Exim
can be redistributed and/or modified under the terms of GPLv2 or any
later version.

The NOTICE file mentions that a copy of the GPL should be received, and
that copy is present in src/LICENCE, added there by ph10.

Lots of files refer to the file NOTICE for conditions of use and
distribution.

There's also a file called src/CONTRIBUTING, which deals with
contributions and what is assumed to apply for any contributions (author
retains copyright + contribution licenses under same terms as Exim).
Although that file was added in 2010
(https://git.exim.org/exim.git/commit/2daddfb8bf41421c78cbc9bf5cf5a24acc4b0ff8),
I'd say it's safe to assume the same for any contributions prior to
that. OTOH, there's always a risk with making assumptions when dealing
with copyright law.

> Now, along comes SPDX: a standard for labelling files with
> the license that applies. Yup, we're late as usual...
>
> a) Do we care? Should we label every text file in sight?
> Or not take any action?

The first question would be: why bother at all? For a new project, sure,
go ahead with SPDX -- but for existing? Exim carries quite a lot of
history. Luckily, the copyright to the roots is probably fully at the
University of Cambridge.

A quick read on SPDX indicates that SPDX license identifiers should
apply at the file level.

> b) Do existing licence conditions mentioned in specific file matter?
> For example: a few files are commented (my precis) "GPLv2 or later",
> some with "open source, do what you want".

If SPDX shall apply at the file level, then at least some files could be
labeled based on existing comments. Personally, I would either not do
such labelling on any file unless I was the original creator of the file
or at least be very selective of where I do the labelling. Why? Because
such labelling means that I'd have to be sure that

- I fully understand the intent of the original author based on the comment,
- I fully understand the scope and implications of SPDX label,
- I am absolutely sure that there's no gap between those.

Now, the SPDX labels seem simple enough, but still...

For Exim project, I'd say it'd be doable to label the project itself and
those files which specifically refer to the src/NOTICE file. To be on
the safe side, one could reach out to the University of Cambridge and
inform them of the labelling.

> We could
> - not label such files

Safe approach, would probably be the advice of your typical lawyer.

> - try to use a label matching the existing text

Doable for files which refer to src/NOTICE, maybe doable for others as
well. When no specific license mentioned, either not label or reach out
to author and ask what label should apply (e.g. WTFPL when they say "do
what you want").

> - label with the project choice of licence

For files added after src/CONTRIBUTING was added, this could be an
option. Still, I'd reach out to relevant author(s) and inform of the
labelling.

> c) What license should we label with?
> - Given the dates above, I'm tempted to say that GPLv2-only
> should be taken as the original intent. But I don't know
> how much freedom we have for change, nor what (if any)
> might be preferred.

According to the NOTICE, it's GPLv2 or later, and that's what should
apply to the files which refer to the NOTICE file.

> d) What are the legal implications of doing this labelling?
> Specifically, when different files are differently (not)labelled?

In theory there are no legal implications, as labelling does not do any
magic. In practice, however, you may end up with a situation where
labelling will be used to make decisions which otherwise would require
human evaluation.

For files added after src/CONTRIBUTING was added, it's safe-ish to
assume same labelling as for the rest of Exim. Maybe reach out to the
author and inform them of the labelling (with a copy e.g. to the
exim-dev, to ensure that request and any response is documented).

> --
> Cheers,
> Jeremy

Re: licensing and SPDX
Jeremy Harris via Exim-users <exim-users@exim.org> (Sun 30 Oct 2022 13:22:25 CET):
> Does anyone have opinions on the licensing of Exim?

I didn't think about Exim's licensing ever. For me Exim is just Free and
Open Source, whatever this means in detail, but *personally* most
important: no restrictions are applied to Exim's use. (Which means, even
if you're a spammer or terrorist (from my limited point of view), you're
free to use Exim, I may hate you doing so, but I won't deny it.)

But, leaving this private thing aside…

> a) Do we care? Should we label every text file in sight?
> Or not take any action?

I wouldn't care too much right now.

> b) Do existing licence conditions mentioned in specific file matter?
> For example: a few files are commented (my precis) "GPLv2 or later",
> some with "open source, do what you want".
> We could
> - not label such files
> - try to use a label matching the existing text
> - label with the project choice of licence

In theory I'd say the file's license overrides the one provided
globally. But from a practical point of view I wouldn't expect a user to
check every single file for the license. (But probably that's what SPDX
then could make a bit easier.)

> c) What license should we label with?
> - Given the dates above, I'm tempted to say that GPLv2-only
> should be taken as the original intent. But I don't know
> how much freedom we have for change, nor what (if any)
> might be preferred.

From a legal point of view (but IANAL by any means), we probably could
find an SPDX identifier matching the *current* license statement of each
individual file, to match the *current* intent. This implicates that
the *current* license is compatible with any previous one or is
confirmed by the holder of the previous license.


Changing *all* files might be doable, but I wouldn't feel comfortable
doing so, because it would require me to understand the licensing
details of every single file.

1) require *new* files having the SPDX identifier
2) (in a 2nd step) require modified files having that identifier

Both should be doable with hooks in our Git repo.

> d) What are the legal implications of doing this labelling?
> Specifically, when different files are differently (not)labelled?

Not sure at all.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
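
Added example (not part of the thread and not Exim project code): a `pre-commit` hook for step 1 in the message above, rejecting newly added files whose staged content has no `SPDX-License-Identifier` tag near the top. The function names, the 5-line window and the `SPDX_DIFF_FILTER` variable are assumptions made here; setting the filter to `AM` extends the check to modified files (step 2).

```shell
#!/bin/sh
# Added example: pre-commit hook requiring an SPDX tag on newly added files.
# Assumptions (not from the thread): tag within the first 5 lines;
# SPDX_DIFF_FILTER=A checks new files only, AM also checks modified ones.

SPDX_HEAD_LINES=5
SPDX_DIFF_FILTER=${SPDX_DIFF_FILTER:-A}

# True if stdin has "SPDX-License-Identifier: <expression>" with a non-empty
# expression within the first $SPDX_HEAD_LINES lines.
has_spdx_id() {
    head -n "$SPDX_HEAD_LINES" |
        grep -Eq 'SPDX-License-Identifier:[[:space:]]*[A-Za-z0-9(]'
}

# Print the staged (index) version of a path, i.e. what will be committed,
# not whatever is in the working tree.
staged_blob() {
    git show ":$1"
}

# Read newline-separated paths on stdin; print each path whose content,
# as produced by the reader command given in "$@", has no tag.
list_unlabelled() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        "$@" "$path" 2>/dev/null | has_spdx_id || printf '%s\n' "$path"
    done
}

run_hook() {
    missing=$(git -c core.quotePath=false diff --cached --name-only \
                  --diff-filter="$SPDX_DIFF_FILTER" | list_unlabelled staged_blob)
    [ -z "$missing" ] && return 0
    echo "Refusing commit: no SPDX-License-Identifier tag in:" >&2
    printf '%s\n' "$missing" | sed 's/^/  /' >&2
    return 1
}

# Run only when installed as .git/hooks/pre-commit, so the functions can be
# sourced and exercised on their own.
case "$0" in
    */pre-commit) run_hook ;;
esac
```

The hook only checks that a tag is present; it does not decide which licence applies to a file, which is the part the thread treats as needing human judgement.
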
Re: licensing and SPDX
On 30/10/2022 15:37, Andreas Metzler via Exim-users wrote:
> a) Yes, but. It would be very nice if the whole exim distribution had
> correct per-file attribution/copyright/license. However it is going to
> be quite a bit of work and it is the type of work with - well - limited
> appeal for many.

Would Debian use such markup in any way?
--
Cheers,
Jeremy


Re: licensing and SPDX
On Mon, 31 Oct 2022, Heiko Schlittermann via Exim-users wrote:

>
> From a legal point of view (but IANAL by any means), we probably
> could find an SPDX identifier matching the *current* license
> statement of each individual file, to match the *current* intent.
> This implicates that the *current* license is compatible with any
> previous one or is confirmed by the holder of the previous license.
>
>
> Changing *all* files might be doable, but I wouldn't feel
> comfortable doing so, because it would require me to understand the
> licensing details of every single file.
>
> 1) require *new* files having the SPDX identifier
> 2) (in a 2nd step) require modified files having that identifier
>
> Both should be doable with hooks in our Git repo.

Theoretically 2) means we cannot change a file if we do not understand
its licensing details :-(

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: licensing and SPDX
On 2022-10-31 Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 30/10/2022 15:37, Andreas Metzler via Exim-users wrote:
> > a) Yes, but. It would be very nice if the whole exim distribution had
> > correct per-file attribution/copyright/license. However it is going to
> > be quite a bit of work and it is the type of work with - well - limited
> > appeal for many.

> Would Debian use such markup in any way?

Eventually. Debian has something called machine readable copyright
format to document per file copyright/license information. It emerged
in parallel with SPDX. However afaik we do not have packaged tooling to
automatically generate DEP-5 copyright files from SPDX license
identifiers. Reuse might do the trick.

(Currently the Debian packaging does not provide a machine readable
copyright file.)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
