[aur-dev] AUR 4 and licensing
Hello, Currently the content of the AUR is in a sort of gray zone. All of the contents are technically copyrighted, and since there is no explicit license it defaults to 'all rights reserved'. To mitigate this I’d propose making a ToS for the AUR that for one says that the user agrees to either license the PKGBUILD and accompanying scripts under a specific license, or that they agree to assign copyright to Arch Linux. While it wouldn’t be possible to apply it to the packages already upload, I’d suggest implementing this change during the migration to AUR 4.0.0 when the official AUR will be started afresh, causing all newly uploaded packages to fall under the ToS. Comments? -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
Hello, I agree, this problem should be fixed. I suggest that whenever uploading a PKGBUILD one must agree that one is willing to licence the content of the scripts under GPLv3. I guess a checkbox should be enaught. By the way GNOME extensions are handled more or less the same way so it should also work for arch. Best regards Gordian Hello, Currently the content of the AUR is in a sort of gray zone. All of the contents are technically copyrighted, and since there is no explicit license it defaults to 'all rights reserved'. To mitigate this I’d propose making a ToS for the AUR that for one says that the user agrees to either license the PKGBUILD and accompanying scripts under a specific license, or that they agree to assign copyright to Arch Linux. While it wouldn’t be possible to apply it to the packages already upload, I’d suggest implementing this change during the migration to AUR 4.0.0 when the official AUR will be started afresh, causing all newly uploaded packages to fall under the ToS. Comments? -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
On 12/04, Gordian Edenhofer wrote:
Hello,
I agree, this problem should be fixed. I suggest that whenever uploading a PKGBUILD one must agree that one is willing to licence the content of the scripts under GPLv3. I guess a checkbox should be enaught. By the way GNOME extensions are handled more or less the same way so it should also work for arch.
Alas that wouldn’t work since with AUR 4.0.0 you will use git to upload packages, and can also use git to create them. A short Terms of Services, just a few sentences that are short enough that people will actually read them, seems like the only possibility to me. -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
On Sun, 12 Apr 2015 at 01:47:10, Johannes Löthberg wrote:
[...] To mitigate this I’d propose making a ToS for the AUR that for one says that the user agrees to either license the PKGBUILD and accompanying scripts under a specific license, or that they agree to assign copyright to Arch Linux.
While it wouldn’t be possible to apply it to the packages already upload, I’d suggest implementing this change during the migration to AUR 4.0.0 when the official AUR will be started afresh, causing all newly uploaded packages to fall under the ToS. [...]
I like this idea. GPL3 is probably the best choice, given that we already use the GPL for most projects. Since we are not going to remove any accounts when moving to AUR 4.0.0, I suggest showing the ToS when registering and when logging into the AUR for the first time (unless they were already accepted previously).
On 12/04, Lukas Fleischer wrote:
On Sun, 12 Apr 2015 at 01:47:10, Johannes Löthberg wrote:
[...] To mitigate this I’d propose making a ToS for the AUR that for one says that the user agrees to either license the PKGBUILD and accompanying scripts under a specific license, or that they agree to assign copyright to Arch Linux.
While it wouldn’t be possible to apply it to the packages already upload, I’d suggest implementing this change during the migration to AUR 4.0.0 when the official AUR will be started afresh, causing all newly uploaded packages to fall under the ToS. [...]
I like this idea. GPL3 is probably the best choice, given that we already use the GPL for most projects.
Since we are not going to remove any accounts when moving to AUR 4.0.0, I suggest showing the ToS when registering and when logging into the AUR for the first time (unless they were already accepted previously).
Sounds like a plan. -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
It is possible in git to message the user who is trying to push to the repo. Therefore it would be easy to notify git-users that by uploading they agree to distribute their PKGBUILD under GPLv3. I personally think that this behavior is more appropriate than just asking once when the account is created respectively updated. It would remind the user each and every time that they must agree to license their files under GPL. Maybe it might even make sense to combine both proposed solutions.
On 12/04, Gordian Edenhofer wrote:
It is possible in git to message the user who is trying to push to the repo. Therefore it would be easy to notify git-users that by uploading they agree to distribute their PKGBUILD under GPLv3. I personally think that this behavior is more appropriate than just asking once when the account is created respectively updated. It would remind the user each and every time that they must agree to license their files under GPL. Maybe it might even make sense to combine both proposed solutions.
Showing it during a push would be flawed because then it’s too late for them not to agree to it. -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
On 12/04/15 16:25, Lukas Fleischer wrote:
I like this idea. GPL3 is probably the best choice, given that we already use the GPL for most projects.
Many PKGBUILDs won't even pass the threshold of originality (ie. not copyrightable = Public Domain). And for patches, forcing (or encouraging) a GPL 3 license for a non-GPL program is a really really bad idea. Patches should be under the same (or more liberal) license as the original program, in order to promote sharing and even being merged upstream. A PKGBUILD is (usually) little more than a series of ./configure and make incantations.* A MIT/CC-BY license would be more than enough if any. * They may be hard to discover and maintain, and it is certainly nice to recognise such efforts, but stating a bunch of configure flags doesn't create copyright.
On Sun, 12 Apr 2015 16:25:04 +0200 Lukas Fleischer <lfleischer@archlinux.org> wrote:
On Sun, 12 Apr 2015 at 01:47:10, Johannes Löthberg wrote:
[...] To mitigate this I’d propose making a ToS for the AUR that for one says that the user agrees to either license the PKGBUILD and accompanying scripts under a specific license, or that they agree to assign copyright to Arch Linux.
While it wouldn’t be possible to apply it to the packages already upload, I’d suggest implementing this change during the migration to AUR 4.0.0 when the official AUR will be started afresh, causing all newly uploaded packages to fall under the ToS. [...]
I like this idea. GPL3 is probably the best choice, given that we already use the GPL for most projects.
Since we are not going to remove any accounts when moving to AUR 4.0.0, I suggest showing the ToS when registering and when logging into the AUR for the first time (unless they were already accepted previously).
How would this work with patches? If you have to cherry-pick a patch from upstream after a release, you can't just relicense it like that.
On 13/04, Doug Newgard wrote:
On Sun, 12 Apr 2015 16:25:04 +0200 Lukas Fleischer <lfleischer@archlinux.org> wrote:
On Sun, 12 Apr 2015 at 01:47:10, Johannes Löthberg wrote:
[...] To mitigate this I’d propose making a ToS for the AUR that for one says that the user agrees to either license the PKGBUILD and accompanying scripts under a specific license, or that they agree to assign copyright to Arch Linux.
While it wouldn’t be possible to apply it to the packages already upload, I’d suggest implementing this change during the migration to AUR 4.0.0 when the official AUR will be started afresh, causing all newly uploaded packages to fall under the ToS. [...]
I like this idea. GPL3 is probably the best choice, given that we already use the GPL for most projects.
Since we are not going to remove any accounts when moving to AUR 4.0.0, I suggest showing the ToS when registering and when logging into the AUR for the first time (unless they were already accepted previously).
How would this work with patches? If you have to cherry-pick a patch from upstream after a release, you can't just relicense it like that.
The patch would obviously still be licensed under whatever the project uses. -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
participants (5)
-
Doug Newgard
-
Gordian Edenhofer
-
Johannes Löthberg
-
Linas
-
Lukas Fleischer