Bug 2045491

Summary: license tag for below subpackage incorrect / incomplete
Product: [Fedora] Fedora Reporter: Fabio Valentini <decathorpe>
Component: rust-below Assignee: Michel Lind <michel>
Status: CLOSED ERRATA QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 36 CC: davide, michel, rust-sig
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rust-below-0.5.0-2.fc36 rust-below-0.5.0-2.fc37 rust-below-0.5.0-2.fc34 rust-below-0.5.0-2.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-02-19 22:17:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Fabio Valentini 2022-01-25 16:50:36 UTC
I recently rebuilt below to apply a security update, but noticed that it does not specify its package license correctly. The rust-below package produces a statically linked binary, shipped in the "below" subpackage. However, the package's License tag does not reflect the fact that a lot of code from different crates with different licenses is included.

To determine the list of crate licenses, you can use the following steps:

- run a mock build with "--without check" (so test-only dependencies are not installed)
- inspect the list of rust-*-devel packages that are installed in the buildroot for their licenses

For example, running this script in a "mock shell" after a build with "--without check" prints the sorted list of crate licenses:

# Print the sorted, de-duplicated License tags of all rust-*-devel packages in the buildroot
for i in $(rpm -qa | grep "rust-.*-devel"); do
   rpm -q "$i" --qf "%{LICENSE}\n"
done | sort -u

You can look at ripgrep for an example of how packages handle this:
https://src.fedoraproject.org/rpms/rust-ripgrep/blob/rawhide/f/rust-ripgrep.spec#_32

If you want a per-crate license breakdown, you can install "dnf-utils" into the mock chroot, and run this command instead:

dnf repoquery --cacheonly "rust-*-devel" --installed --qf "# %{LICENSE}: %{source_name} %{version}"

You can look at python-launcher as an example of a package that includes the detailed breakdown:
https://src.fedoraproject.org/rpms/rust-python-launcher/blob/rawhide/f/rust-python-launcher.spec#_67

The downside of including the detailed breakdown is that it needs to be updated every time the package is built, while the simplified list is usually pretty static, unless some dependencies change.

================================================================================

Output of the license helper scripts for below 0.4.1 against current rawhide are pasted below. Either way, the correct License tag for the "-n %{crate}" subpackage of rust-below should be something like this (if you resolve all "or" choices where you don't actually have a choice because of other components' licenses):

License: ASL 2.0 and BSD and MIT

Note that this License tag should only be included in the "-n %{crate}" subpackage. The "ASL 2.0" License tag for the source package is still correct.

================================================================================

Output of bash script for below 0.4.1 ("simplified license breakdown"):

ASL 2.0
ASL 2.0 or Boost
ASL 2.0 or MIT
BSD
BSD or MIT or ASL 2.0
LGPLv2 or BSD
MIT
MIT or ASL 2.0
MPLv2.0 or MIT or ASL 2.0
Unlicense or MIT

================================================================================

Output of dnf repoquery for below 0.4.1 ("detailed license breakdown"):

# ASL 2.0 or Boost: rust-ryu 1.0.9
# ASL 2.0 or MIT: rust-autocfg 1.0.1
# ASL 2.0 or MIT: rust-cexpr 0.6.0
# ASL 2.0 or MIT: rust-fnv 1.0.7
# ASL 2.0 or MIT: rust-lock_api 0.4.5
# ASL 2.0 or MIT: rust-parking_lot 0.11.2
# ASL 2.0 or MIT: rust-parking_lot_core 0.8.5
# ASL 2.0 or MIT: rust-peeking_take_while 0.1.2
# ASL 2.0 or MIT: rust-proc-macro-crate 1.1.0
# ASL 2.0 or MIT: rust-rustc-hash 1.1.0
# ASL 2.0 or MIT: rust-signal-hook 0.3.13
# ASL 2.0 or MIT: rust-signal-hook-mio 0.2.1
# ASL 2.0 or MIT: rust-signal-hook-registry 1.4.0
# ASL 2.0 or MIT: rust-signal-hook0.1 0.1.17
# ASL 2.0 or MIT: rust-structopt 0.3.25
# ASL 2.0 or MIT: rust-structopt-derive 0.4.18
# ASL 2.0 or MIT: rust-thread_local 1.1.4
# ASL 2.0: rust-below-common 0.4.1
# ASL 2.0: rust-below-config 0.4.1
# ASL 2.0: rust-below-dump 0.4.1
# ASL 2.0: rust-below-model 0.4.1
# ASL 2.0: rust-below-render 0.4.1
# ASL 2.0: rust-below-store 0.4.1
# ASL 2.0: rust-below-view 0.4.1
# ASL 2.0: rust-below_derive 0.4.1
# ASL 2.0: rust-cgroupfs 0.4.1
# ASL 2.0: rust-clang-sys 1.3.0
# ASL 2.0: rust-fb_procfs 0.4.1
# ASL 2.0: rust-xi-unicode 0.3.0
# BSD or MIT or ASL 2.0: rust-num_enum 0.5.5
# BSD or MIT or ASL 2.0: rust-num_enum_derive 0.5.5
# BSD: rust-bindgen 0.59.2
# BSD: rust-instant 0.1.12
# BSD: rust-libbpf-sys 0.5.0~2
# LGPLv2 or BSD: rust-libbpf-cargo 0.9.3
# LGPLv2 or BSD: rust-libbpf-rs 0.14.0
# MIT or ASL 2.0: rust-ahash 0.7.6
# MIT or ASL 2.0: rust-anyhow 1.0.52
# MIT or ASL 2.0: rust-bitflags 1.3.2
# MIT or ASL 2.0: rust-cargo-platform 0.1.2
# MIT or ASL 2.0: rust-cc 1.0.72
# MIT or ASL 2.0: rust-cfg-if 1.0.0
# MIT or ASL 2.0: rust-chrono 0.4.19
# MIT or ASL 2.0: rust-crossbeam-channel 0.5.2
# MIT or ASL 2.0: rust-crossbeam-utils 0.8.6
# MIT or ASL 2.0: rust-derivative 2.2.0
# MIT or ASL 2.0: rust-dirs-next 2.0.0
# MIT or ASL 2.0: rust-dirs-sys-next 0.1.2
# MIT or ASL 2.0: rust-either 1.6.1
# MIT or ASL 2.0: rust-enum-map 1.1.0
# MIT or ASL 2.0: rust-enum-map-derive 0.5.0
# MIT or ASL 2.0: rust-env_logger 0.9.0
# MIT or ASL 2.0: rust-erased-serde 0.3.17
# MIT or ASL 2.0: rust-futures-core 0.3.19
# MIT or ASL 2.0: rust-getrandom 0.2.3
# MIT or ASL 2.0: rust-glob 0.3.0
# MIT or ASL 2.0: rust-half 1.8.2
# MIT or ASL 2.0: rust-heck0.3 0.3.3
# MIT or ASL 2.0: rust-humantime 2.1.0
# MIT or ASL 2.0: rust-ident_case 1.0.1
# MIT or ASL 2.0: rust-itertools 0.10.3
# MIT or ASL 2.0: rust-itoa 1.0.1
# MIT or ASL 2.0: rust-jobserver 0.1.24
# MIT or ASL 2.0: rust-lazy_static 1.4.0
# MIT or ASL 2.0: rust-lazycell 1.3.0
# MIT or ASL 2.0: rust-libc 0.2.113
# MIT or ASL 2.0: rust-log 0.4.14
# MIT or ASL 2.0: rust-maplit 1.0.2
# MIT or ASL 2.0: rust-match_cfg 0.1.0
# MIT or ASL 2.0: rust-memmap 0.7.0
# MIT or ASL 2.0: rust-memmap2 0.3.1
# MIT or ASL 2.0: rust-minimal-lexical 0.2.1
# MIT or ASL 2.0: rust-num-complex0.3 0.3.1
# MIT or ASL 2.0: rust-num-integer 0.1.44
# MIT or ASL 2.0: rust-num-iter 0.1.42
# MIT or ASL 2.0: rust-num-rational0.3 0.3.2
# MIT or ASL 2.0: rust-num-traits 0.2.14
# MIT or ASL 2.0: rust-num0.3 0.3.1
# MIT or ASL 2.0: rust-num_cpus 1.13.1
# MIT or ASL 2.0: rust-numtoa 0.2.4
# MIT or ASL 2.0: rust-once_cell 1.9.0
# MIT or ASL 2.0: rust-openat 0.1.21
# MIT or ASL 2.0: rust-pest 2.1.3
# MIT or ASL 2.0: rust-pkg-config 0.3.24
# MIT or ASL 2.0: rust-plain 0.2.3
# MIT or ASL 2.0: rust-ppv-lite86 0.2.16
# MIT or ASL 2.0: rust-proc-macro-error 1.0.4
# MIT or ASL 2.0: rust-proc-macro-error-attr 1.0.4
# MIT or ASL 2.0: rust-proc-macro2 1.0.36
# MIT or ASL 2.0: rust-quote 1.0.14
# MIT or ASL 2.0: rust-rand 0.8.4
# MIT or ASL 2.0: rust-rand_chacha 0.3.1
# MIT or ASL 2.0: rust-rand_core 0.6.3
# MIT or ASL 2.0: rust-regex 1.5.4
# MIT or ASL 2.0: rust-regex-syntax 0.6.25
# MIT or ASL 2.0: rust-remove_dir_all 0.7.0
# MIT or ASL 2.0: rust-scopeguard 1.1.0
# MIT or ASL 2.0: rust-semver 1.0.4
# MIT or ASL 2.0: rust-semver-parser 0.10.2
# MIT or ASL 2.0: rust-semver0.11 0.11.0
# MIT or ASL 2.0: rust-serde 1.0.134
# MIT or ASL 2.0: rust-serde_cbor 0.11.2
# MIT or ASL 2.0: rust-serde_derive 1.0.134
# MIT or ASL 2.0: rust-serde_json 1.0.74
# MIT or ASL 2.0: rust-shlex 1.1.0
# MIT or ASL 2.0: rust-smallvec 1.7.0
# MIT or ASL 2.0: rust-stable_deref_trait 1.2.0
# MIT or ASL 2.0: rust-static_assertions 1.1.0
# MIT or ASL 2.0: rust-syn 1.0.86
# MIT or ASL 2.0: rust-tempfile 3.2.0
# MIT or ASL 2.0: rust-term 0.7.0
# MIT or ASL 2.0: rust-thiserror 1.0.30
# MIT or ASL 2.0: rust-thiserror-impl 1.0.30
# MIT or ASL 2.0: rust-threadpool 1.8.1
# MIT or ASL 2.0: rust-time0.1 0.1.44
# MIT or ASL 2.0: rust-toml 0.5.8
# MIT or ASL 2.0: rust-ucd-trie 0.1.3
# MIT or ASL 2.0: rust-unicode-segmentation 1.8.0
# MIT or ASL 2.0: rust-unicode-width 0.1.9
# MIT or ASL 2.0: rust-unicode-xid 0.2.2
# MIT or ASL 2.0: rust-vec_map 0.8.2
# MIT or ASL 2.0: rust-version_check 0.9.4
# MIT or ASL 2.0: rust-wasmer_enumset 1.0.1
# MIT or ASL 2.0: rust-wasmer_enumset_derive 0.5.0
# MIT or ASL 2.0: rust-zstd-safe 4.1.3
# MIT or ASL 2.0: rust-zstd-sys 1.6.2
# MIT: rust-ansi_term 0.12.1
# MIT: rust-atty 0.2.14
# MIT: rust-bytes 1.1.0
# MIT: rust-cargo_metadata 0.12.3
# MIT: rust-clap2 2.34.0
# MIT: rust-crossterm 0.20.0
# MIT: rust-crossterm0.19 0.19.0
# MIT: rust-cursive 0.16.3
# MIT: rust-cursive_buffered_backend 0.5.0
# MIT: rust-cursive_core 0.2.2
# MIT: rust-darling0.12 0.12.4
# MIT: rust-darling_core0.12 0.12.4
# MIT: rust-darling_macro0.12 0.12.4
# MIT: rust-hostname 0.3.1
# MIT: rust-memoffset 0.6.5
# MIT: rust-mio 0.7.14
# MIT: rust-nix0.22 0.22.2
# MIT: rust-nom 7.1.0
# MIT: rust-os_info 3.0.9
# MIT: rust-owning_ref 0.4.1
# MIT: rust-scroll 0.10.2
# MIT: rust-scroll_derive 0.10.5
# MIT: rust-strsim 0.10.0
# MIT: rust-strum_macros 0.21.1
# MIT: rust-take_mut 0.2.2
# MIT: rust-termion 1.5.6
# MIT: rust-textwrap0.11 0.11.0
# MIT: rust-users 0.11.0
# MIT: rust-vsprintf 2.0.0
# MIT: rust-which 4.2.2
# MIT: rust-zstd 0.9.2
# MPLv2.0 or MIT or ASL 2.0: rust-slog 2.7.0
# MPLv2.0 or MIT or ASL 2.0: rust-slog-async 2.7.0
# MPLv2.0 or MIT or ASL 2.0: rust-slog-term 2.8.0
# Unlicense or MIT: rust-aho-corasick 0.7.18
# Unlicense or MIT: rust-memchr 2.4.1
# Unlicense or MIT: rust-same-file 1.0.6
# Unlicense or MIT: rust-termcolor 1.1.2
# Unlicense or MIT: rust-walkdir 2.3.2
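
Added example (not part of the original report, and not Fedora tooling): one mechanical reading of the "resolve all 'or' choices" step, applied to the simplified list above. The function names below_license_list and resolve_license_tag are hypothetical, and parenthesising a choice that stays open is this example's own convention.

```shell
#!/bin/sh
# Added example, not from the bug report: collapse a simplified license list
# (one License expression per line) into a single License tag.

# Simplified list for below 0.4.1, copied from the report above.
below_license_list() {
    cat <<'EOF'
ASL 2.0
ASL 2.0 or Boost
ASL 2.0 or MIT
BSD
BSD or MIT or ASL 2.0
LGPLv2 or BSD
MIT
MIT or ASL 2.0
MPLv2.0 or MIT or ASL 2.0
Unlicense or MIT
EOF
}

# Assumption: an "or" expression is no real choice when one of its
# alternatives is already required by a single-license crate.
resolve_license_tag() {
    awk '
    { gsub(/^[ \t]+|[ \t]+$/, "") }           # trim stray whitespace
    $0 == "" { next }                          # skip blank lines
    !/ or /  { required[$0] = 1; next }        # single license: always applies
             { choices[++n] = $0 }             # alternatives: decide in END
    END {
        for (i = 1; i <= n; i++) {
            m = split(choices[i], alt, " or ")
            covered = 0
            for (j = 1; j <= m; j++)
                if (alt[j] in required) covered = 1
            # Nothing already required matches: keep the open choice.
            if (!covered) required["(" choices[i] ")"] = 1
        }
        for (lic in required) print lic
    }' | LC_ALL=C sort | awk '
    NR > 1 { printf " and " }
           { printf "%s", $0 }
    END    { print "" }'
}

below_license_list | resolve_license_tag
```

In a mock shell the same function can be fed directly from the rpm loop shown earlier instead of the embedded list.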

Comment 1 Ben Cotton 2022-02-08 20:55:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

Comment 2 Fedora Update System 2022-02-19 22:13:21 UTC
FEDORA-2022-41a18e2c88 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-41a18e2c88

Comment 3 Fedora Update System 2022-02-19 22:14:32 UTC
FEDORA-2022-ed6f555530 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-ed6f555530

Comment 4 Fedora Update System 2022-02-19 22:15:29 UTC
FEDORA-2022-1439a6a0a6 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-1439a6a0a6

Comment 5 Fedora Update System 2022-02-19 22:16:28 UTC
FEDORA-2022-a3bb370a46 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-a3bb370a46

Comment 6 Fedora Update System 2022-02-19 22:17:39 UTC
FEDORA-2022-1439a6a0a6 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 7 Fedora Update System 2022-02-19 22:18:31 UTC
FEDORA-2022-a3bb370a46 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2022-02-20 01:31:00 UTC
FEDORA-2022-ed6f555530 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-ed6f555530`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ed6f555530

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-02-20 01:48:37 UTC
FEDORA-2022-41a18e2c88 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-41a18e2c88`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-41a18e2c88

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-02-22 00:26:10 UTC
FEDORA-2022-41a18e2c88 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2022-02-22 01:17:44 UTC
FEDORA-2022-ed6f555530 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.