Bug 2226961

Summary: "Unapproved license" reported by rpminspect
Product: [Fedora] Fedora Reporter: Václav Kadlčík <vkadlcik>
Component: annobinAssignee: Nick Clifton <nickc>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: fweimer, jakub, nickc, sipoyare, yahmad
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-03 09:24:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Václav Kadlčík 2023-07-27 07:15:36 UTC 
Latest rpminspect reports in Fedora CI complain about the license:

license:
--------
1) Unapproved license in annobin-12.22-1.fc39.src: GPL-2.0-or-later WITH GCC-exception-2.0 

Result: BAD
Waiver Authorization: Not Waivable

Suggested Remedy: The specified license abbreviation is not listed as approved in the license database.  The license database is specified in the rpminspect
configuration file.  Check this file and send a pull request to the appropriate upstream project to update the database.  If the license is listed in the
database but marked unapproved, you may need to work with the legal team regarding options for this software.

... and so on and so forth for every RPM


Can be seen in CI:
https://artifacts.dev.testing-farm.io/bb75dbf2-816b-473c-84fe-d3715188cd1c/work-rpminspectl3etnk_p/rpminspect/execute/data/guest/default-0/rpminspect-1/data/viewer.html#


It's not a blocking issue but would be nice to have it fixed.

Reproducible: Always

Steps to Reproduce:
1. wget https://raw.githubusercontent.com/rpminspect/rpminspect-data-fedora/main/fedora.yaml
2. rpminspect -c fedora.yaml -T license annobin-12.22-1.fc39
Comment 1 Florian Weimer 2023-07-27 16:37:44 UTC 
Nick, where does GPL-2.0-or-later WITH GCC-exception-2.0 come from? Is it because you are statically linking against GCC parts? Shouldn't it be GPL-3.0-or-later WITH GCC-exception-3.1 then?
Comment 2 Nick Clifton 2023-07-28 10:14:39 UTC 
(In reply to Florian Weimer from comment #1)
> Nick, where does GPL-2.0-or-later WITH GCC-exception-2.0 come from?

The demangling code in libiberty.  Specifically: cp-demangle.c, 
cp-demangle.h, cplus-dem.d, d-demangle.c, demangle.h.

Note - as of annobin 12.18, I have removed the dependency of linking
annocheck with the libiberty.a library from the binutils-devel package,
and instead brought a copy of the necessary sources into the annobin
repository.

> Is it
> because you are statically linking against GCC parts? Shouldn't it be
> GPL-3.0-or-later WITH GCC-exception-3.1 then?

As far as I can tell these files are all GPL v2 + exception, even on the
upstream gcc master branch.

>> The license database is specified in the rpminspect configuration file

Do you know where I can find this configuration file ?  I looked in the 
rpminspect and rpminspect-data-fedora packages, but could not find it.
Comment 3 Florian Weimer 2023-07-28 10:19:54 UTC 
(In reply to Nick Clifton from comment #2)
> (In reply to Florian Weimer from comment #1)
> > Nick, where does GPL-2.0-or-later WITH GCC-exception-2.0 come from?
> 
> The demangling code in libiberty.  Specifically: cp-demangle.c, 
> cp-demangle.h, cplus-dem.d, d-demangle.c, demangle.h.

Ohh.

> >> The license database is specified in the rpminspect configuration file
> 
> Do you know where I can find this configuration file ?  I looked in the 
> rpminspect and rpminspect-data-fedora packages, but could not find it.

Do you mean the license data file? It's in fedora-license-data.
Comment 4 Nick Clifton 2023-07-31 12:42:28 UTC 
(In reply to Florian Weimer from comment #3)

> Do you mean the license data file? It's in fedora-license-data.

Ah, thanks.  A quick scan of the license database in that package shows that "GPL-2.0-only WITH GCC-exception-2.0" is allowed, but that "GPL-2.0-or-later WITH GCC-exception-2.0" is undocumented.  I have submitted a License Review request for the extended version:

  https://gitlab.com/fedora/legal/fedora-license-data/-/issues/271
Comment 5 Nick Clifton 2023-08-03 09:24:46 UTC 
The license has been approved, so I am going to close this BZ.