Bug 233775

I'd be happy to review this package. Look for a full review in a bit. 

OK - Package meets naming and packaging guidelines
OK - Spec file matches base package name.
OK - Spec has consistant macro usage.
OK - Meets Packaging Guidelines.
See below - License(GPL)
See below - License field in spec matches
See below - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
45a66691aa3b22996862e3e5bac4289c  haproxy-1.2.17.tar.gz
45a66691aa3b22996862e3e5bac4289c  haproxy-1.2.17.tar.gz.1
OK - BuildRequires correct
OK - Package has %defattr and permissions on files is good.
OK - Package has a correct %clean section.
OK - Package has correct buildroot
OK - Package is code or permissible content.
OK - Packages %doc files don't affect runtime.
OK - Package has rm -rf RPM_BUILD_ROOT at top of %install

OK - Package compiles and builds on at least one arch.
OK - Package has no duplicate files in %files.
OK - Package doesn't own any directories other packages own.
OK - Package owns all the directories it creates.
See below - No rpmlint output.
OK - final provides and requires are sane.

SHOULD Items:

OK - Should build in mock.
OK - Should build on all supported archs
OK - Should have dist tag
OK - Should package latest version

Issues:

1. You might ask upstream to include a copy of the GPL and the other odd license?
Not a blocker.

2. What parts of the code are under the odd MIT-like O'Reilly license?
It might be good to list them. Also, I can't find mention of this license in the
code
anywhere. Where is it stated?

3. rpmlint says:
E: haproxy non-standard-uid /var/lib/haproxy haproxy
E: haproxy non-standard-gid /var/lib/haproxy haproxy

These can be ignored.
Not a blocker.

(In reply to comment #2)
> Issues:
> 
> 1. You might ask upstream to include a copy of the GPL and the other odd license?
> Not a blocker.

I'll send upstream a note and see if he'll put a COPYING or the like in the
source distribution.  Along with a manifest of which files are under which
license.  The source code files which are GPL say so in the boiler plate at the
top of the .c files.
 
> 2. What parts of the code are under the odd MIT-like O'Reilly license?
> It might be good to list them. Also, I can't find mention of this license in the
> code
> anywhere. Where is it stated?

The .c files that are under the MIT-like license from O'Reilly say in the header
at the top of the file that they are copied from Mastering Algorithms in C by
Kyle Loudon.  It gives the ISBN number and a link to the book's page on
O'Reilly.  I wondered about what license these files were under so I downloaded
the original examples .tgz from O'Reilly where these files came from and read
the license in there. 

So no, the license is not specifically mentioned in haproxy itslf, but the
source code that is from the Loudon Book is duely noted.

All in all, each .c file in haproxy says where it came from, who wrote it, and
if its under GPL it states that.

1. ok. Sounds good. 
2. ok. I looked, but didn't see those headers for some reason. ;( 
I found them now... makes sense to me. 

One thing that bothers me about that license... the part that says: 

" This code
#   is under copyright and cannot be included in any other book,
#   publication, or  educational product  without  permission  from
#   O'Reilly & Associates."

Is Fedora a "educational product" ? Could it be considered such?

FYI, the entire thing reads: 

The source code on this disk can be freely used, adapted, and redistributed in
source or  binary form, so long as an acknowledgment appears in derived source
files. The citation should list that the code comes from the  book  "Mastering
Algorithms with C"  by Kyle Loudon,  published by O'Reilly & Associates.  This
code is under copyright and cannot be included in any other book, publication,
or  educational product  without  permission  from  O'Reilly & Associates.  No
warranty is attached; we cannot take responsibility for errors or  fitness for
use.

Asking the FSF for an opinion on that "unique license".

Any word back from FSF ?  Is their response required for approval?

Yes, they said the license as is is non-free. This is a blocker, however, I've
not stopped this, as the FSF is trying to negotiate with O'Reilly to see if
they're willing to change the license.

I am however, blocking this against FE-Legal, until I hear back again from the
FSF/O'Reilly.

(In reply to comment #8)
> I am however, blocking this against FE-Legal, until I hear back again from the
> FSF/O'Reilly.

Just checking in to see if FSF/O'Reilly has gotten back to anyone.  Thanks.

Nothing yet. I'll poke the FSF again.

Any further news? Hopefully they can work something out... 

Any updates from the FSF?

Not yet. They're rather busy with GPLv3 fallout at the time, but I'll poke them
again.

I've spoken with Willy (the author of haproxy) a few times recently, he has a
patch to replace all the O'Reilly code and with appropriately licensed code. He
is now testing it.  When that release comes out, I'll package up that vesion and
then the licensing issue will be moot.

O'Reilly responded to the FSF and claimed to be in the process of changing the
license on that code to a "BSD-ish" license, but so far, this has not occurred.

Even though it may be moot, I figured I would pass it along. I've sent another
email to O'Reilly asking them to actually make this licensing change.

http://examples.oreilly.com/masteralgoc/

A new tarball has been uploaded there, and the source code is now under the MIT
license. HAproxy should be able to pick this code up and resolve the licensing
pain (if they want to).

That is great news.  I've forwarded the info to Willy upstream.

New package and spec.  I've switched to the 1.3.12 branch which is the new stable upstream branch 
instead of 1.2.17.  There are some new files and a patch from upstream against 1.3.12.1 to clear up the 
licensing issue now that O'Reilly has changed to MIT license for its code.

SPEC url: http://jjh.fedorapeople.org/haproxy/haproxy.spec
SRPM url: http://jjh.fedorapeople.org/haproxy/haproxy-1.3.12.1-1.fc7.src.rpm

It probably needs a full review again since this is a whole new branch of code.  

OK - Spec file matches base package name.
OK - Spec has consistant macro usage.
OK - Meets Packaging Guidelines.
See below - License (GPLv2+)
See below - License field in spec matches
OK - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
032f976cf82e1ba48702e25545155147  haproxy-1.3.12.1.tar.gz
032f976cf82e1ba48702e25545155147  haproxy-1.3.12.1.tar.gz.1
OK - BuildRequires correct
OK - Package has %defattr and permissions on files is good.
OK - Package has a correct %clean section.
OK - Package has correct buildroot
OK - Package is code or permissible content.
OK - Packages %doc files don't affect runtime.
OK - Package has rm -rf RPM_BUILD_ROOT at top of %install

OK - Package compiles and builds on at least one arch.
OK - Package has no duplicate files in %files.
OK - Package doesn't own any directories other packages own.
OK - Package owns all the directories it creates.
See below - No rpmlint output.
OK - final provides and requires are sane.

SHOULD Items:

OK - Should build in mock.
OK - Should build on all supported archs
OK - Should have sane scriptlets.
OK - Should have dist tag
OK - Should package latest version

Issues:

1. I think the License tag here should be "GPLv2+ and LGPLv2+ and MIT".
The bulk of the program is under the GPLv2+, but those pesky example bits are
now MIT. Also, many of the header files are LGPLv2+.
It's all nice and confusing. I might try and get spot to look it over. ;)

Also, I am not sure it's permissable to change license's via a patch.
You may need to wait until upstream does a new release with the new
license text in place.

2. rpmlint says (as before):
haproxy.i386: E: non-standard-uid /var/lib/haproxy haproxy
haproxy.i386: E: non-standard-gid /var/lib/haproxy haproxy
Can be ignored.

Everything else looks good, hopefully we can get this approved soon.

Spot: can you take a look at the current license situation?

I would really rather that we didn't change the license with a patch. Please try
to get upstream to make a new tarball, even if it is just for Fedora.

As to the License: tag, use "GPLv2+ and MIT". The examples are standalone MIT,
the code is GPLv2+. The headers are LGPLv2 (not LGPLv2+), but since we don't
package up the headers, we don't need to reference them in the License tag.

Just to clear up any confusion, the patch I applied was sent to me from Willy 
upstream.  I'll also check and see if he'll create a new tarball.  The License
tag I've updated.  I'll create a new srpm when I hear back from Willy about a
new tarball.

Upstream release a new version with the licensing patch applied and a few bug fixes too.

SRPM: http://jjh.fedorapeople.org/haproxy/haproxy-1.3.12.2-1.fc7.src.rpm
SPEC: http://jjh.fedorapeople.org/haproxy/haproxy.spec

The License tag is still just GPLv2+... can you update it to "GPLv2+ and MIT" ?
(You can do that before you check it in)

Otherwise everything looks good in this last version, so this package is APPROVED. 

license tag is updated

New Package CVS Request
=======================
Package Name: haproxy
Short Description: TCP/HTTP reverse proxy for high availability environments
Owners: jjh
Branches: FC-6 F-7 EL-4 EL-5
InitialCC: 
Cvsextras Commits:

Since the license issues are all cleared up, can someone remove the FE-Legal blocker?

Lifting FE-Legal. Have fun!

cvs done.