`lib.licenses.gpl3` & co. are now deprecated

The lib.licenses.gpl3 attribute refers to GPL 3.0 only. Unfortunately, this is not clear from the attribute name, so people will often use it without realizing lib.licenses.gpl3Plus might be more precise. It does not help that GitHub displays the license discovered in the attached ?GPL copy even when projects often include extra terms that allow the user to choose later versions of the GPL.

What happened

To reduce the confusion, the pull request "licenses: Make single-version-only GPL explicit" (jtojnar, Pull Request #92348, NixOS/nixpkgs) deprecated the following license attributes:

  • agpl3 in favour of agpl3Only
  • fdl11 in favour of fdl11Only
  • fdl12 in favour of fdl12Only
  • fdl13 in favour of fdl13Only
  • gpl1 in favour of gpl1Only
  • gpl2 in favour of gpl2Only
  • gpl3 in favour of gpl3Only
  • lgpl2 in favour of lgpl2Only
  • lgpl21 in favour of lgpl21Only
  • lgpl3 in favour of lgpl3Only

This change is in line with the GNU recommendations.

What should you do

We ask that new package expressions do not use the deprecated lib.licenses.?gpl? attributes in meta.license. Instead they should use either lib.licenses.?gpl?Plus or lib.licenses.?gpl?Only attributes.

We also ask authors of pull requests changing expressions that use lib.licenses.?gpl? to determine if the project allows choosing later versions of the license and change the meta.license appropriately.

Finally, we ask reviewers to double check these changes and point pull request authors to this announcement if they did not read it.

How to determine license

Projects might mention license terms in the README file or on their homepage.

If that is not the case, check a few source files. They might contain a blurb similar to the following in the comment at the top of a file:

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

You can also try to grep (or search on GitHub) the repository for license.

Do not rely on the contents of the COPYING file or the license shown by the GitHub/GitLab interface (which is determined from the COPYING file) – the file only contains the text of the GNU ?GPL itself, as mandated by the license. The extra terms allowing the use of later versions of the license would be stored in the source code/documentation.

If no statement about license terms is found, you should ask the project maintainers to clarify.

11 Likes
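The checks described in "How to determine license", as an added example that is not part of the original post and not nixpkgs tooling: a first-pass shell heuristic that reads license notices from source files and the README while skipping COPYING/LICENSE. The function names `classify_notice`, `scan_tree` and `demo` are hypothetical, the `SPDX-License-Identifier` matching goes beyond what the post describes, and the `grep` options assume GNU or BSD grep.

```shell
#!/bin/sh
# Added example, not nixpkgs tooling: suggest the Plus or Only attribute suffix.

# classify_notice: read one file on stdin; print Plus, Only or unknown.
classify_notice() {
    # Notices wrap across comment lines: turn comment markers and newlines
    # into single spaces and lowercase the text before matching.
    text=$(tr -s '\n\t*#/ ' ' ' | tr '[:upper:]' '[:lower:]')
    case $text in
        *"general public license"*"any later version"*)          echo Plus ;;
        *spdx-license-identifier:*gpl-[0-9].[0-9]-or-later*)     echo Plus ;;
        *spdx-license-identifier:*gpl-[0-9].[0-9]-only*)         echo Only ;;
        *"general public license"*"version "[0-9]*)              echo Only ;;
        *)                                                       echo unknown ;;
    esac
}

# scan_tree DIR: one verdict for the tree. COPYING/LICENSE are skipped because
# they hold only the license text, which itself says "any later version".
scan_tree() {
    verdicts=$(grep -rIil --exclude='COPYING*' --exclude='LICENSE*' \
            -e 'general public license' -e 'spdx-license-identifier' "$1" |
        while IFS= read -r f; do classify_notice < "$f"; done |
        sort -u | grep -v unknown || true)
    case $verdicts in
        Plus|Only) echo "$verdicts" ;;
        "")        echo unknown ;;   # no statement found: ask the maintainers
        *)         echo mixed ;;     # files disagree: needs a manual look
    esac
}

# Constructed sample tree: COPYING has only license text, main.c the notice.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'GNU GENERAL PUBLIC LICENSE' 'Version 3, 29 June 2007' > "$d/COPYING"
    printf '%s\n' '/* This program is free software: you can redistribute it' \
        ' * under the terms of the GNU General Public License as published by' \
        ' * the Free Software Foundation, either version 3 of the License, or' \
        ' * (at your option) any later version. */' > "$d/main.c"
    scan_tree "$d"
    rm -rf "$d"
}
demo
```

A `mixed` or `unknown` verdict is the case where the post's last step applies: read the files by hand or ask the project maintainers.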

Perhaps of interest, repology lists the licenses as specified by different package repos:

For instance:
curl -s https://repology.org/api/v1/project/bash | jq '.[] | select(.repo == "fedora_rawhide", .repo == "nix_unstable") | { repo, licenses }'

This is just from the top of my head 🙂 It should be possible to query for packages where the license in nix_unstable is a gpl derivation, and differs from that in fedora or gentoo (sadly, Debian doesn’t provide a license field).

1 Like

Thanks for the license improvements @jtojnar. It’d be great if we could get an OfBorg PR check that flags the build if the license is deprecated.

2 Likes

I tried out whether we can add the check to checkMeta, which is run by ofborg in the eval check:

It works in principle, but the error message is quite bad, and I see no way to add a hint at what goes wrong, without adding e.g. a “tip” feature to types.nix that would display a list of messages after the type error.

$ nix-instantiate -E 'with import ./. { config = { checkMeta = true; checkMetaRecursively = true; }; }; gonic'
error: Package ‘gonic-0.11.0-0.11.0’ in /home/philip/nixpkgs/pkgs/servers/gonic/default.nix:55 has an invalid meta attrset:
- key ‘license’ has a value { "deprecated" = true; "fullName" = "GNU General Public License v3.0 only"; "shortName" = "gpl3Only"; "spdxId" = "GPL-3.0-only"; "url" = "GNU General Public License v3.0 only | Software Package Data Exchange (SPDX)"; } of an invalid type set; expected list of non-deprecated licenses or non-deprecated license or string, refusing to evaluate.

(use '--show-trace' to show detailed location information)

1 Like