Here follow the records of my deeds regarding the switch to the SPDX:
\# Clone the correct package
fedpkg clone mariadb10.11
\# Expand the sources and apply the SPECfile %prep section (in which e.g. unused bundled code is removed)
fedpkg prep
Now I used the 'askalono' tool on top of the resulting directory
\# I began by analyzing only the errors
askalono crawl mariadb-10.11.8/ 1>/dev/null
=========== =========== ===========
=========== =========== ===========
| mariadb-10.11.8/storage/rocksdb/rocksdb/java/jmh/LICENSE-HEADER.txt
| Error: Confidence threshold not high enough for any known license
The text says the code is licensed under both 'GPL-2.0-only' and 'Apache-2.0'
and points to the specific files in the directory tree with the full text of these licenses.
There is also file:
| mariadb-10.11.8/storage/rocksdb/rocksdb/README.md
which says:
"RocksDB is dual-licensed under both the GPLv2 (found in the COPYING file in the root directory) and Apache 2.0 License (found in the LICENSE.Apache file in the root directory).
You may select, at your option, one of the above-listed licenses."
So the correct SPDX identifier should be: '( GPL-2.0-only OR Apache-2.0 )'
There are about 1200 files licensed this way, as can bee seen with this command:
grep -i apache -r mariadb-10.11.8
All of them are from RocksDB SE, but 3:
mariadb-10.11.8/mysys/crc32/crc32c.cc:// COPYING file in the root directory) and Apache 2.0 License
mariadb-10.11.8/mysys/crc32/crc32c.cc:// (found in the LICENSE.Apache file in the root directory).
mariadb-10.11.8/mysys/crc32/crc_ppc64.h: * b) the Apache License, Version 2.0
mariadb-10.11.8/mysys/crc32/crc32c_ppc.h:// COPYING file in the root directory) and Apache 2.0 License
mariadb-10.11.8/mysys/crc32/crc32c_ppc.h:// (found in the LICENSE.Apache file in the root directory).
All of the files says:
// This source code is licensed under both the GPLv2 (found in the
// COPYING file in the root directory) and Apache 2.0 License
// (found in the LICENSE.Apache file in the root directory).
But the "mariadb-10.11.8/mysys/crc32/crc_ppc64.h"
* This program is free software; you can redistribute it and/or
* modify it under the terms of either:
*
* a) the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option)
* any later version, or
* b) the Apache License, Version 2.0
So the SPDX identified for this one particular file is '( GPL-2.0-or-later OR Apache-2.0 )'
Making the final SPDX identifier regarding the Apache licenses as follows: '( GPL-2.0-only OR Apache-2.0 ) AND ( GPL-2.0-or-later OR Apache-2.0 )'
=========== =========== ===========
=========== =========== ===========
\# Then I by analyzed everything but errors:
askalono crawl mariadb-10.11.8/ 2>/dev/null
| mariadb-10.11.8/vio/docs/COPYING.openssl
| License: OpenSSL (original text)
| Score: 0.913
Correct.
Note: the 'OpenSSL' license is actually a combination of 'OpenSSL-standalone' and 'SSLeay-standalone'
so the shorter texts would match to, but in this case, this is a full 'OpenSSL' license:
https://spdx.org/licenses/OpenSSL.html
=========== =========== ===========
=========== =========== ===========
GPL & LGPL
There is a difference between "GPL-2.0-only" and "GPL-2.0-or-later"
https://spdx.org/licenses/GPL-2.0-only.htmlhttps://spdx.org/licenses/GPL-2.0-or-later.html
I understood that the license text is identical (I've ran 'diff' on top of them to verify)
and the difference is decided by the license header present in the files containing the code itself.
This "*-only" and "*-or-later" differenciation simmilar in other versions of GPL and LGLP
Now meet this little cute monstrosity:
\# This command is supposed to:
\# - find all occurrences of the string "Public License"
\# - prefixed by "GNU", "Lesser", "Library", "General", each word is optional (to match both GPL and LGPL and all variants of how people write them)
\# - while every word can have any number of any white characters - including newlines - between them (to match text wrapped between lines)
\# - all of that followed by string "version" (to only match text mentioning the specific version)
\# - with any characters between the first part and the "version" string
\# - followed by a digit (to exclude any result not talking about a concrete version specifically, e.g. text around string "from time to time" in the GPL licenses)
\# - match 3 more characters (so we catch the whole version number)
\# - but the "version" string and number must occur no later than any dot "." or double newline (to only match text inside the license texts or license headers, but not code)
\# Once found,
\# - and match everything until dot or double newline (for further parsing of the strings "or later" etc)
\# - replace any newline with space (" "), so the whole above match (as well s everything else) is put on a single line
\# - replace string "mariadb-10.11.8/" with "NEWLINEmariadb-10.11.8/", so each result is on a separate line
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g'
This command gives 3685 results (I'll be measuring the number of results with | wc -l through this whole text),
and I hope it matches all possible variants of GPL and LGPL.
We are going to further parse it to divide the results for the separate licenses.
=========== =========== ===========
=========== =========== ===========
The 'askalono crawl' tool found number of occurrences of GPL and LGPL licenses, but it does not differentiate between "*-only" and "*-or-later" variants.
| mariadb-10.11.8/wsrep-lib/COPYING
| License: GPL-3.0-only (license header)
| Score: 0.825
This file actually talks about GPLv2, not v3.
| mariadb-10.11.8/wsrep-lib/LICENSE
| License: GPL-2.0-only (original text)
| Score: 0.988
| mariadb-10.11.8/scripts/sys_schema/COPYING
| License: GPL-2.0-only (original text)
| Score: 0.988
| mariadb-10.11.8/scripts/sys_schema/LICENSE
| License: GPL-2.0-only (license header)
| Score: 0.957
| mariadb-10.11.8/plugin/server_audit/COPYING
| License: GPL-2.0-only (original text)
| Score: 0.986
| mariadb-10.11.8/plugin/test_sql_service/COPYING
| License: GPL-2.0-only (original text)
| Score: 0.986
| mariadb-10.11.8/extra/readline/COPYING
| License: GPL-2.0-only (original text)
| Score: 0.984
| mariadb-10.11.8/storage/rocksdb/rocksdb/COPYING
| License: GPL-2.0-only (original text)
| Score: 0.988
| mariadb-10.11.8/COPYING
| License: GPL-2.0-only (original text)
| Score: 0.986
These are all GPLv2.
| mariadb-10.11.8/libmariadb/COPYING.LIB
| License: LGPL-2.1-only (original text)
| Score: 0.998
| mariadb-10.11.8/storage/mroonga/vendor/groonga/vendor/plugins/groonga-normalizer-mysql/doc/text/lgpl-2.0.txt
| License: LGPL-2.0-only (original text)
| Score: 0.996
| mariadb-10.11.8/storage/mroonga/vendor/groonga/COPYING
| License: LGPL-2.1-only (original text)
| Score: 0.997
| mariadb-10.11.8/storage/mroonga/COPYING
| License: LGPL-2.1-only (original text)
| Score: 0.997
| mariadb-10.11.8/storage/maria/libmarias3/docs/introduction/license.rst
| License: LGPL-2.1-only (original text)
| Score: 0.980
| mariadb-10.11.8/storage/maria/libmarias3/LICENSE
| License: LGPL-2.1-only (original text)
| Score: 0.998
=========== =========== ===========
=========== =========== ===========
However to make sure which licenses appears in the source code tree, we have to GREP each variant:
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 3"
retuns 16 results, from which:
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 3" | grep -i --binary-files=text -e " lesser" -e " library"
0 is LGPL
and
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 3" | grep -v -i --binary-files=text -e " lesser" -e " library"
16 is GPL
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 3" | grep -i --binary-files=text -e "later" -e " or"
16 results "GPL-3.0-or-later"
and
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 3" | grep -v -i --binary-files=text -e "later" -e " or"
0 results "GPL-3.0-only"
=========== =========== ===========
=========== =========== ===========
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2"
retuns 3669 results, from which:
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library"
577 is LGPL
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library"
3092 is GPL
=========== =========== ===========
=========== =========== ===========
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text -e "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.0"
120 is LGPL 2.0
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.0" | grep -i --binary-files=text -e "later" -e " or "
77 is "LGPL-2.0-or-later"
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.0" | grep -v -i --binary-files=text -e "later" -e " or "
43 is "LGPL-2.0-only"
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[^0]"
457 is LGPL 2.1
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[^0]" | grep -i --binary-files=text -e "later" -e " or "
132 is "LGPL-2.1-or-later"
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[^0]" | grep -v -i --binary-files=text -e "later" -e " or "
325 is "LGPL-2.1-only"
=========== =========== ===========
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.[0\s]" -e "version 2.\s"
3091 is GPL 2.0
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.[0\s]" -e "version 2.\s" | grep -i --binary-files=text -e "later" -e " or "
229 is "GPL-2.0-or-later"
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2[ ,;\<]" -e "version 2.[0\s]" -e "version 2.\s" | grep -v -i --binary-files=text -e "later" -e " or "
2862 is "GPL-2.0-only"
grep -Pzoi '(?s)((GNU\s*)?(Lesser\s*)?(Library\s*)?(General\s*)?Public\s*License)(?:(?!\.\n|\n\n).)*?version\s*\d[\s\S]{0,3}(?:(?!\.\n|\n\n).)*' -r mariadb-10.11.8/ \
| sed ':a;N;$!ba;s/\n/ /g' | sed 's|mariadb-10.11.8/|\nmariadb-10.11.8/|g' \
| grep -i --binary-files=text "version 2" | grep -v -i --binary-files=text -e " lesser" -e " library" | grep -i --binary-files=text -e "version 2\.[123456789]"
1 GPL 2.1
weird ... GPL 2.1 doesn't exists, only LGPL 2.1 does
and by examining the file, it's a false positive, as the writer switched the words in way unexpected to me: "Lesser GNU General Public License, Version 2.1"
=========== =========== ===========
=========== =========== ===========
| mariadb-10.11.8/plugin/handler_socket/libhsclient/COPYRIGHT.txt
| License: BSD-3-Clause-HP (original text)
| Score: 0.919
| mariadb-10.11.8/plugin/handler_socket/perl-Net-HandlerSocket/COPYRIGHT.txt
| License: BSD-3-Clause-HP (original text)
| Score: 0.919
| mariadb-10.11.8/plugin/handler_socket/handlersocket/COPYRIGHT.txt
| License: BSD-3-Clause-HP (original text)
| Score: 0.919
| mariadb-10.11.8/libmariadb/cmake/COPYING-CMAKE-SCRIPTS
| License: BSD-3-Clause-HP (original text)
| Score: 0.937
| mariadb-10.11.8/storage/innobase/COPYING.Google
| License: BSD-3-Clause (original text)
| Score: 0.917
| mariadb-10.11.8/storage/innobase/COPYING.Percona
| License: BSD-3-Clause (original text)
| Score: 0.917
| mariadb-10.11.8/storage/rocksdb/rocksdb/LICENSE.leveldb
| License: BSD-3-Clause (original text)
| Score: 0.953
BSD-3-Clause-HP:
https://spdx.org/licenses/BSD-3-Clause-HP.html
This license is almost identical to BSD-3-Clause, but adds "patent infringement" to the disclaimer.
However after manual review, none of the licenses listed above contains the word "patent" (case insensitive)
and all seems to be just the basic "BSD-3-Clause"
=========== =========== ===========
=========== =========== ===========
| mariadb-10.11.8/storage/rocksdb/rocksdb/LICENSE.Apache
| License: Apache-2.0 (original text)
| Score: 1.000
OK
=========== =========== ===========
=========== =========== ===========
| mariadb-10.11.8/storage/rocksdb/rocksdb/docs/LICENSE-DOCUMENTATION
| License: CC-BY-4.0 (original text)
| Score: 0.995
OK
=========== =========== ===========
=========== =========== ===========
Furthermore, there are several occurrences of the BISON exception.
Please note that the SPDX upstream does not have a specific indentifier for it,
so we are using identifiers defined by Fedora project:
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
grep -i -e "of Bison" -r mariadb-10.11.9
All occurences are tied to GPL-3.0-or-later, so the correct resulting identifier is:
( GPL-3.0-or-later WITH Bison-exception-2.2 )
=========== =========== ===========
=========== =========== ===========
At this moment I finished going through results of 'askalono' tool.
Now I used
grep -i -e "licens" -r mariadb-10.11.8/
which yields roughly 24000 results, and go through them manually.
After first go-through, I've refined the search a bit, ignoring common occurences:
grep -i licens -r mariadb-10.11.8/ | \
grep -v \
-e "// This source code is licensed under both the GPLv2 (found in the" \
-e "// COPYING file in the root directory) and Apache 2.0 License" \
-e "// (found in the LICENSE.Apache file in the root directory)." \
-e "// Use of this source code is governed by a BSD-style license that can be" \
-e "// found in the LICENSE file. See the AUTHORS file for names of contributors." \
-e "it under the terms of the GNU General Public License as published by" \
-e "the Free Software Foundation; version 2 of the License." \
-e "GNU General Public License for more details." \
-e "You should have received a copy of the GNU General Public License" \
-e "it under the terms of the GNU General Public License, version 2.0," \
-e "but not limited to OpenSSL) that is licensed under separate terms," \
-e "as designated in a particular file or component or in included license" \
-e "separately licensed software that they have included with MySQL." \
-e "GNU General Public License, version 2.0, for more details." \
-e "License as published by the Free Software Foundation; either" \
-e "version 2.1 of the License, or (at your option) any later version." \
-e "Lesser General Public License for more details." \
-e "License along with this library; if not, write to the Free Software" \
-e "License version 2.1 as published by the Free Software Foundation." \
-e "the terms of the GNU General Public License as published by the Free Software" \
-e "License along with this library; if not, write to the Free" \
-e "version 2 of the License, or (at your option) any later version." \
-e "Library General Public License for more details." \
-e "License along with this library; if not see <http://www.gnu.org/licenses>" \
| grep -i licens
squeezing the results to roughly 3400 lines, for the second go through.
Even then, it is tremendously attention demanding, and likely place for oversights.
I've managed to discover the following:
=========== =========== ===========
=========== =========== ===========
grep -i -e "under the GPL 1, 2 or 3 license" -r mariadb-10.11.8/
Files:
mariadb-10.11.8/extra/mariabackup/quicklz/quicklz.c
mariadb-10.11.8/extra/mariabackup/quicklz/quicklz.h
states:
"QuickLZ can be used for free under the GPL 1, 2 or 3 license"
which makes it " ( GPL-1.0-only OR GPL-2.0-only GPL-3.0-only ) ", since the word "later" is not used.
=========== =========== ===========
=========== =========== ===========
grep -i -e "BSD 2-Clause" -r mariadb-10.11.8/
Files:
mariadb-10.11.8/storage/rocksdb/rocksdb/util/xxhash.cc
mariadb-10.11.8/storage/rocksdb/rocksdb/util/xxhash.h
mariadb-10.11.8/storage/rocksdb/rocksdb/util/xxh3p.h
has the BSD 2-Clause License, which SPDX identifier is 'BSD-2-Clause'
=========== =========== ===========
=========== =========== ===========
grep -w -e "MIT" -r mariadb-10.11.8/
File:
mariadb-10.11.8/libmariadb/external/zlib/ucm.cmake
is licesned under MIT, which SPDX identifier is also 'MIT'.
Also text in:
mariadb-10.11.8/storage/mroonga/vendor/groonga/README.md
specifically:
"* License: The MIT license. See vendor/mruby-source/MITL for details."
*SUGGESTS* that all files under
mariadb-10.11.8/storage/mroonga/vendor/groonga/vendor/mruby/*
are also licensed under MIT,
however the directory is actually named "vendor/mruby", not "vendor/mruby-source", and the "MITL" file is missing,
and the single file
mariadb-10.11.8/storage/mroonga/vendor/groonga/vendor/mruby/CMakeLists.txt
is licensed undel LGPL 2.1,
so it would be best to ask MariaDB upstream to clarify the license.
Moreover file:
mariadb-10.11.8/storage/maria/libmarias3/docs/_themes/sphinx_rtd_theme/static/css/theme.css
states:
"* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)"
which makes it 'OFL-1.1 AND MIT'
without parenthesis, as they are licenses of two distinct files.
Files:
mariadb-10.11.8/storage/rocksdb/rocksdb/util/murmurhash.cc
mariadb-10.11.8/storage/rocksdb/rocksdb/util/murmurhash.h
states, after the license header of '( GPL-2.0-only OR Apache-2.0 )':
"All code is released to the public domain. For business purposes, Murmurhash is under the MIT license."
The original website no longer exists, and "public domain" is too vague for SPDX.
However we should mark the 'MIT' license, since it's NOT up to us - package maintainer - to guess the effective license (whether the package user will use the code for business purposes or not).
=========== =========== ===========
=========== =========== ===========
grep -w -e "CC0" -r mariadb-10.11.8/
Files:
mariadb-10.11.8/unittest/mysys/crc32-t.c
mariadb-10.11.8/storage/rocksdb/rocksdb/util/timer_queue_test.cc
mariadb-10.11.8/storage/rocksdb/rocksdb/util/timer_queue.h
mariadb-10.11.8/mysql-test/suite/innodb/include/crc32.pl
mention the CC0 license, which makes it 'CC0-1.0'
=========== =========== ===========
=========== =========== ===========
grep -i -e "PHP license" -r mariadb-10.11.8/
Files:
mariadb-10.11.8/libmariadb/libmariadb/ma_stmt_codec.c
mariadb-10.11.8/libmariadb/libmariadb/ma_charset.c
mariadb-10.11.8/libmariadb/libmariadb/mariadb_stmt.c
mariadb-10.11.8/libmariadb/libmariadb/ma_password.c
mariadb-10.11.8/libmariadb/libmariadb/ma_loaddata.c
mention the PHP 3.0 and PHP 3.01 licenses, which makes it 'PHP-3.0 AND PHP-3.01'
=========== =========== ===========
=========== =========== ===========
grep -i -e "The authors of MySQL hereby grant" -r mariadb-10.11.8/
279 files from the command above states:
The authors of MySQL hereby grant you an additional
permission to link the program and your derivative works with the
separately licensed software that they have included with MySQL.
which I have no idea how to process.
=========== =========== ===========
=========== =========== ===========
File 'storage/archive/azlib.h'
is licensed under zlib license.
=========== =========== ===========
=========== =========== ===========
Files:
strings/dtoa.c
libmariadb/libmariadb/ma_dtoa.c
are licensed under 'dtoa' license:
https://spdx.org/licenses/dtoa.html
=========== =========== ===========
=========== =========== ===========
These files are licensed under FSFAP:
| grep -i -e "medium without royalty" -r .
https://spdx.org/licenses/FSFAP.html
=========== =========== ===========
=========== =========== ===========
File 'storage/mroonga/vendor/groonga/lib/grn_ecmascript.c'
is licensed under 'blessing' license:
https://spdx.org/licenses/blessing.html
=========== =========== ===========
=========== =========== ===========
File 'storage/connect/unzip.c'
is licensed under 'Info-ZIP' license:
https://spdx.org/licenses/Info-ZIP.html
=========== =========== ===========
=========== =========== ===========
File 'libmysqld/lib_sql.cc'
is licensed under 'Boehm-GC' license:
https://spdx.org/licenses/Boehm-GC.html
=========== =========== ===========
=========== =========== ===========
Files:
mariadb-10.11.8/mysys/psi_noop.c
mariadb-10.11.8/include/mysql/psi/psi_base.h
mariadb-10.11.8/include/mysql/psi/psi_memory.h
States:
Without limiting anything contained in the foregoing, this file,
which is part of C Driver for MySQL (Connector/C), is also subject to the
Universal FOSS Exception, version 1.0, a copy of which can be found at
http://oss.oracle.com/licenses/universal-foss-exception.
which is IMO something that needs to be added to SPDX database.
=========== =========== ===========
=========== =========== ===========
Files like these:
mariadb-10.11.8/storage/maria/libmarias3/tests/include.am
mariadb-10.11.8/storage/maria/libmarias3/docs/_themes/sphinx_rtd_theme/search.html
states that they are licensed under BSD license, which text should be attached,
but the closest license file I found was GPL or LGPL.
Someone with better search-fu, or clarification from MariaDB upstream, would be welcomed.
There are other files under various types of BSD, GPL and LGPL licenses, so even if they would switch the license, we likely should have it already covered.
=========== =========== ===========
=========== =========== ===========
So the resulting "License:" field should be:
( GPL-2.0-only OR Apache-2.0 ) AND ( GPL-2.0-or-later OR Apache-2.0 ) AND BSD-2-Clause AND BSD-3-Clause AND CC-BY-4.0 AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ( GPL-3.0-or-later WITH Bison-exception-2.2 ) AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OpenSSL AND MIT AND OFL-1.1 AND CC0-1.0 AND PHP-3.0 AND PHP-3.01 AND zlib AND dtoa AND FSFAP AND blessing AND Info-ZIP AND Boehm-GC
=========== =========== ===========
=========== =========== ===========
I hope I caught all of the licenses.
If that's not the case, please contribute a fix or at least report a bug against this package so we can correct it.
A detailed examination of chaotic, and on many places (at least) seemingly outdated,
file "THIRDPARTY" might be good place to start review of my work.
UPDATE:
Results of thorough review from Ales Nezbeda <anezbeda@redhat.com> were incorporated into this commit.
The AWS plugin returns:
-- Can't build aws_key_management - AWS SDK not available (AWS SDK has Apache 2.0 License which is not compatible with GPLv2. Set -DNOT_FOR_DISTRIBUTION=ON if you need it)
I'm not sure what is meant by that, both are free licenses.
But even with 'BuildRequires: aws-devel' the build wasn't possible
Build should now work correctly for both variants:
%bcond_without galera
%bcond_with galera
wsrep and clustercheck bits are meant to only be packed fi galera sub-package is being built
Resolves: #2283500
--
Script used for checking the files inside "/usr/share/mariadb*"
| # Find directories that start with 'mariadb' under /usr/share/
| find /usr/share/ -type d -name 'mariadb*' | while read -r dir; do
| # For each directory found, recursively find all files and directories
| find "$dir" -print0 | while IFS= read -r -d '' file; do
| rpm -qf "$file" | grep -i -e "not owned"
| done
| done
Results:
| file /usr/share/mariadb-server is not owned by any package
| file /usr/share/mariadb-server/groonga is not owned by any package
| file /usr/share/mariadb-server/groonga-normalizer-mysql is not owned by any package
| file /usr/share/mariadb/mroonga is not owned by any package
Installation path macros are not allowed in file dependencies.
Starting with F40, these break flatpak builds entirely because
dnf5 only recognizes file deps in /etc, /usr/bin, and /usr/sbin,
not /app/etc. At this point, mariadb-connector-c-config is the
sole provider of my.cnf.
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_dependencies
These sub-packages (errmsg and common) are only required by the same build
of mariadb. When built with the automatic provides (that adds %{_isa} as well),
these noarch sub-packages cause koji to complain and build to fail with:
BuildError: The following noarch package built differently on different
architectures: mariadb-errmsg-10.11.6-2.fc40.noarch.rpm
rpmdiff output was:
removed PROVIDES mariadb-errmsg(x86-32) = 3:10.11.6-2.fc40
removed PROVIDES mariadb10.11-errmsg(x86-32) = 3:10.11.6-2.fc40
added PROVIDES mariadb-errmsg(x86-64) = 3:10.11.6-2.fc40
added PROVIDES mariadb10.11-errmsg(x86-64) = 3:10.11.6-2.fc40
Explanation for removed notes follow:
| * Enable creation of the log file by logrotate (needed since
| /var/log/ isn't writable by mysql user); and set the same 640
| permissions we normally use.
This is an ancient artefact.
It originates in this commit from 2012 in the 'mysql' package in Fedora:
https://src.fedoraproject.org/rpms/mysql/c/d3bdaa4a?branch=rawhide
That was at the time, when the DB log resided directly in '/var/log/', rather than '/var/log/some-dir-specific-for-the-DB/'.
Since that is no longer the case, the 'create 600 mysql mysql' directive is no longer necessary.
| * Comment out the actual rotation commands, so that user must edit
| the file to enable rotation. This is unfortunate, but the fact
| that the script will probably fail without manual configuration
| (to set a root password) means that we can't really have it turned
| on by default. Fortunately, in most configurations the log file
| is low-volume and so rotation is not critical functionality.
This is no longer true.
Since MariaDB 10.4, which introduced authentication via the UNIX socket,
the 'root' and 'mysql' users can authenticate without login and password.
So we can go back to using 'mysqladmin', or 'mariadb-admin' in this case, to flush logs
| See discussions at RH bugs 799735, 547007
| * Note they are from Fedora 15 / 16
I found no more useful information there. Only information already mentioned in other notes here.
| Update 3/2017
| * it would be big unexpected change for anyone upgrading, if we start shipping it now.
| Maybe it is good candidate for shipping with MariaDB 10.2 ?
Introduction of MariaDB 10.11 is the perfect time.
| * the 'mysqladmin flush logs' doesn´t guarantee, no entries are lost
| during flushing, the operation is not atomic.
| We should not ship it in that state
True, however, no one likely cares about that, in reality, since those logs don't hold any journal-like entries.
Explained here:
https://github.com/MariaDB/server/pull/1556#issuecomment-941886220
| Update 6/2018
| * the SIGHUP causes server to flush all logs. No password admin needed, the only constraint is
| beeing able to send the SIGHUP to the process and read the mysqld pid file, which root can.
| * Submited as PR: https://github.com/MariaDB/server/pull/807
It has been dicussed on the upstream thoroughly and was found far from ideal.
Now, that we can use 'mysqladmin', or 'mariadb-admin' in this case, safely again,
there's no argument to keep using the PID file for flushing logs.
| Update 02/2021
| * Enhance the script as proposed in:
| https://mariadb.com/kb/en/rotating-logs-on-unix-and-linux/
Enhanced again now. Significantly this time, however with a vision that the values will become an OS-independent defaults.
| * Discussion continues in:
| https://jira.mariadb.org/browse/MDEV-16621
Discussion finished.
Better start a new one, if needed.
Revert "Introduce the script for generating sources tarball without a code under a license which was not yet approved for Fedora or RHEL"
This reverts commit 7f8a0e15a6.
Note: MariaDB upstream removed TokuDB SE sources in 10.6.0