Bug 949963 - app-forensics/volatility3: wrong licence
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: mario.haustein
URL: https://volatilityfoundation.org/lice...
Keywords: PullRequest
Reported: 2025-02-19 12:31 UTC by Sam James
Modified: 2025-02-19 22:21 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-19 12:31:24 UTC
I was looking at https://pypi.org/project/volatility3/ and saw:
"""
In 2019, the Volatility Foundation released a complete rewrite of the framework, Volatility 3. The project was intended to address many of the technical and performance challenges associated with the original code base that became apparent over the previous 10 years. Another benefit of the rewrite is that Volatility 3 could be released under a custom license that was more aligned with the goals of the Volatility community, the Volatility Software License (VSL). See the LICENSE file for more details.
"""

Our ebuild for app-forensics/volatility3 currently declares LICENSE="GPL-2+".

I suppose we need to fix this?
Comment 1 Ulrich Müller gentoo-dev 2025-02-19 13:54:53 UTC
Thanks for catching this.

AFAICS this is not a free software license:

| If you make any Additions available to others, such as by providing
| copies of them or providing access to them over the Internet, you
| must make them publicly available, according to this paragraph.
| [...]
| – You must publish all source code for software under this license,
| in the preferred form for making changes, through a freely
| accessible distribution system widely used for similar source code,
| so the developer and others can find and copy it.

This fails both the "Desert island" and the "Dissident" test:
https://wiki.gentoo.org/wiki/License_groups#When_is_a_license_a_free_software_license.3F


Note that SPDX has assigned the VSL-1.0 identifier to the "Vovida Software License" (https://opensource.org/license/vovidapl-php) which is a different license. Presumably we should avoid that identifier altogether, in order not to cause confusion.

I'd suggest Volatilty-1.0 as name. Not entirely sure about license groups. The license says nothing about distribution of binaries, so maybe we shouldn't add it to any group (including @BINARY-REDISTRIBUTABLE).
Comment 3 Ulrich Müller gentoo-dev 2025-02-19 17:25:50 UTC
(In reply to Ulrich Müller from comment #1)
> I'd suggest Volatilty-1.0 as name.

This should read "Volatility-1.0". (Copy and paste error, https://volatilityfoundation.org/license/ has "VOLATILTY SOFTWARE LICENSE". :)
Comment 4 mario.haustein 2025-02-19 22:02:33 UTC
Oh damn, it's one of my first packages copied from Pentoo to my personal overlay and later moved to Gentoo. I missed checking the license and fixed it now in https://github.com/gentoo/gentoo/pull/40660.

Is it sufficient to add the license? Or is the license itself considered problematic so we have to drop the package?
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-19 22:06:44 UTC
(In reply to mario.haustein from comment #4)
> Oh damn, it's one of my first packages copied from Pentoo to my personal
> overlay and later moved to Gentoo. I missed checking the license and fixed
> it now in https://github.com/gentoo/gentoo/pull/40660.

It happens. I should've noticed as well.

> 
> Is it sufficient to add the license? Or is the license itself considered
> problematic so we have to drop the package?

It's OK to add the licence as long as it's not wrongly added to a free group in license_groups. By default, licences aren't free unless they're added to such a group, so simply adding the licence to licenses/ and updating LICENSE in the ebuild should be OK.
Comment 6 Larry the Git Cow gentoo-dev 2025-02-19 22:21:15 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b11fc31acf72ca71f9a1d9aca994d1b5a321710e

commit b11fc31acf72ca71f9a1d9aca994d1b5a321710e
Author:     Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
AuthorDate: 2025-02-19 21:55:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-19 22:20:48 +0000

    app-forensics/volatility3: update LICENSE
    
    Closes: https://bugs.gentoo.org/949963
    Signed-off-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
    Closes: https://github.com/gentoo/gentoo/pull/40660
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{volatility3-2.11.0.ebuild => volatility3-2.11.0-r1.ebuild}         | 2 +-
 .../{volatility3-2.8.0-r1.ebuild => volatility3-2.8.0-r2.ebuild}        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fef652318b272109a57d3262f16aab28218c433

commit 8fef652318b272109a57d3262f16aab28218c433
Author:     Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
AuthorDate: 2025-02-19 21:54:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-19 22:20:47 +0000

    licenses: add Volatility-1.0
    
    Bug: https://bugs.gentoo.org/949963
    Signed-off-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
    Signed-off-by: Sam James <sam@gentoo.org>

 licenses/Volatility-1.0 | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)