From: Konstantin Kulikov
Date: Thu, 23 Feb 2023 13:03:52 +0300
Subject: Re: Alpine Linux and package versioning: can the license change in a release patch ?
To: "Bleher, Eric"
Cc: "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>

Revbumps can alter package build options. New options can pull new dependencies. New deps can bring new licenses.

As for fetching sources - if you find working with APKBUILDs too hard, pkgs.a.o has links to build logs for every package, maybe parsing such logs will be easier?

On Thu, Feb 23, 2023 at 9:26 AM Bleher, Eric wrote:
> Hello here,
>
> First, thank you all for your work on the Alpine Linux!
>
> My question is related to the versioning of the packages. Looking at https://pkgs.alpinelinux.org/packages, almost every single package is versioned as a.b.c-rd where a b c d are numbers, d is the ‘patch release’ of the version a.b.c.
>
> As the name implies, I suppose the patch release is a bug or security fix.
>
> What about the licensing of the package?
> Is it possible that the license of a package is changing within a patch release, or can we ensure that the license is always the same for a fixed a.b.c version, whatever the r number is?
>
> Background is legal compliance: when we deliver a software based on Alpine Linux (delivered as Docker container), we need to ensure that the license of every single component is properly defined and delivered with our software.
> But "clearing" a component requires getting the source code, and is always time consuming. I see [here](https://unix.stackexchange.com/questions/496755/how-to-get-the-source-code-used-to-build-the-packages-of-the-base-alpine-linux-d/) how to get the exact source code of a package, but this is much more complex than getting just the tag of the related GitHub repository.
>
> So for compliance purposes, if the license remains the same, I would like to take any package of version a.b.c and ignore the release patch. What do you think?
>
> NB: I am posting the question on Stack Exchange too, in the opensource channel: it might be interesting to others not on that mailing list.
> https://opensource.stackexchange.com/questions/13745/alpine-linux-and-package-versioning-can-the-license-change-in-a-release-patch
>
> Thanks,
> Eric
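
The point made in the reply, as an added example that is not part of the original thread or of Alpine's tooling: a check that compares two revisions of one APKBUILD and reports a changed `license` field or newly added dependencies when only `pkgrel` (the `-rN` suffix) moved. The sample APKBUILD fragments and the dependency name `libfoo-dev` are constructed for illustration, and the parser assumes plain top-level `NAME=value` assignments without evaluating shell expansions.

```python
import re

# Constructed sample APKBUILD fragments (hypothetical dependency names).
OLD = '''pkgver=1.2.3
pkgrel=0
license="MIT"
makedepends="openssl-dev zlib-dev"
'''
NEW = '''pkgver=1.2.3
pkgrel=1
license="MIT"
makedepends="
	openssl-dev zlib-dev
	libfoo-dev
	"
'''

LIST_FIELDS = ("depends", "makedepends")
FIELDS = ("pkgver", "pkgrel", "license") + LIST_FIELDS
# Top-level NAME=value: double-quoted (may span lines), single-quoted, or bare word.
# Shell expansions such as $pkgname are left unevaluated.
ASSIGN = re.compile(r'''^(\w+)=(?:"([^"]*)"|'([^']*)'|([^\s#]*))''', re.MULTILINE)

def parse_apkbuild(text):
    """Extract the tracked fields; dependency lists become sets of names."""
    out = {}
    for m in ASSIGN.finditer(text):
        name = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        if name in LIST_FIELDS:
            out[name] = set(value.split())
        elif name in FIELDS:
            out[name] = value.strip()
    return out

def review_revbump(old_text, new_text):
    """Return (is_revbump_only, findings) for two revisions of one APKBUILD."""
    old, new = parse_apkbuild(old_text), parse_apkbuild(new_text)
    findings = []
    if old.get("license") != new.get("license"):
        findings.append(("license", old.get("license"), new.get("license")))
    for field in LIST_FIELDS:
        added = new.get(field, set()) - old.get(field, set())
        if added:
            findings.append((field, "added", sorted(added)))
    revbump_only = (old.get("pkgver") == new.get("pkgver")
                    and old.get("pkgrel") != new.get("pkgrel"))
    return revbump_only, findings
```

On the constructed pair, `review_revbump(OLD, NEW)` reports a revbump whose `license` field is unchanged but which adds a build dependency, which is the case where the new dependency's own license would still need review.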