Hello here,
First, thank you all for your work on Alpine Linux!
My question is related to the versioning of the packages. Looking at https://pkgs.alpinelinux.org/packages, almost every single package is versioned as a.b.c-rd where a b c d are numbers, d is the 'patch release' of the version a.b.c.
As the name implies, I suppose the patch release is a bug or security fix.
What about the licensing of the package?
Is it possible that the license of a package is changing within a patch release, or can we ensure that the license is always the same for a fixed a.b.c version, whatever the r number is?
Background is legal compliance: when we deliver a software based on Alpine Linux (delivered as Docker container), we need to ensure that the license of every single component is properly defined and delivered with our software.
But "clearing" a component requires getting the source code, and is always time consuming. I see [here](https://unix.stackexchange.com/questions/496755/how-to-get-the-source-code-used-to-build-the-packages-of-the-base-alpine-linux-d/) how to get the exact source code of a package, but this is much more complex than getting just the tag of the related GitHub repository.
So for compliance purposes, if the license remains the same, I would like to take any package of version a.b.c and ignore the release patch. What do you think?
NB: I am posting the question on Stack Exchange too, in the opensource channel: it might be interesting to others not on that mailing list.
https://opensource.stackexchange.com/questions/13745/alpine-linux-and-package-versioning-can-the-license-change-in-a-release-patch
Thanks,
Eric
revbumps can alter package build options. New options can pull new
dependencies. New deps can bring new licenses.
As for fetching sources - if you find working with APKBUILDS too hard,
pkgs.a.o has links to build logs for every package, maybe parsing such
logs will be easier?
On Thu, Feb 23, 2023 at 9:26 AM Bleher, Eric
<eric.bleher.ext@siemens.com> wrote:
> Hello here,
>
> First, thank you all for your work on Alpine Linux!
>
> My question is related to the versioning of the packages. Looking at https://pkgs.alpinelinux.org/packages, almost every single package is versioned as a.b.c-rd where a b c d are numbers, d is the ‘patch release’ of the version a.b.c.
>
> As the name implies, I suppose the patch release is a bug or security fix.
>
> What about the licensing of the package?
>
> Is it possible that the license of a package is changing within a patch release, or can we ensure that the license is always the same for a fixed a.b.c version, whatever the r number is?
>
> Background is legal compliance: when we deliver a software based on Alpine Linux (delivered as Docker container), we need to ensure that the license of every single component is properly defined and delivered with our software.
>
> But "clearing" a component requires getting the source code, and is always time consuming. I see [here](https://unix.stackexchange.com/questions/496755/how-to-get-the-source-code-used-to-build-the-packages-of-the-base-alpine-linux-d/) how to get the exact source code of a package, but this is much more complex than getting just the tag of the related GitHub repository.
>
> So for compliance purposes, if the license remains the same, I would like to take any package of version a.b.c and ignore the release patch. What do you think?
>
> NB: I am posting the question on Stack Exchange too, in the opensource channel: it might be interesting to others not on that mailing list.
>
> https://opensource.stackexchange.com/questions/13745/alpine-linux-and-package-versioning-can-the-license-change-in-a-release-patch
>
> Thanks,
>
> Eric
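
The reply's point, that a revbump can pull in new dependencies and with them new licenses, can be checked mechanically. The following is an added example, not part of the original thread: it compares two constructed package snapshots, assumed to be in the key:value layout of apk's installed database, and flags packages whose a.b.c is unchanged but whose -rN differs. The function names and sample packages are hypothetical.

```python
import re

# Constructed snapshots in the key:value layout of apk's installed database
# (P = name, V = version, L = license, D = dependencies); all values are made up.
OLD_DB = """P:examplepkg
V:1.4.2-r0
L:MIT
D:musl
"""
NEW_DB = """P:examplepkg
V:1.4.2-r1
L:MIT
D:musl libexample

P:libexample
V:0.9.0-r2
L:GPL-2.0-or-later
"""

def parse_db(text):
    """Return {name: {"ver", "rel", "license", "deps"}} from blank-line separated records."""
    pkgs = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        m = re.fullmatch(r"(.+)-r(\d+)", fields.get("V", ""))
        if "P" not in fields or not m:
            continue  # no package name or no -rN suffix: not comparable
        pkgs[fields["P"]] = {"ver": m.group(1), "rel": int(m.group(2)),
                             "license": fields.get("L", ""),
                             "deps": set(fields.get("D", "").split())}
    return pkgs

def revbump_changes(old_text, new_text):
    """For packages with the same a.b.c but a different -rN, report license changes and
    the licenses of dependencies the newer release added (assumes plain names in D:)."""
    old, new = parse_db(old_text), parse_db(new_text)
    report = []
    for name in sorted(old.keys() & new.keys()):
        o, n = old[name], new[name]
        if o["ver"] != n["ver"] or o["rel"] == n["rel"]:
            continue  # upstream version moved, or nothing was rebuilt
        added = sorted(n["deps"] - o["deps"])
        report.append({"pkg": name, "rel": (o["rel"], n["rel"]),
                       "license_changed": o["license"] != n["license"],
                       "new_dep_licenses": {d: new[d]["license"] for d in added if d in new}})
    return report

if __name__ == "__main__":
    print(revbump_changes(OLD_DB, NEW_DB))
```

In the constructed sample the package's own license field is identical in -r0 and -r1, yet the rebuilt release depends on a new GPL-licensed library, which is the case a license clearing keyed only on a.b.c would miss.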