Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on2051.outbound.protection.outlook.com [40.107.8.51]) by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id 105CC221C80 for <~alpine/users@lists.alpinelinux.org>; Thu, 23 Feb 2023 06:26:02 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RLPElZCzn4ztedvy/SlURsKjjzoqALTMTe5N/XI6arcR3QFsniuYZDb1Q/KCCrRnm9lDjyrkD+yBXm7SRXTa/swrjEhBfX723XOXj5RZAD9GJLbcFT9TO6XeVtqY4sVPNcpaEKcV6w/eKa5xPm4xmtT4zo9X50L/PwohgIdKwM/JvcIfoy+2zY3tuEftpKhgrVnueb2iwvhDJwaEk4Mz4YVR8i7tNjmqsnSU0+3juEqLchfStaJSRGyrBtHYtnWzxaM73qcoZw504J0KcJlHMrSRGPZiLI0QDpwZ60mJnie0r9ZFBJ7c+/72fUMu0PV4r8D1uMxMDjIeeceLaAPwaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oGpunNxRoAHmQvdbpUp7gRR4NG42R31ZEbfCc/mqE+Q=; b=Gs8a71xxhnNavPDb6cr8DVtfUVXxaFQvFxDwbYgvHObckMxr/ADAc2D8X5L5oD3m4n4lHGbeIbYTi5I6mc96yTAcU5nBfmtm4/BrE2Ze4KvOptaY36mKLo6M8Oax4bPQidue55zodzcTCtJnkIYY9ZBCz/1zs9lZAJs5fy0x2wXTg5LdrpgTw5LnvTx7x3wNuWphc6T8dENajHUVqiM8Ld6s1EG3RxP1LEjP1ILJ8CEW7sErDnc6IUL/zIj5QJYpHrBwtB8+ytuIPXKjLgKUnEZYic2fScPnuaQA9V8ujnxqgyKiwzZmQnhJ3XvXMr+iiaP69ZFPYg+fumT6psZe5w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oGpunNxRoAHmQvdbpUp7gRR4NG42R31ZEbfCc/mqE+Q=; b=GdocLnPmvL2WrWb509/ZXrfcj9FLrx6ardg4jK2DihLB7FGhG/s9HNlr+Dym7wGWeSwoYDlWPmPU1xPEakDg96LrIYPNaPtOGy18M/0/ZhNUvIT4kmggLPXkG8To+QMCtkCXWEPMlRPIGWA2P+C9ET8C3H48VKvsJOjtxyPT3pLrIbGe1dd88U2Dzxk1NDr1p2PcumXfE3vHDwD7j6Gq6vGQpo2hifzICdDCEIr2itiK6vBzIDVvEcasRRCqoG2aORPJFBmU8wx4KBnfW0fYKcr1Qc4CQOGLt0aQtwh2oGSlRo0w3mUzvJoF0FytnI5+WPgfr/1uD7MbsqK0ykHqAw== Received: from DB4PR10MB6285.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:383::18) by PRAPR10MB5322.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:297::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6134.19; Thu, 23 Feb 2023 06:26:01 +0000 Received: from DB4PR10MB6285.EURPRD10.PROD.OUTLOOK.COM ([fe80::ae1b:4d19:9566:12de]) by DB4PR10MB6285.EURPRD10.PROD.OUTLOOK.COM ([fe80::ae1b:4d19:9566:12de%5]) with mapi id 15.20.6134.021; Thu, 23 Feb 2023 06:26:01 +0000 From: "Bleher, Eric" To: "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org> Subject: Alpine Linux and package versioning: can the license change in a release patch ? Thread-Topic: Alpine Linux and package versioning: can the license change in a release patch ? Thread-Index: AdlG5id7LGKfYX3MSJe26wipKcVHLQ== Date: Thu, 23 Feb 2023 06:26:00 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2023-02-22T19:49:48Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=54189e00-b5d2-4bec-b75d-0e87bea745b2; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0 document_confidentiality: Restricted authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: DB4PR10MB6285:EE_|PRAPR10MB5322:EE_ x-ms-office365-filtering-correlation-id: 044337d8-580c-4c33-0921-08db1566d504 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: /4C878maze24eooANpmFX0biN4GVW24Smv+j3DH5lFfpnHZOPI8O4mQx3dN+61T+llT1rSMkPGH3UkCqbgEJugTtKiC+tlBOcPzAXLPhpKIsh0mRu82WMd54YPXU6WKynfZkF8lgAj9v/0mBcEMTRSVgt+HqJnv7lXtDB4NFJStl0cmvFmgbg1k4hXm3WsMApT00NkL7LfiwSKGpxY72YFzwUp1ZZiToErFn+a7tB6FuvCoL7F5mma49uoG+S9ZKTMv3+zKUCeLae6ReT1x+Z13yI2QeiMInnRmeV9x+phKC3kv93LZbt7egu5oYMvH0C6cJo8bs5vGLZ3e5WbqexL0iOUeOYPN7m5TRUwVUsPzXGIczn78m6QC7RAt30KulXxtzS4CJchw4W3/CEzThlJJRy9yQ1bF0HL5gDjDDpbYe5zT9xZ7VKSgGCsRkqp02LV4vy2a8omLyQrncOTCIFZvifMKCmrp83PUPk+YDnIJ7ZchE+qJbLbyY6pPBPfrtPYodtqS9W0cE08GGMQGq12UZ0yFkcBAgM0M3Ast1WKgerwBgpdU3L+9uB12kgxA/ts4HsjVTg1cwtVaZGQ2ZpKIQ1sO7Fj/jnNbuqvf0nqW5ux1ZGi8myV0Hh+uIlrgQZGSDlO1AWvfCFegc19Xp+2QKCcDlZm36C4Gv3JSZzs3r/TXnrEilzPGxslnMowrQ x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB4PR10MB6285.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230025)(4636009)(376002)(346002)(136003)(39860400002)(396003)(366004)(451199018)(83380400001)(166002)(478600001)(71200400001)(2906002)(5660300002)(9686003)(86362001)(41300700001)(966005)(52536014)(8936002)(33656002)(7696005)(55016003)(122000001)(38100700002)(26005)(186003)(38070700005)(82960400001)(6506007)(66946007)(64756008)(66476007)(316002)(66446008)(8676002)(66556008)(76116006);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?+Nc988BV7Axq1prIlz1WAcMW5oO0xy9EtQo4SUCeFcMJcRyj9SaD4GgFCD+b?= =?us-ascii?Q?phKUE4HXcl6eUcRTIEICJwY2+O/9zAzEecFmGOG+r35fV0P3Ut5n3WLmcSNe?= =?us-ascii?Q?tQYajj4ubbMCm2iKfxzMVIa79dENengZXNQ6OtgOOH2ruvjfWvTRkOfMcg7q?= =?us-ascii?Q?6nU0hVY199FvAvk523HgkQpg6K7zwBQ7Vp4OWMOrYYFQFOmoUcSiITU0rsX3?= =?us-ascii?Q?PYK1XwcIP4EAqfL0CmjzWvFlBJMPsueE8yX4F3ji2NU4DCvYXmN7MThXqFsr?= =?us-ascii?Q?SMzjiSW25NncwHfCQAPlcryz9OoE6jsBJPhd6T8Kw63BLncoZwxqMaXolC/o?= =?us-ascii?Q?TTToOkrqmXl3SU7rzBpHWyeK83+cXAwa/0wOsV8fgxMIbwI5gjIBr5ZwBA+c?= =?us-ascii?Q?laosy3825eLeWNldWIYD19BBATopWB0e/vKSbz39vo0TBcJssMr00X00+3gn?= =?us-ascii?Q?O7ntyE3UENoJijSRLtqrAM1PQIFQuRFs9ctLgL3SfMSReiVCd5K/E7PJKf0u?= =?us-ascii?Q?KTnrhcamyEiO0BA9ty2Lnf1sOHoIVWxj0zFUBHBlAY/tWhhbSzyEj+xsEVgO?= =?us-ascii?Q?XHdS8wDJa4zCnUHdIK+iRUKOkE5BTqHld+FbpE3Mx8rcz8TUXPt/uMCqz4Wl?= =?us-ascii?Q?VZB9uGfkUp88TFLdPQpvsrM9/KYuqOlD/A6kHvduAloyASMbi/rSNKGIIrln?= =?us-ascii?Q?cnZXwzMOiITwbKAEr5xHFxssN37VlpCGD+/QWvpOUm5dZ2v02i82Jho64Xo4?= =?us-ascii?Q?O3R+ok4ehmVoz0NwZ6SY6yoX2ik1tAL+DvwYxykxv/rdljtJgqB1yoH0Djf+?= =?us-ascii?Q?WYN9t+Z1SUpCO+eNqxM3OGdyEfif8l0W54iNttOZD1DrikajyTD8mFO7fRSE?= =?us-ascii?Q?uiiihlqQgnBh7EspL4K91BwpKkyczBke6B5jfM4icu26vTmf9sKhmUpM5Hnj?= =?us-ascii?Q?ZfLKT8lDrrZ/gV1NvWLn6gyoDpbjOS4ANuzgW5q4Cd1t5yPDHnFqK2t9D4Xf?= =?us-ascii?Q?FP9bbY3VrQRHjOWqMh5xXYZxagwFQSAF3IAARPwDc/VEjwUwq60I2Uap6M56?= =?us-ascii?Q?vA4/lvHdk3078SVVy90DjJ+glzbdqkPSXqPlChhji2tDxf+iTuzISL60unRn?= =?us-ascii?Q?aForCr1SMz6NyhbQ+DN6i6xcHOBID6f9OG3s7ZFElW8FkP+WiCGBBPlchA9f?= =?us-ascii?Q?mHBGw2eH3a2iN4IazhVhUuRakrezzk11rVaow4Gm9EI5KCMCd2rP4I3dRhLA?= =?us-ascii?Q?6Pmf3/nNLl0t5bQbe4x3CzKxTJgpeDotQGjv4j6ch7I4nkG2UThEp6GDUGtV?= =?us-ascii?Q?n1B3RixAsI+uaKIGCCU/CoSGmX5tJxOyauvXhLFZjvodSVNCSVVevcHwXsWv?= =?us-ascii?Q?7TSoMqoKM74RTMm9DsA9y2oQE6Y/UJIxo8Pdf6iqu2pczlKGPQ107uFF/I+6?= =?us-ascii?Q?4S8RU2pCn41qtjl8qtaFOVPqNVYqYmVJgZXTgJWyTsXfq/GHEA6g5FXlNYLc?= =?us-ascii?Q?QYOWHh63TAbHvTF6SIFkYimHC7IcLaMS4iwisbgSM3mjHSP/clmMa2676iDg?= =?us-ascii?Q?CvWIHehTQ6moxyYt3hty57tSsN3icoJxNYPAE2LqkoCuwa5C9Y29fL2OtFWh?= =?us-ascii?Q?Ig=3D=3D?= Content-Type: multipart/alternative; boundary="_000_DB4PR10MB6285C2EFA0AB9030B31514ABBFAB9DB4PR10MB6285EURP_" MIME-Version: 1.0 X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DB4PR10MB6285.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-Network-Message-Id: 044337d8-580c-4c33-0921-08db1566d504 X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Feb 2023 06:26:00.7559 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 1ZkNYEB/XYcxbV3t5iQmmO4u0dZ1sUu3GqapGBaYhiBZoQvnj3Zb38TTLMUGs4rU5lFtxfCXfXpTU8bDP65KdRB7YwXcqIlQxaN/ba+wnyo= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PRAPR10MB5322 --_000_DB4PR10MB6285C2EFA0AB9030B31514ABBFAB9DB4PR10MB6285EURP_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hello here, First, thank you all for your work on the Alpine Linux! My question is related to the versioning of the packages. Looking at https:= //pkgs.alpinelinux.org/packages, almost every single package is versioned a= s a.b.c-rd where a b c d are numbers, d is the 'patch release' of the vers= ion a.b.c. As the name implies, I suppose the patch release is a bug or security fix. What about the licensing of the package? It is possible that the license of a package is changing within a patch rel= ease, or can we ensure that the license is always the same within for a fix= ed a.b.c version, whatever the r number is ? Background is legal compliance: when we deliver a software based on Alpine = Linux (delivered as Docker container), we need to ensure that the license o= f every single component is properly defined and delivered with our softwar= e. But "clearing" a component requires getting the source code, and is always = time consuming. I see [here](https://unix.stackexchange.com/questions/49675= 5/how-to-get-the-source-code-used-to-build-the-packages-of-the-base-alpine-= linux-d/) how to get the exact source code of a package, but this is much m= ore complex that getting just the tag of the related GitHub repository. So for compliance purposes, if the license remains the same, I would like t= o take any package of version a.b.c and ignore the release patch. What do y= ou think? NB: I am posting the question on Stack Exchange too, in the opensource chan= nel: it might be interesting to others not on that mailing list. https://opensource.stackexchange.com/questions/13745/alpine-linux-and-packa= ge-versioning-can-the-license-change-in-a-release-patch Thanks, Eric --_000_DB4PR10MB6285C2EFA0AB9030B31514ABBFAB9DB4PR10MB6285EURP_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hello here,

 

First, thank you all for your w= ork on the Alpine Linux!

 

My question is related to the v= ersioning of the packages. Looking at https://pkgs.alpinelinux.= org/packages, almost every single package is versioned as a.b.c-rd  where a b c d are numbers, d is the ‘patch rele= ase’ of the version a.b.c.

 

As the name implies, I suppose = the patch release is a bug or security fix.

 

What about the licensing of = the package?

It is possible that the lice= nse of a package is changing within a patch release, or can we ensure that = the license is always the same within for a fixed a.b.c version, whatever t= he r number is ?


Background is legal compliance: when we deliver a software based on Alpine = Linux (delivered as Docker container), we need to ensure that the license o= f every single component is properly defined and delivered with our softwar= e.

But "clearing" a comp= onent requires getting the source code, and is always time consuming. I see= [here](= https://unix.stackexchange.com/questions/496755/how-to-get-the-source-code-= used-to-build-the-packages-of-the-base-alpine-linux-d/) how to get the exact source code of a package, but this is much more compl= ex that getting just the tag of the related GitHub repository.

 

So for compliance purposes, if = the license remains the same, I would like to take any package of version a= .b.c and ignore the release patch. What do you think?


NB: I am posting the question on Stack Exchange too, in the opensource chan= nel: it might be interesting to others not on that mailing list.=

https://opensource.stackexchange.com/q= uestions/13745/alpine-linux-and-package-versioning-can-the-license-change-i= n-a-release-patch

 

Thanks,

Eric

 

 

--_000_DB4PR10MB6285C2EFA0AB9030B31514ABBFAB9DB4PR10MB6285EURP_--