Propose CFEP-21 license packages for static/header libraries #47
carterbox wants to merge 4 commits into conda-forge:main from
beckermr left a comment
Seems good to me. Note that we cannot patch run exports so we won't be able to go back and fix old packages that should have run exports. This is not a big deal but useful to set expectations on how compliant we can be.
We can however start a migration. That can likely help this issue.
@conda-forge/core
| ## Abstract | ||
| This CFEP proposes that header-only and static libraries should be required |
Not all licenses require the distribution of the license when the code is distributed in binary form.
Thanks for pointing this out. Common licenses like BSD3 and MIT do require distribution of the notice and/or license with the binary form though. My thought is that it is easier to require all packages to attribute than to have reviewers check against a running list of which licenses require attribution.
Mmm, I think we should encourage people to be looking at and thinking about the licenses, rather than not. It shouldn't be hard to keep a list of licenses that do/don't have requirements, and if there are gray areas, I think we should be looking into them.
I think we state that packages whose licenses require license file distribution must use a run export or other mechanism to do this.
Others are free to not. There is no reason for us to require more work from folks when the underlying package does not require it.
> I think we should encourage people to be looking at and thinking about the licenses

This is a very good point; maintainers should understand the license of their packages. But then why keep a list of licenses that require attribution? That would discourage people from looking at the licenses because they would just look at the list.
> There is no reason for us to require more work from folks when the underlying package does not require it.

As I stated, I think it is more (human) work overall to determine on a case-by-case basis whether a license requires attribution than to just export a license package for every header library. I also don't see any harm in attributing when it is not required.
As a compromise, I propose that header-only libraries without license packages are required to have a comment that the license does not require attribution. Otherwise, it is unclear whether the maintainers have considered this CFEP.
@hmaarrfk mentioned this in a discussion today, and every so often I wonder about whether licenses for header-only libraries are being satisfied. I wrote something up to see if we can make this official policy.