RedHatProductSecurity / cvss

CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
GNU Lesser General Public License v3.0

Dual License #56

Open vkrizan opened 5 months ago

vkrizan commented 5 months ago

Hello,

I've noticed that this project seems to be dual licensed; however, this is not evident from the project's LICENSE file nor from the README.

The original code is under the LGPL-3.0 license; however, the new CVSSv4 code is under the BSD-2-Clause license.

This might have an impact when packaging this to Fedora Project.

Thank you for helping with this.

EDIT: PyPI also has incomplete information regarding the license: https://pypi.org/project/cvss/

vkrizan commented 5 months ago

Note to self: This might be a case of multiple licensing: https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#Multiple_Licensing_Scenarios

skontar commented 5 months ago

So, the CVSSv4 code is a port from https://github.com/RedHatProductSecurity/cvss-v4-calculator, which is BSD-2-Clause. I actually have no idea how to do this correctly.

vkrizan commented 5 months ago

Me neither. The Fedora packaging guidelines suggest this for multiple licensing:

If your package contains files which are under multiple, distinct, and independent licenses, then the spec must reflect this by using "and" as a separator. Fedora maintainers are highly encouraged to avoid this scenario whenever reasonably possible, by dividing files into subpackages (subpackages can each have their own License: field).

PyPI might have different guidelines.

Separation into subpackages would not be possible, as the Python module is directly tied together through __init__.py.

skontar commented 5 months ago

I am wondering whether we could dual-license the original code and change it here so that there is just one license throughout the whole code base.

vkrizan commented 5 months ago

Dual license might have similar challenges.

Maybe this might help: https://peps.python.org/pep-0639/ + https://peps.python.org/pep-0639/appendix-user-scenarios/#my-package-includes-other-code-under-different-licenses

I think that either dual or multiple licenses should be mentioned in the README and that LICENSE files should be provided.

skontar commented 5 months ago

I thought that if we dual-licensed the original JavaScript code, we could change the code in this codebase to be consistent. But I guess I need to talk to some legal people.

jobselko commented 4 months ago

I will look into it, discussed with @skontar.