Miroslav, can you please all rise? Thank you everybody. So he's going to speak about the case of SPDX versus Fedora. Thank you. Over to you, sir.

It's usually a habit that you sit down when the jury says you may be seated, but you are forgiven. Okay. So members of the jury, your duty today will be to determine whether the defendant is guilty or not guilty, based only on the facts and the evidence provided in the case, and we will be talking about the case of SPDX versus Fedora. So thank you for coming, and thank you also to the audience watching the stream live.

First, let me introduce you to the problem we have. That's the Callaway system, and the guy who is guilty of this system is Tom Callaway, who is coincidentally sitting here on the bench of the guilty people. He made the system out of the blue, because in that time, what was the time, Tom? That would be in 2003, 2004. 2003, yeah. And there was no standard, I probably should speak into the mic, right, yeah. And in that time, there was no standard about licensing at all. So when the license was GPL version 2, Tom said let's use the GPLv2 string for that. And we lived with that for a long, long time.

Much later, we had some problems with the software. That's when the SBOM stuff started. And there are two standards right now, SPDX and CycloneDX, which are used for SBOMs. And one of the things in them is the licensing. So licensing started to be standardized, and SPDX uses identifiers for separate licenses. So when you use the SPDX identifier, you know exactly what license it is, and it's never a whole family of licenses like we had in Fedora. By the way, who knows what an SBOM is? And who doesn't know what an SBOM is? Okay, so we have some people in the audience. I may refer you to my presentation at devconf.cz this summer where I spoke about what the hell an SBOM is. But it is basically something like this picture. It describes your system.
Because usually the requirements for the system are just the top level and you never know what's below. So it's the map. Some people like the metaphor that it is a list of ingredients, and you know whether at the end of the list is the chili that can spoil things. Yeah, there's a question. I prefer saying "your honor". So in this picture, the fun is of this teeny place. But from the SBOM side, we actually don't think about that. SBOM doesn't care about sustainability of the things, whether it's sustainable in the future or not; you just describe the system and note that, for example, this block has some security vulnerability. It just provides you a map of the system so you know exactly what is there. A lot of things for the SBOM you can fetch using rpm -qa, and you get all this information: the name of the package, upstream website, what files it includes, et cetera. But one thing, I think, is the licensing. So that's part of the SBOM. And that's why we are doing the change in Fedora itself, to move to something which is standardized, because every piece of software in the world right now which does something with licensing uses some standard, and from what I mostly see it is SPDX. So if we want to continue further and be first, we need to use SPDX.

So last year we started an initiative and a change proposal to move to SPDX identifiers. This is where we are right now. The blue part is the text we already converted, which is pretty awesome. We are at 40% right now, which is a good number. It's starting to slow down a little bit, but we are doing a lot of stuff. We are adding like five new licenses to SPDX every week or something like that. So it's pretty fast for a human, slow from the whole distribution point of view. And the yellowish and reddish part is the part which we still have to finish. The yellow part I mark as trivial conversion, for which a lot of people hate me, because it's trivial from a technical point of view.
But when you start speaking to lawyers, it doesn't seem to be as trivial as it seems to be. One of the reasons is that we are changing how we evaluate licenses. Previously you could evaluate the license, and now we don't evaluate. So if some project says this is GPL version 2, or if you are shipping with Fedora, it's MIT, previously you may choose MIT because that was for Fedora. And now you should say "GPL or MIT", and it depends on the context. So right now we have to evaluate all the licenses as well. So the trivial part is not so trivial, and the red part is not trivial at all, because we usually don't know to what it should convert. And the non-trivial part looks something like this. So if you try to convert the "MIT and BSD" license string, we give you a hint that it's one of the MIT choices and one of the BSD choices, and you actually have to evaluate the license, because previously in the Callaway system BSD, MIT and other licenses referred to a whole family of licenses, which is right now not possible.

Okay. And now I want you to meet your defendant, and it's in the form of a quiz; you will be the jury and decide if it was the right answer. I want to ask you to all stand up, please. Here we have the question, and this is one of the change owners. Who is this guy? If it is David Kansherk, raise your right hand, and if it is David Cantrell, raise your left hand. I will shortly reveal the correct answer, and if it is incorrect, please sit down. If you guess it correctly, you can keep standing. Credit for this quiz goes to Radek Vokal, who introduced it at DevConf. So guess who it is? David Kansherk or David Cantrell? Raise your hand. This is the change owner, this guy on the boat. It's not so visible. And it's David Cantrell, and he's here, yeah, so not on the boat. And the second change owner: is it Emily Lovejoy or Jilayne Lovejoy? This one will be tricky. One, two, three. It's Jilayne Lovejoy. And who is this?
Is it Miroslav Suchý or Marek Suchý? It's Miroslav Suchý, and it's me. And now slightly different: who is Richard Fontana? Is it the guy on the left side or the guy on the right side? Okay. Both are Richard Fontana. This is Richard Fontana the lawyer, and this is Richard Fontana the actor. Obviously, Richard Fontana the lawyer is working on the change proposal. But this one was tricky, and both answers are correct. And when will the migration to SPDX in the whole of Fedora be finished, based on the current approximation and estimation: sooner than October 2024 or later than October next year? This is hard. It varies, because the estimation started as summer 2024, and you saw the graph is slowing down. So right now the estimation is December 2024. So you can do better if you migrate your packages. Some people are still standing, so the last question. Oh, sorry. Do you like the migration to SPDX identifiers? Yes. The correct answer is yes. And yeah, I was actually looking for a standing ovation, but you didn't get so many questions right, so you are not standing anymore. So my fault for doing that.

So that's basically all I have presented, because I can speak about it for a long, long time, and I reserve more time for your questions. So what's your question?

It's not so... I will rephrase your question. Thank you very much. So my question is: is this change only for the licenses, or will you publish the SPDX files for the packages and the requirements they provide as they get into Fedora, in a format that will be accessible to scanners, security scanners I mean? Because, sorry, tomorrow I have a little bit on supply chain in RHEL, and actually Red Hat has already started to provide a beta in one of the portals. So I'm curious how it looks in Fedora.

So again, the question is whether Fedora provides SPDX, not the change to the licensing of packages but the SPDX files for the individual packages.
So as far as I know, Fedora provides SBOMs for the containers made of Fedora, but not for the whole distribution, and even the SBOMs for the containers are very simple and don't go down into the details. And just for the others: SBOMs can be really, really huge. It's a huge rabbit hole, because you can have SBOMs for the artifacts, that's what we are actually producing. Then you have SBOMs for the build system, which include not just the map you've seen but other maps which are required for building, the package's BuildRequires. You can have the SBOM which includes stuff for designing, other stuff which you need before you start building, for example Inkscape for drafting the logos. And the other way around, you can have SBOMs for deployment, because your system may need a PostgreSQL DB, but it can reside on a different system, so it doesn't need to be tracked in some scenarios, but in some scenarios it needs to be tracked, or S3 which is provided by another vendor on the internet. So when you say "providing the SBOM", it's a really wide area, but for our change proposal I don't dive into that, because that's a really huge topic, and right now I and the change owners are focusing just on changing the license identifiers; even that is a huge topic. And even in this area there was a proposal that we do the analysis on every commit to dist-git, which is a really great idea, and one day it will likely happen, and there are some tools that actually do that; for example, SUSE has the Cavil system, which we probably plan to use or investigate. But if we did that right now, we would have to build the system for both the Callaway system and the SPDX system and somehow make them live together, which would be tricky, so I persuaded the others that we first migrate everything to SPDX and then, some two years later maybe, that's my expectation, we will make some system which will warn you every time you do a
change that, hey, there may be a new license or some license disappeared. So this is the future in Fedora, probably.

I have a second question, but I don't want to... I will give a chance there and then maybe come back to you.

My question is a bit twofold. I was wondering if you have any view on what the most common licenses are in Fedora right now, since you are going through all the changes and doing the statistical analysis. And the second part: what is your view on the proposal that has appeared recently to follow suit with what Debian does and just symlink to copies of common license texts instead of having multiple copies of the same license?

So the question is common licenses. I don't dare to say which license is common in Fedora. We have a lot of MIT, a lot of GPL version 2 or later, a lot of BSD. I've seen some pretty long license lists, like 80... 800 characters long license identifiers. And yeah, right now, because we are in the middle and we mix the Callaway system and SPDX, and the Callaway system itself was not defined in any form but one wiki page. So later, when we finish this work, it may actually be easy to determine the whole license for the whole Fedora distribution, because there is a library which evaluates licenses, so we may put all the strings beside each other, concatenate them with AND operators, and it evaluates the license, and we may get the license for the whole Fedora distribution. So that would be awesome. And yeah, the idea about linking to common licenses: actually last week Richard kicked this off on the legal... Fedora legal list, so yeah...
So it is a proposal. It has some problems, like what is a common license and what is not. So for others, like GPL version 2, it may be a common license, I don't doubt that, but there are some other licenses which have an attribution, like at the top "copyright 2024 by Miroslav Suchý", and it's part of the license, and license checkers ignore this attribution, but the license itself says it's free if you use this license exactly in this form in the software, so you can't actually link it to some common example, because there has to be that attribution in the comment part. Yeah, that's the part where things start to get complicated, and whether it's sufficient to link the header or whether you have to include the part, it's tricky. And right now we have like 20,000 packages to go, and we still defer some stuff like copyright-only or CC0, already debatable stuff; we just noted it, and we will still have to do some fixes later in some cases. So there is a lot of stuff, and I'm not sure whether saving one kilo of text is right now the biggest priority, but yeah, all people are trying to address that, and it's fine and I welcome such an issue.

Okay, my question is also because there are multiple formats for SBOM, and why did you choose one over the other? For example, you have SPDX; why did you choose SPDX instead of...

So SPDX actually was not an SBOM thing at the start; it was a license management project. So at the start they had a huge list of licenses, and as far as I know they are still the one which actually cares about the licenses the most. CycloneDX is the new one, and it's focused on tracking vulnerabilities, so they don't care too much about the licenses; they care about the vulnerabilities in the blocks. So I'm not even aware whether they have some list of licenses, and then they don't differ so much from SPDX. So my wild guess, and I may be incorrect, is that in a few years even CycloneDX will use the SPDX list, because it's really comprehensive and very well
maintained.

So can I ask, your honor, I was investigating one of my victims and there was a problem with the evidence, and in layman's terms: is there some tooling that can help me convert my packages to a valid SPDX license?

Yes, thank you for the question. It's in the package license-validate, and if you run license-fedora2spdx with the old string, it will tell you to which string you can convert it. But there is a problem with license evaluation, so you may run a checker, and we have licensecheck, the ScanCode tools, askalono, and every tool has its own problems, so there's nothing which I can point to as the best tool you can use, and we are still evolving and the ecosystem is evolving.

Your honor, I just want to add to that: one annoying feature of that tool is that if you already have an SPDX license, it tells you it's not a valid license string. I may address it after this presentation, because we are already at the end. I'm aware of that. So we are at the end of the hearing. Thank you for coming. Thank you.

Thanks a lot, that was fantastic. Next we have Tim Flink. No, sorry, you are the one, name...
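To make the trivial-versus-family split from the talk concrete, here is an added example that is not Fedora's license-fedora2spdx tool: a small Callaway-to-SPDX converter over a constructed subset of the mapping table. It keeps AND/OR grouping, passes identifiers that are already SPDX through instead of rejecting them (the behaviour the last questioner wanted), and flags family names such as MIT and BSD for manual evaluation rather than guessing; the candidate lists are assumptions, not Fedora's data.

```python
import re

# Constructed subset of the Callaway -> SPDX table, an assumption for this example
# (Fedora's real mapping lives in fedora-license-data and license-fedora2spdx).
TRIVIAL = {
    "GPLv2": "GPL-2.0-only",
    "GPLv2+": "GPL-2.0-or-later",
    "GPLv3": "GPL-3.0-only",
    "GPLv3+": "GPL-3.0-or-later",
    "ASL 2.0": "Apache-2.0",
}
# Callaway names that covered a whole family; the packager must pick one of the
# candidates after reading the actual license text (constructed, partial lists).
FAMILIES = {
    "MIT": ["MIT", "MIT-0", "X11"],
    "BSD": ["BSD-2-Clause", "BSD-3-Clause"],
}
KNOWN_SPDX = set(TRIVIAL.values()) | {c for cs in FAMILIES.values() for c in cs}

# Callaway strings join license names with a lower-case "and"/"or".
OPERATOR = re.compile(r"\s+(and|or)\s+", re.IGNORECASE)


def convert(callaway: str):
    """Return (spdx_expression, review) for one Callaway license string.

    review lists (name, candidates) for every token that needs a human decision:
    a family name with its candidate identifiers, or an unknown name with [].
    """
    out, review = [], []
    for i, part in enumerate(OPERATOR.split(callaway.strip())):
        if i % 2 == 1:                      # capturing split: odd slots are operators
            out.append(part.upper())        # SPDX expressions use upper-case AND/OR
            continue
        # Keep parentheses so grouping like "(GPLv2 or MIT) and BSD" survives.
        opens = len(part) - len(part.lstrip("("))
        closes = len(part) - len(part.rstrip(")"))
        name = part[opens:len(part) - closes].strip()
        if name in TRIVIAL:
            token = TRIVIAL[name]
        elif name in FAMILIES:              # "MIT" is ambiguous: Callaway family or SPDX id,
            review.append((name, FAMILIES[name]))   # so it always goes to review
            token = "<" + "|".join(FAMILIES[name]) + ">"
        elif name in KNOWN_SPDX:            # already SPDX: pass through, do not reject
            token = name
        else:
            review.append((name, []))
            token = "<UNKNOWN:" + name + ">"
        out.append("(" * opens + token + ")" * closes)
    return " ".join(out), review
```

Tokens wrapped in angle brackets are placeholders for the packager to resolve; only an expression with an empty review list is ready to go into the spec file.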