Add explicit MPL-2.0 licence notice "Exhibit A"

[ijackson]

Unlike most other Free Software licences, the MPL explicitly says it applies only to files with a specific notice:

1.4. "Covered Software"
means Source Code Form to which the initial Contributor has attached
the notice in Exhibit A, the Executable Form of such Source Code
Form, and Modifications of such Source Code Form, in each case
including portions thereof.

Unfortunately, this means that copying the MPL text into tree, and setting the "license" Cargo option, leaves an ambiguous situation. One might presume that the intent was to actually use the MPL for the whole project, but the legal licence text explicitly rejects that.

Thankfully, according to the licence text, it is not actually necessary to add the notice to every file:

If it is not possible or desirable to put the notice in a particular
file, then You may include the notice in a location (such as a LICENSE
file in a relevant directory) where a recipient would be likely to look
for such a notice.

So clarify this situation by adding one central explicit copy of the MPL "Exhibit A" text, and declare it to apply to everything.

Putting it in Cargo.toml puts it next to the "license =" tag. Another possibility would be README.md but IMO this legal technicality doesn't really warrant such exposure.

I added another sentence so that it's clear that this statement about
the MPL doesn't contradict the intent to also offer LGPL 3.0.

(Putting it in the LICENCE file, as the text itself suggests, would mean either (i) renaming the verbatim copy of the MPL 2.0 and writing a new file or (ii) adding it as a rubric to the top of the MPL 2.0 text in LICENCE - resulting in a LICENCE file which is not identical to the usual MPL-2.0 text file. Neither of those seem desirable.)

(FYI we, the Arti developers, have had similar MRs accepted in other projects, eg soc/option-ext#4. Our original ticket for this kind of thing was https://gitlab.torproject.org/tpo/core/arti/-/issues/845)

[garro95]

Sorry, I can't get your point. Each rust file in this project has a copyright notice explicitly reporting

 *  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU Lesser General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version, or (at your opinion) under the terms
 *  of the Mozilla Public License version 2.0.

[garro95]

I will close this. Feel free to reopen it in case I missed something

[ijackson]

Hi. Thanks for your attention. Sorry for the late reply; I was away last week.

Unfortunately the standard file header text is not sufficient. The MPL explicitly says that it only applies when we've "attached the notice in Exhibit A". Ie, only the precise text of its Exhibit A counts. Since the existing standard file header is not "the notice in Exhibit A", because it has different wording, the various statements about the MPL are contradictory:

The file header in each file says the MPL applies, but the actual text of the MPL says it doesn't.

I think we could fix this by (a) adding the Exhbit A notice to every file, or (b) by adding it somewhere central and saying it applies everywhere. In this MR I did (a).

Another option would be (c) replace the standard text in each file header with a minimal SPDX-style declaration (eg like this only declaring SPDX-License-Identifier: LGPL-3.0 OR MPL-2.0) and put a longer explanation somewhere central.

I'm happy to do whichever of these you prefer. Please let me know.

(I don't think I can reopen this MR. Maybe I should file a ticket?)

[ijackson]

Oh I also notice that the SPDX string in Cargo.toml is wrong. It should be LGPL-3.0-or-later. See https://spdx.org/licenses/

[garro95]

To be consistent, I would rather add the full "Exhibit A" text on each source code file.

I think we could fix this by (a) adding the Exhbit A notice to every file, or (b) by adding it somewhere central and saying it applies everywhere. In this MR I did (a).

I think that in this MR you did (b), right? I would go for (a) instead

[musicinmybrain]

Oh I also notice that the SPDX string in Cargo.toml is wrong. It should be LGPL-3.0-or-later. See https://spdx.org/licenses/

Looking at #23, it seems like contributors were asked for consent to relicense to “LGPL 3,” with no mention of later versions, so (if I’m not missing something) LGPL-3.0-only is probably the correct replacement for the deprecated LGPL-3.0, and LGPL-3.0-or-later.txt should be renamed to match.

[musicinmybrain]

Oh, but the existing source code headers specify “any later version.” Hmm. Maybe GPL-3.0-or-later is correct after all.