On Thu, May 28, 2026 at 11:55 AM Denys Dmytriyenko <[email protected]> wrote: > > Thanks Joshua, > > On Thu, May 28, 2026 at 11:06:09AM -0600, Joshua Watt via > lists.openembedded.org wrote: > > What follow is a proposal to allow our recipe LICENSE variable to be > > interpreted as valid SPDX licenses expressions; as proposed the LICENSE > > variables would not need to be mass converted to SPDX expressions > > immediately, > > as there would be code in place to do a conversion from the current LICENSE > > value to a valid SPDX expression. > > <cut> > > > * "CLOSED" is still allowed as a license type, but is deprecated and > > cannot > > be combined with any other license type (e.g. "CLOSED AND GPL-2.0-only" > > is > > not allowed). These should all be converted to use a bespoke license > > reference instead (e.g. "LicenseRef-${PN}-closed" + NO_GENERIC_LICENSE), > > even if that bespoke license text just states e.g. "Copyright John Doe. > > All rights reserved". > > > > * Much like the "CLOSED" license, the "Proprietary" license should > > probably > > be deprecated and removed in favor of a bespoke license > > Can you please elaborate on "allowed, but deprecated" statement for "CLOSED" > and "Proprietary" (in their pure form) licenses? Will the requirement for > converting them to bespoke licenses become mandatory? > > It is often used by customers creating recipes for their own software > components to simply set LICENSE to "CLOSED" and don't bother with > corresponding checksums or even provide a license text. I had worked on > some large projects with thousands of such recipes, where software is > either written in-house or come from tens of different vendors. I can > see this becoming problematic to convert all of them to bespoke licenses > with corresponding correct license texts...
Ideally, yes. But as stated, I was still allowing per-layer "generic" licenses, so you could, e.g. make a license file named "john-doe-proprietary" and place it in your layer with LICENCE_PATH set appropriately, then do: LICENSE = "LicenseRef-john-doe-proprietary" The problem with "CLOSED" as a license is that it's not a valid SPDX identifier, so if we keep it, everywhere we deal with licenses has to be special cased to account for it. "Proprietary" at least doesn't have that problem because it does have a generic license file (so it can be converted to "LicenseRef-Proprietary"), although using the generic text of "Proprietary license." for everyone that uses that one seems non-ideal, which is why I'm recommending it be removed. > > On the other hand, I wonder if from SPDX/SBOM/CRA perspective it is required > to have such software components clearly marked as "Copyright John Doe. All > rights reserved" when the product ships, instead of simply "CLOSED"? I'm not sure about CRA requirements w.r.t. proprietary licenses TBH, but I wouldn't be surprised if something like that was needed. > > -- > Denys
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#2363): https://lists.openembedded.org/g/openembedded-architecture/message/2363 Mute This Topic: https://lists.openembedded.org/mt/119533872/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-architecture/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
