Bug#696185: [copyright-format] Use short names from SPDX

[Russ Allbery]

Simon McVittie  writes:

> Sorry, (c) seems very unlikely: earlier versions of SPDX had the same
> convention as DEP-5, but later versions moved to "GPL-2.0-only" and
> "GPL-2.0-or-later", which I think was the result of a request from the
> FSF to make it clearer whether the "or later" clause of the {A,L,}GPL
> family was allowed or excluded.

It was, yes.  The current SPDX identifiers for those licenses are a
political compromise that I wouldn't want to revisit if I were SPDX.

> I would personally be in favour of (b) as our long-term direction, but
> for now the status quo is basically a variation of (a): keep using the
> Debian-specific names where they exist, but where there is no
> Debian-specific name for a license, the SPDX name is as good a name as
> any other.

Agreed on both counts.

Fedora is adopting SPDX wholesale, so while we were dubious at first
whether SPDX had staying power, it looks like it does and is slowly
becoming the standard in free software.  In the long term, that's probably
the direction we want to go.  In the short term, I don't think there's a
huge hurry; there are minor advantages to aligning with them, but SPDX
still has a ton of work to do to absorb all of the licenses in Fedora,
which will help us when we're ready to do a switch.  (But I would
definitely use SPDX identifiers where there isn't a Debian standard to
follow, since it will make that switch easier.)

-- 
Russ Allbery (r...@debian.org)  

Bug#696185: [copyright-format] Use short names from SPDX

[Simon McVittie]

Please keep the subject line in place when replying to bugs, to give
readers some context (maintainers will often be seeing bug mail as a
single message among many unrelated messages).

On Sat, 03 Sep 2022 at 16:22:46 +0500, Akbarkhon Variskhanov wrote:
> FSF[1] as well as SPDX[2] request using the suffixes "-only" or
> "-or-later" with GNU licenses:
> 
> > Therefore, when you use SPDX license indicators, please use these:
> > GPL-2.0-only or GPL-2.0-or-later
> 
> DEP-5 uses the bare form, i.e. "GPL-3" or "GPL-3+". I added this
> difference to the wiki page.
> 
> What's not clear is how are we going to approach this discrepancy?
> Shall we a) ignore this, b) adopt SPDX/FSF naming, or c) suggest SPDX
> to stick to uniform naming convention, which is using "+" to denote
> later versions of a license?

Sorry, (c) seems very unlikely: earlier versions of SPDX had the same
convention as DEP-5, but later versions moved to "GPL-2.0-only" and
"GPL-2.0-or-later", which I think was the result of a request from the
FSF to make it clearer whether the "or later" clause of the {A,L,}GPL
family was allowed or excluded.

Forms like GPL-2.0, LGPL-3.0+ and so on are still listed in
https://spdx.org/licenses/ as deprecated equivalents of GPL-2.0-only,
LGPL-3.0-or-later and so on.

I would personally be in favour of (b) as our long-term direction,
but for now the status quo is basically a variation of (a): keep using
the Debian-specific names where they exist, but where there is no
Debian-specific name for a license, the SPDX name is as good a name as
any other.

> [2] https://spdx.dev/ids/

I believe the canonical reference for the SPDX license identifiers is
https://spdx.org/licenses/ which also lists all the deprecated forms.

smcv