Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Steve Winslow
Hello all,

As a gentle reminder (and as Alexios noted earlier), please restrict use of the 
spdx@ email list for general announcements only to help keep it as a 
lower-traffic list for the broader SPDX audience.

spdx-le...@lists.spdx.org  can be used for 
discussions relating to the License List or license identifiers such as the 
discussion raised here. Or as Karsten mentioned below, 
https://github.com/spdx/change-proposal can be used for raising a change 
proposal for easier cross-team consideration.

If you are not yet subscribed to spdx-legal@, you can do so at 
https://lists.spdx.org/g/Spdx-legal.

Steve

> On Oct 20, 2023, at 2:24 PM, Karsten Klein wrote:
> 
> Hi all,
> 
> Me and others have been raising this several times before. I regard this as 
> rather a political blooper. 
> 
> However, to manifest the critique and channel the discussion and arguments, I 
> propose filing a change proposal at https://github.com/spdx/change-proposal. 
> This increases visibility and weight within the SPDX community.
> 
> You may also find 
> https://github.com/spdx/change-proposal/blob/main/proposals/Modifiers.md 
> enlightening.
> 
> Kind regards,
> Karsten 
> 
> 
>> On 20.10.2023 at 18:32, Kyle Mitchell wrote:
>> 
>> 
>> I'm not familiar with the reasons for `-only` and `-or-later` GNU-specific 
>> extensions, either. If there's a short summary somewhere, I'd appreciate a 
>> link. Not least to link other people to.
>> 
>> I've had to deal with some fallout. Technical changes for compliance tools. 
>> I don't know how many GitHub issues and e-mails pleading confusion.
>> 
>> I can confirm Richard's point on defaults: The typical approach I've seen is 
>> to interpret `GPL-x.y` as version x.y only. If two readings are possible, 
>> only the more conservative is safe. This was also arguably implied by the 
>> expression syntax. No `+`, no other license versions. In tooling I maintain, 
>> we convert `GPL-2.0-or-later` into `GPL-2.0+` and `GPL-2.0-only` into 
>> `GPL-2.0`, then pretend `-or-later` and `-only` never happened.
>> 
>> I've been under various pressures to "fork" or "superset" SPDX pretty much 
>> since the beginning of implementation for package managers. That includes 
>> ignoring deprecation of the unsuffixed GNU license IDs more recently. 
>> Thousands of devs quite naturally put `GPLv2` or the like in license 
>> metadata to start. Then we badgered them over to `GPL-2.0` or `GPL-2.0+`, 
>> which at least made sense for uniformity. Yet another round of deprecation 
>> warnings, this time to treat the licenses unlike all the rest, felt like 
>> jerking them around.
>> 
>> From the outside looking in, the license list is just a list of strings. If 
>> you also take expressions, that grammar's simpler than the C-style math 
>> students implement in intro compiler courses. Discovering that's somehow 
>> also a source of arbitrary-feeling, user-facing deprecations disappoints 
>> people. From the EU group's or any other, similar perspective, there's not a 
>> lot of "standard" here to adopt if you're not doing full documents.
>> 
>> What's done is done. Offering this up just for perspective, from 
>> "downstream".
>> 
>> For something constructive, I'd support a clarification that `GPL-2.0` = 
>> `GPL-2.0-only` and `GPL-2.0+` = `GPL-2.0-or-later`, semantically, coupled 
>> with a rollback of the deprecations on the bare IDs.
>> 
>> --
>> Kyle E. Mitchell, attorney // Oakland, California, USA
>> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#1791): https://lists.spdx.org/g/spdx/message/1791
Mute This Topic: https://lists.spdx.org/mt/102069167/21656
Group Owner: spdx+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-




Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Karsten Klein
Hi all,

Me and others have been raising this several times before. I regard this as rather a political blooper.

However, to manifest the critique and channel the discussion and arguments, I propose filing a change proposal at https://github.com/spdx/change-proposal. This increases visibility and weight within the SPDX community.

You may also find https://github.com/spdx/change-proposal/blob/main/proposals/Modifiers.md enlightening.

Kind regards,
Karsten

> On 20.10.2023 at 18:32, Kyle Mitchell wrote:
>
> I'm not familiar with the reasons for `-only` and `-or-later` GNU-specific extensions, either. If there's a short summary somewhere, I'd appreciate a link. Not least to link other people to.
>
> I've had to deal with some fallout. Technical changes for compliance tools. I don't know how many GitHub issues and e-mails pleading confusion.
>
> I can confirm Richard's point on defaults: The typical approach I've seen is to interpret `GPL-x.y` as version x.y only. If two readings are possible, only the more conservative is safe. This was also arguably implied by the expression syntax. No `+`, no other license versions. In tooling I maintain, we convert `GPL-2.0-or-later` into `GPL-2.0+` and `GPL-2.0-only` into `GPL-2.0`, then pretend `-or-later` and `-only` never happened.
>
> I've been under various pressures to "fork" or "superset" SPDX pretty much since the beginning of implementation for package managers. That includes ignoring deprecation of the unsuffixed GNU license IDs more recently. Thousands of devs quite naturally put `GPLv2` or the like in license metadata to start. Then we badgered them over to `GPL-2.0` or `GPL-2.0+`, which at least made sense for uniformity. Yet another round of deprecation warnings, this time to treat the licenses unlike all the rest, felt like jerking them around.
>
> From the outside looking in, the license list is just a list of strings. If you also take expressions, that grammar's simpler than the C-style math students implement in intro compiler courses. Discovering that's somehow also a source of arbitrary-feeling, user-facing deprecations disappoints people. From the EU group's or any other, similar perspective, there's not a lot of "standard" here to adopt if you're not doing full documents.
>
> What's done is done. Offering this up just for perspective, from "downstream".
>
> For something constructive, I'd support a clarification that `GPL-2.0` = `GPL-2.0-only` and `GPL-2.0+` = `GPL-2.0-or-later`, semantically, coupled with a rollback of the deprecations on the bare IDs.
>
> --
> Kyle E. Mitchell, attorney // Oakland, California, USA










Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Kyle Mitchell
I'm not familiar with the reasons for `-only` and `-or-later` GNU-specific 
extensions, either. If there's a short summary somewhere, I'd appreciate a 
link. Not least to link other people to.

I've had to deal with some fallout. Technical changes for compliance tools. I 
don't know how many GitHub issues and e-mails pleading confusion.

I can confirm Richard's point on defaults: The typical approach I've seen is to 
interpret `GPL-x.y` as version x.y *only*. If two readings are possible, only 
the more conservative is safe. This was also arguably implied by the expression 
syntax. No `+`, no other license versions. In tooling I maintain, we convert 
`GPL-2.0-or-later` into `GPL-2.0+` and `GPL-2.0-only` into `GPL-2.0`, 
then pretend `-or-later` and `-only` never happened.

I've been under various pressures to "fork" or "superset" SPDX pretty much 
since the beginning of implementation for package managers. That includes 
ignoring deprecation of the unsuffixed GNU license IDs more recently. Thousands 
of devs quite naturally put `GPLv2` or the like in license metadata to start. 
Then we badgered them over to `GPL-2.0` or `GPL-2.0+`, which at least made 
sense for uniformity. Yet another round of deprecation warnings, this time to 
treat the licenses *unlike* all the rest, felt like jerking them around.

From the outside looking in, the license list is just a list of strings. If 
you also take expressions, that grammar's simpler than the C-style math 
students implement in intro compiler courses. Discovering that's somehow also 
a source of arbitrary-feeling, user-facing deprecations disappoints people. 
From the EU group's or any other, similar perspective, there's not a lot of 
"standard" here to adopt if you're not doing full documents.

What's done is done. Offering this up just for perspective, from "downstream".

For something constructive, I'd support a clarification that `GPL-2.0` = 
`GPL-2.0-only` and `GPL-2.0+` = `GPL-2.0-or-later`, semantically, coupled with 
a rollback of the deprecations on the bare IDs.

--
Kyle E. Mitchell, attorney // Oakland, California, USA
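
The conversion described in the message above (`GPL-2.0-or-later` into `GPL-2.0+`, `GPL-2.0-only` into `GPL-2.0`), applied across a whole license expression. This is an added example, not part of the original message and not code from any tooling mentioned in the thread. Extending the rule to LGPL and AGPL IDs and rejecting an `-only` ID combined with `+` are assumptions of this sketch.

```python
import re

# Assumption: GPL, LGPL and AGPL IDs of the form NAME-major.minor are the GNU
# family handled here; the thread itself only names GPL-2.0 and GPL-3.0.
_GNU_ID = re.compile(r"^((?:A|L)?GPL-\d+\.\d+)(-only|-or-later)?(\+)?$")

# A token is a parenthesis or a run of identifier characters ("+" included,
# so the or-later operator stays attached to the ID it modifies).
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.:+-]+")


def tokenize(expression):
    """Split a license expression into parentheses, operators and IDs."""
    tokens, pos = [], 0
    while pos < len(expression):
        if expression[pos].isspace():
            pos += 1
            continue
        match = _TOKEN.match(expression, pos)
        if match is None:
            raise ValueError(
                f"unexpected character {expression[pos]!r} at offset {pos}")
        tokens.append(match.group())
        pos = match.end()
    return tokens


def canonical_id(token):
    """Rewrite a GNU ID to the bare / "+" spelling; pass anything else through."""
    match = _GNU_ID.match(token)
    if match is None:
        return token  # operators, exception IDs and non-GNU licenses
    base, suffix, plus = match.groups()
    if suffix == "-only" and plus:
        # "this version only" and "or later" cannot both hold
        raise ValueError(f"contradictory identifier: {token}")
    return base + "+" if (suffix == "-or-later" or plus) else base


def normalize(expression):
    """Return the expression with every GNU ID in its canonical spelling."""
    text = " ".join(canonical_id(tok) for tok in tokenize(expression))
    return text.replace("( ", "(").replace(" )", ")")


def same_license(a, b):
    """True when two expressions differ only in GNU ID spelling or spacing.

    This is a textual comparison after normalization; it does not reorder
    the operands of AND / OR.
    """
    return normalize(a) == normalize(b)


def allows_later_versions(identifier):
    """Conservative reading: later versions only with an explicit marker."""
    return canonical_id(identifier).endswith("+")


if __name__ == "__main__":
    # Constructed sample metadata values, not taken from any real package.
    for declared in (
        "GPL-2.0-only",
        "GPL-2.0-or-later",
        "(GPL-2.0-only OR MIT) AND LGPL-2.1-or-later",
        "GPL-2.0-or-later WITH Classpath-exception-2.0",
    ):
        print(f"{declared!r:50} -> {normalize(declared)!r}")
```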






Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Alexios Zavras
This is definitely a discussion for the SPDX Legal mailing list – adding it and 
moving the general list to bcc.

As everyone can imagine, the SPDX Legal team has spent a lot of time discussing 
this topic, analyzing a number of license families.

If I remember correctly, a couple of the issues discussed back then were:

  *   When saying “licensed under X”, it’s not always clear whether this means 
“under X only” or “under X or any later version”
  *   This actually also depends on the license, and there are licenses that 
do not allow “X only” at all (e.g. MPL-2.0)
  *   When finding a license text in a source code repository, without any 
mention of “licensed under X” text, one cannot determine whether “X” or “X or 
later” is implied (since both have the same license text).

People who are interested in learning more are welcome to read pages from our 
old wiki, like:

  *   https://github.com/spdx/old-wiki/blob/main/Pages/Legal%20Team/or-later-vs-unclear-disambiguation.md
  *   https://github.com/spdx/old-wiki/blob/main/Pages/Legal%20Team/later-version-clauses.md

--
zvr
From: s...@lists.spdx.org  On Behalf Of Patrice-Emmanuel 
SCHMITZ via lists.spdx.org
Sent: Friday, 20 October, 2023 17:13
To: Richard Fontana 
Cc: s...@lists.spdx.org; Gary O'Neall 
Subject: Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

Like Richard, I also believe SPDX should not be overinfluenced by license 
steward, and consider exclusively legal aspects (and not political aspects).
Legally speaking, as soon the exact version number is expressly specified, I do 
not see the difference between "licensed under the GPL-3.0" and "licensed under 
the GPL-3.0-only". For example, if source code is expressly licensed under 
OSL-3.0 it looks clear enough, without the need to create some "-only" version 
of the OSL-3.0 identifier. But for sure, FSF has political reasons.
However, questions will be openly submitted to Project Officers and, as Max 
underlined, harmonisation according to a standard is good practice.



On Fri, 20 Oct 2023 at 16:17, Richard Fontana <rfont...@redhat.com> wrote:
I am not really familiar with the reasons given by the FSF for persuading SPDX 
to adopt the `-only` and `-or-later` identifiers. I am not sure if those 
reasons were publicized. I generally believe SPDX should not be overly 
influenced by license stewards, or particular project maintainers, in making 
decisions about license identifiers.

One problem I have seen around the *GPL identifiers is that license scanning 
tools attempting to use SPDX identifiers seem to commonly identify *GPL license 
files themselves as inherently signifying the "-only" variant, when of course 
this is generally incorrect. The license text is ambiguous as to later versions 
by design. Perhaps scanning tools should continue to use the deprecated base 
identifier in such cases; maybe SPDX could recommend this.

I believe there is a consequence occurring here that the FSF probably didn't 
intend: a tendency (in the community of people surrounding the use of SPDX 
identifiers) to err on the side of assuming the "-only" version of the license 
applies, even in the face of textual evidence or background cultural practice 
that "-or-later" is likely the correct license. Of course, one can question 
whether any of this really matters most of the time.

Richard



On Fri, Oct 20, 2023 at 9:46 AM Patrice-Emmanuel Schmitz <pe.schm...@googlemail.com> wrote:
David,
It was SPDX's decision to accept those identifiers. This is done apparently 
after long debates and I'm not going to question it again.
However, it will be our decision to use it or not, for example as long the 
identifier GPL-3.0 exists, we may decide to use it and not use the legally 
equivalent GPL-3.0-only.
But once again, our decision is not fixed yet. It will be debated inside the EU 
Office of Publication, SEMIC, JOINUP and other EC projects.
Kind regards,
P-E



On Fri, 20 Oct 2023 at 15:02, David Edelsohn <edels...@us.ibm.com> wrote:
Patrice,

“-only” or “-or-later” are not new identifiers for all SPDX identifiers.  The 
license steward for the GPL class of license has specified, and SPDX has 
agreed, that the identifiers are “GPL-3.0-only” and “GPL-3.0-or-later”, etc.  
Those are the officially recognized and approved SPDX identifiers.

Thanks, David

--
David Edelsohn, Ph.D.
STSM, IBM Open Ecosystem, CTO GNU Toolchain
IBM T.J. Watson Research Center
+1 914 945 4364

From: mailto:s...@lists.spdx.org>> on behalf of 
"Patrice-Emmanuel SCHMITZ via lists.spdx.org<http://lists.spdx.org>" 
mailto:googlemail@lists.spdx.org>>
Reply-To: "s...@lists.spdx.org<mailto:s...@lists.spdx.org>" 
mailto:s...@lists.spdx.org>>
Date: Friday, October 20, 2023 at 08:46
To: Gary O'Neall mailto:g...@sourceauditor.com>>
Cc: Richard 

Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Patrice-Emmanuel SCHMITZ via lists.spdx.org
Like Richard, I also believe SPDX should not be overinfluenced by license
steward, and consider exclusively legal aspects (and not political aspects).
Legally speaking, as soon the exact version number is expressly specified,
I do not see the difference between "licensed under the GPL-3.0" and
"licensed under the GPL-3.0-only". For example, if source code is expressly
licensed under OSL-3.0 it looks clear enough, without the need to create
some "-only" version of the OSL-3.0 identifier. But for sure, FSF has
political reasons.
However, questions will be openly submitted to Project Officers and, as Max
underlined, harmonisation according to a standard is good practice.



On Fri, 20 Oct 2023 at 16:17, Richard Fontana wrote:

> I am not really familiar with the reasons given by the FSF for persuading
> SPDX to adopt the `-only` and `-or-later` identifiers. I am not sure if
> those reasons were publicized. I generally believe SPDX should not be
> overly influenced by license stewards, or particular project maintainers,
> in making decisions about license identifiers.
>
> One problem I have seen around the *GPL identifiers is that license
> scanning tools attempting to use SPDX identifiers seem to commonly identify
> *GPL license files themselves as inherently signifying the "-only" variant,
> when of course this is generally incorrect. The license text is ambiguous
> as to later versions by design. Perhaps scanning tools should continue to
> use the deprecated base identifier in such cases; maybe SPDX could
> recommend this.
>
> I believe there is a consequence occurring here that the FSF probably
> didn't intend: a tendency (in the community of people surrounding the use
> of SPDX identifiers) to err on the side of assuming the "-only" version of
> the license applies, even in the face of textual evidence or background
> cultural practice that "-or-later" is likely the correct license. Of
> course, one can question whether any of this really matters most of the
> time.
>
> Richard
>
>
>
> On Fri, Oct 20, 2023 at 9:46 AM Patrice-Emmanuel Schmitz <
> pe.schm...@googlemail.com> wrote:
>
>> David,
>> It was SPDX's decision to accept those identifiers. This is done
>> apparently after long debates and I'm not going to question it again.
>> However, it will be our decision to use it or not, for example as long
>> the identifier GPL-3.0 exists, we may decide to use it and not use the
>> legally equivalent GPL-3.0-only.
>> But once again, our decision is not fixed yet. It will be debated inside
>> the EU Office of Publication, SEMIC, JOINUP and other EC projects.
>> Kind regards,
>> P-E
>>
>>
>>
>> On Fri, 20 Oct 2023 at 15:02, David Edelsohn wrote:
>>
>>> Patrice,
>>>
>>>
>>>
>>> “-only” or “-or-later” are not new identifiers for all SPDX
>>> identifiers.  The license steward for the GPL class of license has
>>> specified, and SPDX has agreed, that the identifiers are “GPL-3.0-only” and
>>> “GPL-3.0-or-later”, etc.  Those are the officially recognized and approved
>>> SPDX identifiers.
>>>
>>>
>>>
>>> Thanks, David
>>>
>>>
>>>
>>> --
>>>
>>> David Edelsohn, Ph.D.
>>>
>>> STSM, IBM Open Ecosystem, CTO GNU Toolchain
>>>
>>> IBM T.J. Watson Research Center
>>>
>>> +1 914 945 4364
>>>
>>>
>>>
>>> *From: * on behalf of "Patrice-Emmanuel SCHMITZ
>>> via lists.spdx.org" 
>>> *Reply-To: *"spdx@lists.spdx.org" 
>>> *Date: *Friday, October 20, 2023 at 08:46
>>> *To: *Gary O'Neall 
>>> *Cc: *Richard Fontana , "spdx@lists.spdx.org" <
>>> spdx@lists.spdx.org>
>>> *Subject: *[EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+"
>>> mentions
>>>
>>>
>>>
>>> Hi Gary, Thanks a lot for this clarification on the reasons why those
>>> new SPDX identifiers "-only" and "-or-later" have been created. It was very
>>> useful. SPDX is a great initiative and unique identifiers should be
>>> considered
>>>

Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Richard Fontana
I am not really familiar with the reasons given by the FSF for persuading
SPDX to adopt the `-only` and `-or-later` identifiers. I am not sure if
those reasons were publicized. I generally believe SPDX should not be
overly influenced by license stewards, or particular project maintainers,
in making decisions about license identifiers.

One problem I have seen around the *GPL identifiers is that license
scanning tools attempting to use SPDX identifiers seem to commonly identify
*GPL license files themselves as inherently signifying the "-only" variant,
when of course this is generally incorrect. The license text is ambiguous
as to later versions by design. Perhaps scanning tools should continue to
use the deprecated base identifier in such cases; maybe SPDX could
recommend this.

I believe there is a consequence occurring here that the FSF probably
didn't intend: a tendency (in the community of people surrounding the use
of SPDX identifiers) to err on the side of assuming the "-only" version of
the license applies, even in the face of textual evidence or background
cultural practice that "-or-later" is likely the correct license. Of
course, one can question whether any of this really matters most of the
time.

Richard



On Fri, Oct 20, 2023 at 9:46 AM Patrice-Emmanuel Schmitz <
pe.schm...@googlemail.com> wrote:

> David,
> It was SPDX's decision to accept those identifiers. This is done
> apparently after long debates and I'm not going to question it again.
> However, it will be our decision to use it or not, for example as long the
> identifier GPL-3.0 exists, we may decide to use it and not use the legally
> equivalent GPL-3.0-only.
> But once again, our decision is not fixed yet. It will be debated inside
> the EU Office of Publication, SEMIC, JOINUP and other EC projects.
> Kind regards,
> P-E
>
>
>
> On Fri, 20 Oct 2023 at 15:02, David Edelsohn wrote:
>
>> Patrice,
>>
>>
>>
>> “-only” or “-or-later” are not new identifiers for all SPDX identifiers.
>> The license steward for the GPL class of license has specified, and SPDX
>> has agreed, that the identifiers are “GPL-3.0-only” and “GPL-3.0-or-later”,
>> etc.  Those are the officially recognized and approved SPDX identifiers.
>>
>>
>>
>> Thanks, David
>>
>>
>>
>> --
>>
>> David Edelsohn, Ph.D.
>>
>> STSM, IBM Open Ecosystem, CTO GNU Toolchain
>>
>> IBM T.J. Watson Research Center
>>
>> +1 914 945 4364
>>
>>
>>
>> *From: * on behalf of "Patrice-Emmanuel SCHMITZ via
>> lists.spdx.org" 
>> *Reply-To: *"spdx@lists.spdx.org" 
>> *Date: *Friday, October 20, 2023 at 08:46
>> *To: *Gary O'Neall 
>> *Cc: *Richard Fontana , "spdx@lists.spdx.org" <
>> spdx@lists.spdx.org>
>> *Subject: *[EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+"
>> mentions
>>
>>
>>
>> Hi Gary,
>>
>> Thanks a lot for this clarification on the reasons why those new SPDX
>> identifiers "-only" and "-or-later" have been created.
>>
>> It was very useful.
>>
>> SPDX is a great initiative and unique identifiers should be considered as
>> a strong standard.
>>
>> We will definitely try to align all EU projects and datasets on it, but
>> depending on the project officers decision we may perhaps ignore those
>> "-only" and "-or-later" rather confusing identifiers and withdraw them from
>> tools (like the Joinup Licensing Assistant) that currently uses them. No
>> decision is currently taken; it will be discussed soon with relevant POs.
>>
>> Best regards,
>>
>> Patrice-Emmanuel
>>
>> .
>>
>>
>>
>>
>>
>>
>>
>> On Fri, 20 Oct 2023 at 00:44, Gary O'Neall wrote:
>>
>> Hi Patrice-Emmanuel,
>>
>>
>>
>> Respon

Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Max Mehl
Dear Patrice-Emmanuel,

It was SPDX's decision to accept those identifiers. This is done apparently 
after long debates and I'm not going to question it again.
However, it will be our decision to use it or not, for example as long the 
identifier GPL-3.0 exists, we may decide to use it and not use the legally 
equivalent GPL-3.0-only.
But once again, our decision is not fixed yet. It will be debated inside the EU 
Office of Publication, SEMIC, JOINUP and other EC projects.

I personally think it would be a bad sign if an EU body would not follow an 
internationally recognized ISO standard but knowingly decide to use its 
deprecated version.

After all, the EU is emphasizing the harmonization of standards and the 
principle of subsidiarity. I hope this argument will be considered in the 
decision-making process.

Best,
Max

--
Max Mehl
Open Source Strategy & Governance
Enterprise-Team Chief Technology Office (CTO), T.IP E-T-378

DB Systel GmbH
Bahnhofplatz 1b, 76137 Karlsruhe










Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Patrice-Emmanuel SCHMITZ via lists.spdx.org
David,
It was SPDX's decision to accept those identifiers. This is done apparently
after long debates and I'm not going to question it again.
However, it will be our decision to use it or not, for example as long the
identifier GPL-3.0 exists, we may decide to use it and not use the legally
equivalent GPL-3.0-only.
But once again, our decision is not fixed yet. It will be debated inside
the EU Office of Publication, SEMIC, JOINUP and other EC projects.
Kind regards,
P-E



On Fri, 20 Oct 2023 at 15:02, David Edelsohn wrote:

> Patrice,
>
>
>
> “-only” or “-or-later” are not new identifiers for all SPDX identifiers.
> The license steward for the GPL class of license has specified, and SPDX
> has agreed, that the identifiers are “GPL-3.0-only” and “GPL-3.0-or-later”,
> etc.  Those are the officially recognized and approved SPDX identifiers.
>
>
>
> Thanks, David
>
>
>
> --
>
> David Edelsohn, Ph.D.
>
> STSM, IBM Open Ecosystem, CTO GNU Toolchain
>
> IBM T.J. Watson Research Center
>
> +1 914 945 4364
>
>
>
> *From: * on behalf of "Patrice-Emmanuel SCHMITZ via
> lists.spdx.org" 
> *Reply-To: *"spdx@lists.spdx.org" 
> *Date: *Friday, October 20, 2023 at 08:46
> *To: *Gary O'Neall 
> *Cc: *Richard Fontana , "spdx@lists.spdx.org" <
> spdx@lists.spdx.org>
> *Subject: *[EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+"
> mentions
>
>
>
> Hi Gary,
>
> Thanks a lot for this clarification on the reasons why those new SPDX
> identifiers "-only" and "-or-later" have been created.
>
> It was very useful.
>
> SPDX is a great initiative and unique identifiers should be considered as
> a strong standard.
>
> We will definitely try to align all EU projects and datasets on it, but
> depending on the project officers decision we may perhaps ignore those
> "-only" and "-or-later" rather confusing identifiers and withdraw them from
> tools (like the Joinup Licensing Assistant) that currently uses them. No
> decision is currently taken; it will be discussed soon with relevant POs.
>
> Best regards,
>
> Patrice-Emmanuel
>
> .
>
>
>
>
>
>
>
> On Fri, 20 Oct 2023 at 00:44, Gary O'Neall wrote:
>
> Hi Patrice-Emmanuel,
>
>
>
> Responses inline below.
>
>
> Gary
>
>
>
> *From:* Patrice-Emmanuel Schmitz 
> *Sent:* Thursday, October 19, 2023 2:02 PM
> *To:* Richard Fontana ; Gary O'Neall <
> g...@sourceauditor.com>
> *Cc:* spdx@lists.spdx.org
> *Subject:* SPDX identifiers for "or-later" or "+" mentions
>
>
>
> Hi Richard & Gary,
>
> At a time I am requested to align various projects and the EC publication
> office license lists (data sets) I am still uncertain about the SPDX policy
> of creating "actual" SPDX identifiers for "future" or "later" licenses.  I
> shared concerns with Jilayne but be sure that this is not done for creating
> some controversy, just to check that the SPDX policy is well understood.
>
> - Adding "or-later" (and much more rarely "-only") is indeed a
>   frequent licensor practice because recommended by some license steward. For
>   example if you search Google for "Licensed under the EUPL-1.2-or-later" you
>   will find references. But don’t you think that this mention should be
>   considered as a future intention, commitment or guarantee provided by the
>   licensor and that it should not merit a specific “actual” SPDX ID, because
>   no later text exists at this time?
>
> *[G.O.] Within SPDX we define a license expression syntax that has a
> number of operators or modifiers on a given license (e.g., ‘AND’, ‘OR’).
> For “or later” we defined the “+” operator which can be applied to any
> license.  We do not currently have an operator that defines “only”.  In
> rare cases, we have separate license ID’s to denote only and or-later (see
> below), but these are not defined in the 

Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread David Edelsohn
Patrice,

“-only” or “-or-later” are not new identifiers for all SPDX identifiers.  The 
license steward for the GPL class of license has specified, and SPDX has 
agreed, that the identifiers are “GPL-3.0-only” and “GPL-3.0-or-later”, etc.  
Those are the officially recognized and approved SPDX identifiers.

Thanks, David

--
David Edelsohn, Ph.D.
STSM, IBM Open Ecosystem, CTO GNU Toolchain
IBM T.J. Watson Research Center
+1 914 945 4364

From:  on behalf of "Patrice-Emmanuel SCHMITZ via 
lists.spdx.org" 
Reply-To: "spdx@lists.spdx.org" 
Date: Friday, October 20, 2023 at 08:46
To: Gary O'Neall 
Cc: Richard Fontana , "spdx@lists.spdx.org" 

Subject: [EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

Hi Gary,
Thanks a lot for this clarification on the reasons why those new SPDX 
identifiers "-only" and "-or-later" have been created.
It was very useful.
SPDX is a great initiative and unique identifiers should be considered as a 
strong standard.
We will definitely try to align all EU projects and datasets on it, but 
depending on the project officers decision we may perhaps ignore those "-only" 
and "-or-later" rather confusing identifiers and withdraw them from tools (like 
the Joinup Licensing Assistant) that currently uses them. No decision is 
currently taken; it will be discussed soon with relevant POs.
Best regards,
Patrice-Emmanuel
.



On Fri, 20 Oct 2023 at 00:44, Gary O'Neall <g...@sourceauditor.com> wrote:
Hi Patrice-Emmanuel,

Responses inline below.

Gary

From: Patrice-Emmanuel Schmitz <pe.schm...@googlemail.com>
Sent: Thursday, October 19, 2023 2:02 PM
To: Richard Fontana <rfont...@redhat.com>; Gary O'Neall <g...@sourceauditor.com>
Cc: spdx@lists.spdx.org
Subject: SPDX identifiers for "or-later" or "+" mentions

Hi Richard & Gary,

At a time I am requested to align various projects and the EC publication 
office license lists (data sets) I am still uncertain about the SPDX policy of 
creating "actual" SPDX identifiers for "future" or "later" licenses.  I shared 
concerns with Jilayne but be sure that this is not done for creating some 
controversy, just to check that the SPDX policy is well understood.

  *   Adding "or-later" (and much more rarely "-only") is indeed a frequent 
licensor practice because recommended by some license steward. For example if 
you search Google for "Licensed under the EUPL-1.2-or-later" you will find 
references. But don’t you think that this mention should be considered as a 
future intention, commitment or guarantee provided by the licensor and that it 
should not merit a specific “actual” SPDX ID, because no later text exists at 
this time?
[G.O.] Within SPDX we define a license expression syntax that has a number of 
operators or modifiers on a given license (e.g., ‘AND’, ‘OR’).  For “or later” 
we defined the “+” operator which can be applied to any license.  We do not 
currently have an operator that defines “only”.  In rare cases, we have 
separate license ID’s to denote only and or-later (see below), but these are 
not defined in the syntax for the license expressions.  Although there is a 
convention to add “or-later” to some licenses, we did not adopt that syntax for 
our expressions.

  *   It seems that this addition is done for the GNU licenses (where the 
licence steward is the FSF – Free Software Foundation) and not for all the 
others. Is this a special treatment for GNU licenses or is SPDX policy to allow 
or apply it for all licenses, i.e. depending on the license steward request?
[G.O.] Due to strong insistence from the license stewards for GNU licenses, we 
created separate license ID’s for the “only” and “or-later”.  These are not 
part of the expression syntax and therefore not processed by any of the machine 
readable SPDX license expression parsers – one would have to read the license 
notes to understand the semantics.  In other words, the “only” and “or-later” 
is a convention used by GNU that we carried forward in the license ID’s – not 
something intended to be standardized in the SPDX license syntax.

  *   Has SPDX assessed the risk that this practice would mult

Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-20 Thread Patrice-Emmanuel SCHMITZ via lists.spdx.org
Hi Gary,
Thanks a lot for this clarification on the reasons why those new SPDX
identifiers "-only" and "-or-later" have been created.
It was very useful.
SPDX is a great initiative and unique identifiers should be considered as a
strong standard.
We will definitely try to align all EU projects and datasets on it, but
depending on the project officers decision we may perhaps ignore those
"-only" and "-or-later" rather confusing identifiers and withdraw them from
tools (like the Joinup Licensing Assistant) that currently uses them. No
decision is currently taken; it will be discussed soon with relevant POs.
Best regards,
Patrice-Emmanuel
.



On Fri, Oct 20, 2023 at 00:44, Gary O'Neall wrote:

> Hi Patrice-Emmanuel,
>
>
>
> Responses inline below.
>
>
> Gary
>
>
>
> *From:* Patrice-Emmanuel Schmitz 
> *Sent:* Thursday, October 19, 2023 2:02 PM
> *To:* Richard Fontana ; Gary O'Neall <
> g...@sourceauditor.com>
> *Cc:* spdx@lists.spdx.org
> *Subject:* SPDX identifiers for "or-later" or "+" mentions
>
>
>
> Hi Richard & Gary,
>
> At a time I am requested to align various projects and the EC publication
> office license lists (data sets) I am still uncertain about the SPDX policy
> of creating "actual" SPDX identifiers for "future" or "later" licenses.  I
> shared concerns with Jilayne but be sure that this is not done for creating
> some controversy, just to check that the SPDX policy is well understood.
>
> - Adding "or-later" (and much more rarely "-only") is indeed a
>   frequent licensor practice because recommended by some license steward. For
>   example if you search Google for "Licensed under the EUPL-1.2-or-later" you
>   will find references. But don’t you think that this mention should be
>   considered as a future intention, commitment or guarantee provided by the
>   licensor and that it should not merit a specific “actual” SPDX ID, because
>   no later text exists at this time?
>
> *[G.O.] Within SPDX we define a license expression syntax that has a
> number of operators or modifiers on a given license (e.g., ‘AND’, ‘OR’).
> For “or later” we defined the “+” operator which can be applied to any
> license.  We do not currently have an operator that defines “only”.  In
> rare cases, we have separate license ID’s to denote only and or-later (see
> below), but these are not defined in the syntax for the license
> expressions.  Although there is a convention to add “or-later” to some
> licenses, we did not adopt that syntax for our expressions.*
>
> - It seems that this addition is done for the GNU licenses (where the
>   licence steward is the FSF – Free Software Foundation) and not for all the
>   others. Is this a special treatment for GNU licenses or is SPDX policy to
>   allow or apply it for all licenses, i.e. depending on the license steward
>   request?
>
> *[G.O.] Due to strong insistence from the license stewards for GNU
> licenses, we created separate license ID’s for the “only” and “or-later”.
> These are not part of the expression syntax and therefore not processed by
> any of the machine readable SPDX license expression parsers – one would
> have to read the license notes to understand the semantics.  In other
> words, the “only” and “or-later” is a convention used by GNU that we
> carried forward in the license ID’s – not something intended to be
> standardized in the SPDX license syntax.*
>
> - Has SPDX assessed the risk that this practice would multiply the
>   number of identifiers with uncertain use and possibly add some confusion?
>
> *[G.O.] In the case of the GNU licenses, the license ID’s are associated
> with the license text plus the notes.  It was highly debated and the risk
> of confusion was taken into account.  In the case of the or-later operator,
> there is a risk that the “+” operator would be applied to a license that
> does not have any subsequent license versions, but we decided that was a
> reasonable risk compared to the benefit of having a machine readable
> “or-later” operator.*
>
> - SPDX now considers GPL-3.0, AGPL-3.0, LGPL-3.0 etc. as "deprecated".
>   Did SPDX assess the impact – which could appear as nonsense for most users?
>
> *[G.O.] Again – highly debated at the time, and yes.  We don’t like to
> deprecate the license ID’s as it does cause issues in our community – but
> the license steward was extremely insistent.*
>
> - Until a subsequent version, for example some GPL-4.0, exists, is it
>   consistent to associate the text of the current GPL-3.0 with a specific
>   SPDX identifier "GPL-3.0-or-later"?
>
> *[G.O.] From what I recall, the reason the license steward insisted on
> this approach was to force the documenter of the license information to
> make a decision as to whether it was “only” or “or-later”.  I think you
> would have to defer to the license steward to answer this question. *
>
> - Is it still possible for SPDX to backtrack on this subject or is it
>   a definitive policy?
>
> *[G.O.] Since the 

Re: [spdx] SPDX identifiers for "or-later" or "+" mentions

2023-10-19 Thread Gary O'Neall
Hi Patrice-Emmanuel,

 

Responses inline below.


Gary

 

From: Patrice-Emmanuel Schmitz  
Sent: Thursday, October 19, 2023 2:02 PM
To: Richard Fontana ; Gary O'Neall 
Cc: spdx@lists.spdx.org
Subject: SPDX identifiers for "or-later" or "+" mentions

 

Hi Richard & Gary,

At a time I am requested to align various projects and the EC publication 
office license lists (data sets) I am still uncertain about the SPDX policy of 
creating "actual" SPDX identifiers for "future" or "later" licenses.  I shared 
concerns with Jilayne but be sure that this is not done for creating some 
controversy, just to check that the SPDX policy is well understood.

*   Adding "or-later" (and much more rarely "-only") is indeed a frequent 
licensor practice because recommended by some license steward. For example if 
you search Google for "Licensed under the EUPL-1.2-or-later" you will find 
references. But don’t you think that this mention should be considered as a 
future intention, commitment or guarantee provided by the licensor and that it 
should not merit a specific “actual” SPDX ID, because no later text exists at 
this time?

[G.O.] Within SPDX we define a license expression syntax that has a number of 
operators or modifiers on a given license (e.g., ‘AND’, ‘OR’).  For “or later” 
we defined the “+” operator which can be applied to any license.  We do not 
currently have an operator that defines “only”.  In rare cases, we have 
separate license ID’s to denote only and or-later (see below), but these are 
not defined in the syntax for the license expressions.  Although there is a 
convention to add “or-later” to some licenses, we did not adopt that syntax for 
our expressions.

*   It seems that this addition is done for the GNU licenses (where the 
licence steward is the FSF – Free Software Foundation) and not for all the 
others. Is this a special treatment for GNU licenses or is SPDX policy to allow 
or apply it for all licenses, i.e. depending on the license steward request?

[G.O.] Due to strong insistence from the license stewards for GNU licenses, we 
created separate license ID’s for the “only” and “or-later”.  These are not 
part of the expression syntax and therefore not processed by any of the machine 
readable SPDX license expression parsers – one would have to read the license 
notes to understand the semantics.  In other words, the “only” and “or-later” 
is a convention used by GNU that we carried forward in the license ID’s – not 
something intended to be standardized in the SPDX license syntax.

*   Has SPDX assessed the risk that this practice would multiply the number 
of identifiers with uncertain use and possibly add some confusion?

[G.O.] In the case of the GNU licenses, the license ID’s are associated with 
the license text plus the notes.  It was highly debated and the risk of 
confusion was taken into account.  In the case of the or-later operator, there 
is a risk that the “+” operator would be applied to a license that does not 
have any subsequent license versions, but we decided that was a reasonable risk 
compared to the benefit of having a machine readable “or-later” operator.

*   SPDX now considers GPL-3.0, AGPL-3.0, LGPL-3.0 etc. as "deprecated". 
Did SPDX assess the impact – which could appear as nonsense for most users?

[G.O.] Again – highly debated at the time, and yes.  We don’t like to deprecate 
the license ID’s as it does cause issues in our community – but the license 
steward was extremely insistent.

*   Until a subsequent version, for example some GPL-4.0, exists, is it 
consistent to associate the text of the current GPL-3.0 with a specific SPDX 
identifier "GPL-3.0-or-later"?

[G.O.] From what I recall, the reason the license steward insisted on this 
approach was to force the documenter of the license information to make a 
decision as to whether it was “only” or “or-later”.  I think you would have to 
defer to the license steward to answer this question. 

*   Is it still possible for SPDX to backtrack on this subject or is it a 
definitive policy?

[G.O.] Since the decision to deprecate the previous GPL identifiers consumed 
significant time and was highly debated, there would likely be considerable 
resistance to re-opening this issue unless the license steward changed their 
mind.  The pattern of questions seems to indicate you may not agree with the 
license steward for GPL on many of these topics – perhaps opening a dialog with 
the license steward could provide you more information.

-- 

Patrice-Emmanuel Schmitz
pe.schm...@gmail.com  
tel. + 32 478 50 40 65
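
The distinction drawn in the message above, where "+" is an operator of the expression syntax while "-only" and "-or-later" exist only as parts of specific listed IDs, shown as an added sketch that is not code from any poster or from SPDX tooling. The `GNU_FAMILY` table is a constructed subset of the IDs named in the thread, the function names and note labels are hypothetical, and reading a bare deprecated ID as "only" is an assumption following the conservative default reported elsewhere in this thread.

```python
from typing import NamedTuple

# Constructed subset: the GNU-family IDs named in this thread. A real tool
# would load the full SPDX License List instead of this table.
GNU_FAMILY = {"GPL-3.0", "AGPL-3.0", "LGPL-3.0"}


class Reading(NamedTuple):
    base: str       # license ID with any version modifier stripped
    or_later: bool  # True if later versions are also granted
    note: str       # hypothetical status label for the auditor


def classify(ref: str) -> Reading:
    """Interpret one license reference (no AND/OR/WITH handling)."""
    ref = ref.strip()
    plus = ref.endswith("+")
    core = ref[:-1] if plus else ref
    suffix = next((s for s in ("-only", "-or-later") if core.endswith(s)), "")
    if suffix:
        core = core[: -len(suffix)]
        if core not in GNU_FAMILY:
            # The suffix belongs to specific listed IDs and is not an
            # operator, so it cannot be stripped from an arbitrary license.
            return Reading(ref, False, "unknown-id")
        # A suffix combined with "+" is redundant or contradictory.
        note = "suffix-plus-conflict" if plus else "ok"
        return Reading(core, suffix == "-or-later", note)
    if core in GNU_FAMILY:
        # Bare and "+" forms of these IDs are the deprecated ones; the bare
        # form is read as "only" (conservative choice, an assumption).
        return Reading(core, plus, "deprecated-form")
    # "+" is a generic operator and may follow any license ID.
    return Reading(core, plus, "ok")


def needs_review(refs):
    """Return the references an auditor should look at by hand."""
    return [r for r in refs if classify(r).note != "ok"]
```
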


