Re: joint call legal/tech team - Tuesday, Aug 8

2017-08-04 Thread W. Trevor King
On Fri, Aug 04, 2017 at 04:54:34PM -0600, J Lovejoy wrote:
> There is a summary of the background and issue here:
> https://wiki.spdx.org/view/Legal_Team/or-later-vs-unclear-disambiguation

I've spent some time today using my new wiki account to shuffle things
around there and on [1].  If it's better to push things through a talk
page before doing that sort of thing, feel free to revert my changes
and I'll post something to their talk pages (or this thread?  Or
somewhere else?).

But new (to me and the wiki pages) information from today includes:

* The CDDL family seems to be the only other license (that we've found
  so far) with explicit wording about only vs. or-later [2].  It's
  like the GPL, except the GPL requires explicit grant wording to
  switch from “only” to “or later” [3] while the CDDL requires
  explicit grant wording to switch from “or later” to “only” [2].

  And there is CDDL code in the wild going both ways [4,5].

* The GPL-3.0 and other GNU v3 licenses have explicit wording about
  designating a proxy to approve future versions [6].  But even
  without that wording, we've seen explicit proxy designation in
  license grants [7,8].  We may want formal syntax for recording these
  proxy grants.  Something like:

    LGPL-2.1 OR
    LGPL-3.0 OR
    LGPL-3.0 PROXY "membership of KDE e.V. (or its successor approved by the membership of KDE e.V.)"

I'm still trying to figure out where this leaves me on the only/+
front.

Cheers,
Trevor

[1]: https://wiki.spdx.org/view/Legal_Team/later-version-clauses
[2]: https://github.com/spdx/license-list-XML/blob/7ecb7363bc82aedd0e293ca8825e348181619e6a/src/CDDL-1.0.xml#L276-L286
[3]: https://github.com/spdx/license-list-XML/blob/7ecb7363bc82aedd0e293ca8825e348181619e6a/src/GPL-3.0.xml#L503-L514
[4]: https://github.com/freebsd/freebsd/blob/2c31a4b74c2e41b0c7407c9830e22bfd07150af0/uts/common/fs/zfs/abd.c#L2-L5
[5]: https://github.com/illumos/illumos-gate/blob/a9bfd41d542f15c474711abb8b0ca66a4cef9918/usr/src/common/acl/acl_common.h#L2-L19
[6]: https://github.com/spdx/license-list-XML/blob/7ecb7363bc82aedd0e293ca8825e348181619e6a/src/GPL-3.0.xml#L515-L517
[7]: https://lists.spdx.org/pipermail/spdx/2011-May/000389.html
[8]: https://wiki.spdx.org/view/FileNoticeExamples#.28LGPL-2.1_OR_LGPL-3.0_OR_LicenseRef-KDE-Accepted.29

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


signature.asc
Description: OpenPGP digital signature
___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal


Jilayne Lovejoy invited you to “SPDX Tech/Legal teams joint call”.

2017-08-04 Thread Jilayne Lovejoy via Spdx-legal
Jilayne Lovejoy invited you to “SPDX Tech/Legal teams joint call”.

when:
Tuesday, August 8, 2017, 11:00 AM MDT - 12:00 PM MDT


location: https://www.uberconference.com/katestewart

invitees: spdx-t...@lists.spdx.org and you.

note: 17:00 UTC ( 10:00AM PDT, 11:00 MDT, 12:00PM CDT, 1:00PM EDT,  18:00 WAT, 
19:00 CEST)

https://www.uberconference.com/katestewart 
 Optional dial in number: 877-297-7470
 Alternate number: 512-910-4433
 No PIN needed

After some discussion on the last legal call about how to better represent 
GPL-2.0 only (and all the other GNU licenses), as well as a bit of clean up 
around other licenses with varying “or later” clauses such that we are being 
consistent across the board - we decided a joint call would be the next best 
step to join-up all the best SPDX minds to come up with a sensible approach.

There is a summary of the background and issue here: 
https://wiki.spdx.org/view/Legal_Team/or-later-vs-unclear-disambiguation





joint call legal/tech team - Tuesday, Aug 8

2017-08-04 Thread J Lovejoy
Hi legal and tech teams,

After some discussion on the last legal call about how to better represent 
GPL-2.0 only (and all the other GNU licenses), as well as a bit of clean up 
around other licenses with varying “or later” clauses such that we are being 
consistent across the board - we decided a joint call would be the next best 
step to join-up all the best SPDX minds to come up with a sensible approach.

There is a summary of the background and issue here: 
https://wiki.spdx.org/view/Legal_Team/or-later-vs-unclear-disambiguation 


I will send an invite to both groups shortly, but if for some reason you don’t 
get that, please note your calendars as well.  We will use a different 
Uberconference line to accommodate the bigger group.

Call details:
Tuesday, August 8th

17:00 UTC ( 10:00AM PDT, 11:00 MDT, 12:00PM CDT, 1:00PM EDT,  18:00 WAT, 19:00 
CEST)

https://www.uberconference.com/katestewart 
 Optional dial in number: 877-297-7470
 Alternate number: 512-910-4433
 No PIN needed

Thanks,
Jilayne

SPDX Legal Team co-lead
opensou...@jilayne.com




RE: License checking tool available

2017-08-04 Thread gary
I went back and looked at the compare code and the equivalence of the
copyright symbol and (C) was missing.  I just added it.  Next time I update
the tool it should be fixed.

Thanks for the analysis!

Gary

> -Original Message-
> From: Richard Fontana [mailto:rfont...@redhat.com]
> Sent: Friday, August 4, 2017 11:53 AM
> To: W. Trevor King
> Cc: g...@sourceauditor.com; 'SPDX-legal'
> Subject: Re: License checking tool available
> 
> On Fri, Aug 04, 2017 at 11:44:45AM -0700, W. Trevor King wrote:
> [...]
> > The only difference that turned up in the license text is:
> >
> >   Copyright [-C-]{+(C)+} 2007 Free Software Foundation, Inc.
> >
> > Our guideline for equating copyright symbols includes (c) but not (C)
> > [2].  Maybe that's what's going on?
> 
> Is that intentional? I hadn't noticed it before but that's a fairly clear
> deficiency in the matching guidelines. "(C)" is probably the most common
> attempt at something like a copyright symbol in copyright/license notices in
> source files. I think it is much more common than "(c)" (or the real copyright
> symbol).
> 
> Richard



Re: License checking tool available

2017-08-04 Thread J Lovejoy
> Given there are bodies such as OSI and SPDX present, with presence on the 
> GitHub community, would the need for such a tool be mitigated if something 
> like the GPL—itself being copy written and arguably difficult to use 
> —be mitigated if each 
> license were given an address in the Blockchain pointing back to the 
> authentic and original license text as to represent the canonical source of a 
> license used.

I don’t think this would help as often the issue is reliably finding or 
identifying the “canonical” source of the license text.  Take the Fedora “good” 
list - the SPDX Legal team did a massive amount of work to add as many licenses 
from that list to SPDX (we added ~80 licenses, if memory recalls) to make it 
easier to use SPDX for Fedora distros or the like.  Many of those licenses we 
could not find any other instance of the license text other than what was 
captured on the Fedora site. In general, we do a fair amount of research at the 
time the license is added, but links change and there is no feasible way to 
keep that kind of information up-to-date. You can only go so far down the 
rabbit hole, license “authors” don’t always respond (if you can find them), 
etc.  

But that’s okay, because that is part of the point of having the SPDX License 
List - the license is captured there and that is a reference.  

As for the OSI - given the goal of SPDX in terms of identifying licenses in a 
reliable way, I can personally tell you it was a huge effort of collaboration 
with members of the OSI no longer actively involved in this mailing list to get 
things aligned in terms of the actual license text, as we uncovered certain 
oddities that no one noticed before and then had to sort out how to handle it. 
This was not always easy!  The most obvious example being: Artistic-1.0 has 
three variations on SPDX License List - two reflect the inclusion or not of 
clause 8, which is also reflected on the OSI site.  The third is the actual 
license that Perl uses, which is different yet again.  OSI always had a note 
about this license being used with Perl, but it wasn’t actually the same 
license.  After much going back and forth about how to solve this (and clarify 
if the actual Perl license was OSI approved) we came up with the solution as 
you see it.  

The point is, these things are not always straightforward, licenses or license 
text are not code and haven’t been treated as such in terms of tracking 
changes. The SPDX License List serves by having a list of license text 
associated with short identifiers that can be used in SPDX documents and 
elsewhere. This purpose has been and will continue to increase being very 
useful and successful.  

Thanks,
Jilayne

SPDX Legal Team co-lead
opensou...@jilayne.com


> On Aug 4, 2017, at 1:53 PM, Josh Habdas  wrote:
> 
> Errata: W3C and WHATWG operate in *a somewhat similar manner*
> 
> On Sat, Aug 5, 2017 at 3:51 AM Josh Habdas wrote:
> Given there are bodies such as OSI and SPDX present, with presence on the 
> GitHub community, would the need for such a tool be mitigated if something 
> like the GPL—itself being copy written and arguably difficult to use 
> —be mitigated if each 
> license were given an address in the Blockchain pointing back to the 
> authentic and original license text as to represent the canonical source of a 
> license used.
> 
> The W3C and WHATWG operate in this manner and I perceive this to be strategic 
> way to help simplify the burden of companies attempting to understand what's 
> actually in their products, help prevent accidental long-term license 
> proliferation and simplify application of licenses to FOSS project source 
> code in the wild.
> 
> I'd open to finding time to discuss on this in more detail as I feel it ties 
> in with the crypto licenses I'm attempting to push forward if there is any 
> interest. Sometimes the simple solutions are the best ones.
> 
> Regards,
> Josh
> 
> On Sat, Aug 5, 2017 at 3:05 AM W. Trevor King wrote:
> On Fri, Aug 04, 2017 at 02:53:05PM -0400, Richard Fontana wrote:
> > On Fri, Aug 04, 2017 at 11:44:45AM -0700, W. Trevor King wrote:
> > > The only difference that turned up in the license text is:
> > >
> > >   Copyright [-©-]{+(C)+} 2007 Free Software Foundation, Inc.
> > >
> > > Our guideline for equating copyright symbols includes (c) but not (C)
> > > [2].  Maybe that's what's going on?
> >
> > Is that intentional?
> 
> Ah, there is also guideline 4 saying that case is not significant.
> Presumably that also applies to these equivalent replacements.
> 
> Cheers,
> Trevor
> 
> [1]: https://spdx.org/spdx-license-list/matching-guidelines 
> 
> 
> --
> This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
> For more informatio

Re: License checking tool available

2017-08-04 Thread Josh Habdas
Errata: W3C and WHATWG operate in *a somewhat similar manner*

On Sat, Aug 5, 2017 at 3:51 AM Josh Habdas  wrote:

> Given there are bodies such as OSI and SPDX present, with presence on the
> GitHub community, would the need for such a tool be mitigated if something
> like the GPL—itself being copy written and arguably difficult to use
> —be mitigated if each
> license were given an address in the Blockchain pointing back to the
> authentic and original license text as to represent the canonical source of
> a license used.
>
> The W3C and WHATWG operate in this manner and I perceive this to be
> strategic way to help simplify the burden of companies attempting to
> understand what's actually in their products, help prevent accidental
> long-term license proliferation and simplify application of licenses to
> FOSS project source code in the wild.
>
> I'd open to finding time to discuss on this in more detail as I feel it
> ties in with the crypto licenses I'm attempting to push forward if there is
> any interest. Sometimes the simple solutions are the best ones.
>
> Regards,
> Josh
>
> On Sat, Aug 5, 2017 at 3:05 AM W. Trevor King  wrote:
>
>> On Fri, Aug 04, 2017 at 02:53:05PM -0400, Richard Fontana wrote:
>> > On Fri, Aug 04, 2017 at 11:44:45AM -0700, W. Trevor King wrote:
>> > > The only difference that turned up in the license text is:
>> > >
>> > >   Copyright [-©-]{+(C)+} 2007 Free Software Foundation, Inc.
>> > >
>> > > Our guideline for equating copyright symbols includes (c) but not (C)
>> > > [2].  Maybe that's what's going on?
>> >
>> > Is that intentional?
>>
>> Ah, there is also guideline 4 saying that case is not significant.
>> Presumably that also applies to these equivalent replacements.
>>
>> Cheers,
>> Trevor
>>
>> [1]: https://spdx.org/spdx-license-list/matching-guidelines
>>
>> --
>> This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
>> For more information, see
>> http://en.wikipedia.org/wiki/Pretty_Good_Privacy


Re: License checking tool available

2017-08-04 Thread Josh Habdas
Given there are bodies such as OSI and SPDX present, with presence on the
GitHub community, would the need for such a tool be mitigated if something
like the GPL—itself being copy written and arguably difficult to use
—be mitigated if each
license were given an address in the Blockchain pointing back to the
authentic and original license text as to represent the canonical source of
a license used.

The W3C and WHATWG operate in this manner and I perceive this to be
a strategic way to help simplify the burden of companies attempting to
understand what's actually in their products, help prevent accidental
long-term license proliferation and simplify application of licenses to
FOSS project source code in the wild.

I'd be open to finding time to discuss on this in more detail as I feel it
ties in with the crypto licenses I'm attempting to push forward if there is
any interest. Sometimes the simple solutions are the best ones.

Regards,
Josh

On Sat, Aug 5, 2017 at 3:05 AM W. Trevor King  wrote:

> On Fri, Aug 04, 2017 at 02:53:05PM -0400, Richard Fontana wrote:
> > On Fri, Aug 04, 2017 at 11:44:45AM -0700, W. Trevor King wrote:
> > > The only difference that turned up in the license text is:
> > >
> > >   Copyright [-©-]{+(C)+} 2007 Free Software Foundation, Inc.
> > >
> > > Our guideline for equating copyright symbols includes (c) but not (C)
> > > [2].  Maybe that's what's going on?
> >
> > Is that intentional?
>
> Ah, there is also guideline 4 saying that case is not significant.
> Presumably that also applies to these equivalent replacements.
>
> Cheers,
> Trevor
>
> [1]: https://spdx.org/spdx-license-list/matching-guidelines
>
> --
> This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
> For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


Version the matching guidelines

2017-08-04 Thread W. Trevor King
The spec currently links to the matching guidelines by guideline
number.  For example, [1]:

  type: indicates whether the text is replaceable or omitable as per
Matching Guideline #2 (“Substantive Text”).

That seems brittle with the guidelines unversioned.  For example, that
reference will go stale if guideline changes move that suggestion to
be guideline 4.  There is currently a “v2.0” in the header of [2], but
the spec does not require that version, and I don't see links to
earlier versions on spdx.org.  Digging around in the Internet Archive
turns up an earlier version on 2013-04-30 [3] (where the “Substantive
Text” section was guideline 1).  Then a new “How These Guidelines Are
Applied” section came in between 2013-05-19 [4] and 2013-12-07 [5].
The v2.0 label landed between 2015-04-25 [6] and 2015-05-25 [7].  And
there don't seem to have been any changes since then.

Is there a reason why these guidelines are not part of the spec
itself?  It seems like a new appendix in [8] would avoid confusion
like “I thought I'd implemented SPDX 2.2, but now the matching
guidelines have changed on me”.

Cheers,
Trevor

[1]: https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe
[2]: https://spdx.org/spdx-license-list/matching-guidelines
[3]: http://web.archive.org/web/20130430090750/https://spdx.org/spdx-license-list/matching-guidelines
[4]: http://web.archive.org/web/20130519043548/http://spdx.org/spdx-license-list/matching-guidelines
[5]: http://web.archive.org/web/20131207063710/http://spdx.org/spdx-license-list/matching-guidelines
[6]: http://web.archive.org/web/20150425023643/http://spdx.org/spdx-license-list/matching-guidelines
[7]: http://web.archive.org/web/20150525115354/http://spdx.org/spdx-license-list/matching-guidelines
[8]: https://github.com/spdx/spdx-spec

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy




Re: License checking tool available

2017-08-04 Thread W. Trevor King
On Fri, Aug 04, 2017 at 02:53:05PM -0400, Richard Fontana wrote:
> On Fri, Aug 04, 2017 at 11:44:45AM -0700, W. Trevor King wrote:
> > The only difference that turned up in the license text is:
> > 
> >   Copyright [-©-]{+(C)+} 2007 Free Software Foundation, Inc.
> > 
> > Our guideline for equating copyright symbols includes (c) but not (C)
> > [2].  Maybe that's what's going on?
> 
> Is that intentional?

Ah, there is also guideline 4 saying that case is not significant.
Presumably that also applies to these equivalent replacements.

Cheers,
Trevor

[1]: https://spdx.org/spdx-license-list/matching-guidelines

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy




RE: License checking tool available

2017-08-04 Thread gary
Thanks Trevor - you saved me some time analyzing this.

Although the copyright text is excluded from the matching, the template for
the license does not wrap the copyright text with the optional tags.

It uses the currently published license list at spdx.org/licenses - so it is
not using the new XML format.

This is the same issue for the MIT license not matching.

The good news is some of this will be fixed once we release the license list
based on the XML :)

Gary

> -Original Message-
> From: W. Trevor King [mailto:wk...@tremily.us]
> Sent: Friday, August 4, 2017 11:45 AM
> To: g...@sourceauditor.com
> Cc: 'Michael Dolan'; 'Philippe Ombredanne'; 'SPDX-legal'
> Subject: Re: License checking tool available
> 
> On Fri, Aug 04, 2017 at 11:12:54AM -0700, Gary wrote:
> > I feel we need another tool to compare text to a specific SPDX license
> > and indicate exactly where the 2 licenses do not match.
> 
> Having this be part of the online tool would be great.  But a quick-and-dirty
> way to accomplish this is to use Git's --word-diff argument.  For example,
> from a local checkout of [1]:
> 
> Strip XML tags, leading space, and trailing space:
> 
>   $ sed -i 's/<[^>]*>//g;s/^[[:space:]]*//;s/[[:space:]]*$//' src/GPL-3.0.xml
> 
> Replace some XML entities:
> 
>   $ sed -i "s/&gt;/>/g;s/&lt;/</g" src/GPL-3.0.xml
> 
> Replace newlines with spaces:
> 
>   $ CONTENT="$(tr '\n' ' ' <src/GPL-3.0.xml)"
>   $ echo "${CONTENT}" >src/GPL-3.0.xml
> 
> Stage those changes:
> 
>   $ git add src/GPL-3.0.xml
> 
> Clobber with the GNU text:
> 
>   $ curl -s https://www.gnu.org/licenses/gpl.txt >src/GPL-3.0.xml
> 
> Strip leading/trailing space again:
> 
>   $ sed -i 's/^[[:space:]]*//;s/[[:space:]]*$//' src/GPL-3.0.xml
> 
> Replace newlines with spaces again:
> 
>   $ CONTENT="$(tr '\n' ' ' <src/GPL-3.0.xml)"
>   $ echo "${CONTENT}" >src/GPL-3.0.xml
> 
> See what's changed vs. the staged version:
> 
>   $ git diff --word-diff
> 
> The only difference that turned up in the license text is:
> 
>   Copyright [-C-]{+(C)+} 2007 Free Software Foundation, Inc.
> 
> Our guideline for equating copyright symbols includes (c) but not (C) [2].
> Maybe that's what's going on?
> 
> Or maybe the SPDX template you're using doesn't match the current license-
> list-XML master.  Or maybe there's some other problem I'm missing because I'm
> ignoring the XML tags ;).
> 
> Cheers,
> Trevor
> 
> 
> [1]: https://github.com/spdx/license-list-XML
> [2]: https://spdx.org/spdx-license-list/matching-guidelines
> 
> --
> This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
> For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy



Re: License checking tool available

2017-08-04 Thread Richard Fontana
On Fri, Aug 04, 2017 at 11:44:45AM -0700, W. Trevor King wrote:
[...] 
> The only difference that turned up in the license text is:
> 
>   Copyright [-©-]{+(C)+} 2007 Free Software Foundation, Inc.
> 
> Our guideline for equating copyright symbols includes (c) but not (C)
> [2].  Maybe that's what's going on?

Is that intentional? I hadn't noticed it before but that's a fairly
clear deficiency in the matching guidelines. "(C)" is probably the
most common attempt at something like a copyright symbol in
copyright/license notices in source files. I think it is much more
common than "(c)" (or the real copyright symbol).

Richard



Re: License checking tool available

2017-08-04 Thread W. Trevor King
On Fri, Aug 04, 2017 at 11:12:54AM -0700, Gary wrote:
> I feel we need another tool to compare text to a specific SPDX
> license and indicate exactly where the 2 licenses do not match.

Having this be part of the online tool would be great.  But a
quick-and-dirty way to accomplish this is to use Git's --word-diff
argument.  For example, from a local checkout of [1]:

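Strip XML tags, leading space, and trailing space:

  $ sed -i 's/<[^>]*>//g;s/^[[:space:]]*//;s/[[:space:]]*$//' src/GPL-3.0.xml

Replace some XML entities:

  $ sed -i "s/&gt;/>/g;s/&lt;/</g" src/GPL-3.0.xml

Replace newlines with spaces:

  $ CONTENT="$(tr '\n' ' ' <src/GPL-3.0.xml)"
  $ echo "${CONTENT}" >src/GPL-3.0.xml

Stage those changes:

  $ git add src/GPL-3.0.xml

Clobber with the GNU text:

  $ curl -s https://www.gnu.org/licenses/gpl.txt >src/GPL-3.0.xml

Strip leading/trailing space again:

  $ sed -i 's/^[[:space:]]*//;s/[[:space:]]*$//' src/GPL-3.0.xml

Replace newlines with spaces again:

  $ CONTENT="$(tr '\n' ' ' <src/GPL-3.0.xml)"
  $ echo "${CONTENT}" >src/GPL-3.0.xml

See what's changed vs. the staged version:

  $ git diff --word-diff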

The only difference that turned up in the license text is:

  Copyright [-©-]{+(C)+} 2007 Free Software Foundation, Inc.

Our guideline for equating copyright symbols includes (c) but not (C)
[2].  Maybe that's what's going on?

Or maybe the SPDX template you're using doesn't match the current
license-list-XML master.  Or maybe there's some other problem I'm
missing because I'm ignoring the XML tags ;).

Cheers,
Trevor


[1]: https://github.com/spdx/license-list-XML
[2]: https://spdx.org/spdx-license-list/matching-guidelines

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
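
Added example, not part of the original message and not code from the SPDX tools: the same normalize-then-word-diff check as the commands above, written in Python and reporting differences in Git's `[-old-]{+new+}` notation. The XML fragment, the function names and the `strict` switch are constructed for illustration; treating ©, (c) and (C) as equal follows the guideline discussion in this thread.

```python
"""Word-level comparison of a license template against a candidate text."""
import difflib
import html
import re

TAG = re.compile(r"<[^>]*>")  # same pattern as the sed step in the message
# Copyright-symbol variants treated as one token. Coarse on purpose: in real
# license text "(c)" can also be a list label, which this does not distinguish.
COPYRIGHT = re.compile(r"\(c\)|\u00a9", re.IGNORECASE)

# Constructed sample: GPL-3.0 preamble lines wrapped in made-up XML markup.
REFERENCE_XML = """\
<license>
  <p>Copyright \u00a9 2007 Free Software Foundation, Inc. &lt;https://fsf.org/&gt;</p>
  <p>Everyone is permitted to copy and distribute verbatim copies
     of this license document, but changing it is not allowed.</p>
</license>
"""

# Constructed sample: the same lines as they appear in a plain-text copy.
CANDIDATE = """\
 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
"""


def normalize(text, is_xml=False, strict=False):
    """Return the list of words that will be compared.

    is_xml: strip tags first, then decode entities (tags before entities, so
            a decoded "<https://...>" is not mistaken for markup).
    strict: only collapse whitespace; otherwise also ignore case and equate
            the copyright-symbol variants.
    """
    if is_xml:
        text = html.unescape(TAG.sub(" ", text))
    if not strict:
        text = COPYRIGHT.sub("\u00a9", text).lower()
    return text.split()  # split() collapses newlines and runs of spaces


def word_diff(reference, candidate, reference_is_xml=False, strict=False):
    """Return one git --word-diff style marker per differing run of words."""
    a = normalize(reference, is_xml=reference_is_xml, strict=strict)
    b = normalize(candidate, strict=strict)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    changes = []
    for op, a0, a1, b0, b1 in matcher.get_opcodes():
        if op == "equal":
            continue
        removed = " ".join(a[a0:a1])
        added = " ".join(b[b0:b1])
        marker = ""
        if removed:
            marker += "[-" + removed + "-]"
        if added:
            marker += "{+" + added + "+}"
        changes.append(marker)
    return changes


if __name__ == "__main__":
    # Whitespace-only normalization reproduces the difference from the thread.
    print(word_diff(REFERENCE_XML, CANDIDATE, reference_is_xml=True, strict=True))
    # With case ignored and the symbols equated, the texts match.
    print(word_diff(REFERENCE_XML, CANDIDATE, reference_is_xml=True))
    # A changed word in the candidate is still reported.
    altered = CANDIDATE.replace("is not allowed", "is allowed")
    print(word_diff(REFERENCE_XML, altered, reference_is_xml=True))
```
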




Re: License checking tool available

2017-08-04 Thread Brad Edmondson
Still, as a first effort I really like this.

--
Brad Edmondson, *Esq.*
512-673-8782 | brad.edmond...@gmail.com

On Fri, Aug 4, 2017 at 2:30 PM, Michael Dolan wrote:

>
> On Fri, Aug 4, 2017 at 2:12 PM,  wrote:
>
>> When I tested the application, I used the text from the SPDX license list
>> pages themselves which match.
>>
>
> That makes sense then. I also tried a copy/paste from the OSI pages and
> those didn't work either.
>
>


Re: License checking tool available

2017-08-04 Thread Michael Dolan
On Fri, Aug 4, 2017 at 2:12 PM,  wrote:

> When I tested the application, I used the text from the SPDX license list
> pages themselves which match.
>

That makes sense then. I also tried a copy/paste from the OSI pages and
those didn't work either.


RE: License checking tool available

2017-08-04 Thread gary
When I tested the application, I used the text from the SPDX license list pages 
themselves which match.

You are finding valid issues in comparing them to the canonical versions of the 
license text.

I feel we need another tool to compare text to a specific SPDX license and 
indicate exactly where the 2 licenses do not match.  That way we can easily 
find where the template needs to be improved or if there are any bugs in the 
matching algorithm.

This will take a bit of work – I’ll add it to the tools issues list.

Gary

From: Michael Dolan [mailto:mdo...@linuxfoundation.org] 
Sent: Friday, August 4, 2017 10:46 AM
To: Philippe Ombredanne
Cc: Gary O'Neall; SPDX-legal
Subject: Re: License checking tool available

 

 


Gary:
I tried to paste the verbatim text of https://www.gnu.org/licenses/agpl.txt
and it is not matched
Do you think this a code or a matching guidelines issue?
--
Cordially
Philippe Ombredanne

 

I also had tried the GPLv3 and didn't get it to match... 

 

https://www.gnu.org/licenses/gpl.txt



RE: License checking tool available

2017-08-04 Thread gary
Hi Philippe,

I suspect it is a template issue.

I just copied and pasted the license text from the SPDX listed license page: 
https://spdx.org/licenses/AGPL-3.0.html and it matched.  We would need to diff 
the two versions of the text and see what is different.

It is also quite possible there is a bug in the code, but most of the time I 
have found it to be an issue with extraneous text not being marked.

Gary


> -Original Message-
> From: Philippe Ombredanne [mailto:pombreda...@nexb.com]
> Sent: Friday, August 4, 2017 10:38 AM
> To: Gary O'Neall
> Cc: SPDX-legal
> Subject: Re: License checking tool available
> 
> On Fri, Aug 4, 2017 at 6:46 PM,   wrote:
> > An online tool for checking license text against the SPDX license list
> > is now available at https://spdx.org/spdxweb  The URL redirects to a
> > server generously provided by the Openchain project team.
> >
> > The tool basically compares the text to all SPDX listed licenses using
> > the license matching guidelines.  If a license does not completely
> > match per the guidelines, it will not be displayed.  This is quite
> > different from many other tools that report close matches where only a
> > few words may be different.
> >
> > There are a few limitations.  The software uses the templates in the listed
> > license for the currently published version.   In the currently published
> > version, there are several licenses with limited or no template markup (e.g.
> > the MIT license).  For these licenses, the text will only match if all
> > of the text is present.  If you believe text should match the license,
> > take a look at the license list web page for that license and review
> > for red text
> > (replaceable) and blue text (omitable).
> >
> 
> Gary:
> I tried to paste the verbatim text of https://www.gnu.org/licenses/agpl.txt
> and its is not matched
> Do you think this a code or a matching guidelines issue?
> --
> Cordially
> Philippe Ombredanne



RE: License checking tool available

2017-08-04 Thread gary
Hi Alan,

The core logic is in the spdx/tools. An overview of the libraries involved
can be found at
https://github.com/spdx/license-list-data/blob/master/accessingLicenses.md#library-apis

The server code is a simple Java servlet that calls the open source library.
I have it on my todo list to add that code to the SPDX github repository
after I add the proper licenses and clean up the code a bit.

I don't have any plans to add the fuzzy matching to the tools, but
contributions are always welcome :)

Both FOSSology and Scancode now report SPDX license IDs on their matches.
I don't know what their coverage is of the current SPDX license list, but
they can get you close.

The reason I added this website is I couldn't find any open source or online
tools which used the license matching guidelines and the legal team had
requested a tool to provide this functionality.

In my own work, I use a license scanner that does fuzzy matching and if
there is an SPDX license ID in the match, I will use the SPDX tools library
to compare using the matching guidelines as a second pass.  You could take
the same approach using FOSSology or Scancode to gather the possible matches
first, then using the online license checking tool to see if the code
matches per the license matching guidelines.

Gary

From: Alan Tse [mailto:alan@wdc.com] 
Sent: Friday, August 4, 2017 10:14 AM
To: g...@sourceauditor.com; 'SPDX-legal'
Subject: RE: License checking tool available

 

Awesome to hear.  Is the source also at the github for spdx/tools?  I took a
brief look but didn't see it but admittedly didn't dig through all the
files.

Will there be an option to use fuzzy matching showing the differences?
While it'd be nice if licenses exactly matched, the concern would be if we
had something that almost completely matched.  You mentioned other tools
that report close matches, but I wasn't aware of any that did that for the
SPDX license list.

Alan D. Tse
Associate General Counsel
Western Digital Corporation
3355 Michelson Dr., Suite 100, Irvine, CA 92612
T:  949-672-7759
F:  949-672-6604

 

From: spdx-legal-boun...@lists.spdx.org
[mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of
g...@sourceauditor.com
Sent: Friday, August 04, 2017 9:47 AM
To: 'SPDX-legal' 
Subject: License checking tool available

 

An online tool for checking license text against the SPDX license list is
now available at https://spdx.org/spdxweb  The URL redirects to a server
generously provided by the Openchain project team.

The tool basically compares the text to all SPDX listed licenses using the
license matching guidelines.  If a license does not completely match per the
guidelines, it will not be displayed.  This is quite different from many
other tools that report close matches where only a few words may be
different.

There are a few limitations.  The software uses the templates in the listed
license for the currently published version.   In the currently published
version, there are several licenses with limited or no template markup (e.g.
the MIT license).  For these licenses, the text will only match if all of
the text is present.  If you believe text should match the license, take a
look at the license list web page for that license and review for red text
(replaceable) and blue text (omittable).

Let me know if you have any questions.

If you run into any issues, feel free to add them to the spdx-tools issues
list: https://github.com/spdx/tools/issues

Gary

-
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: g...@sourceauditor.com

 

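Added example, not part of this thread and not code from the SPDX tools: strict template matching with replaceable and omittable text, plus the "fuzzy scan first, strict match as a second pass" workflow Gary describes above. The `{{...}}` / `[[...]]` markers, the `Toy-*` license IDs and all function names are constructed for illustration; they are not SPDX template syntax or the library's API.

```python
import re

# Constructed toy templates, NOT real SPDX license texts or SPDX template syntax.
# {{regex}} marks replaceable text, [[...]] marks omittable text.
TEMPLATES = {
    "Toy-1.0": "[[Toy Public License]]\nCopyright (c) {{.+?}}\n"
               "Permission is granted to use this software for any purpose.",
    "Toy-2.0": "Copyright (c) {{.+?}}\n"
               "Permission is granted to use this software for research only.",
}
MARKUP = re.compile(r"\{\{(.+?)\}\}|\[\[(.+?)\]\]", re.S)


def normalize(text):
    """Ignore case and layout: lower-case, collapse all whitespace runs."""
    return " ".join(text.lower().split())


def literal(text):
    """Regex for fixed template text; every word is required, in order."""
    return r"\s+".join(re.escape(word) for word in normalize(text).split())


def compile_template(template):
    """Turn a marked-up template into one regex over normalized text."""
    parts, pos = [], 0
    for m in MARKUP.finditer(template):
        if template[pos:m.start()].strip():
            parts.append(literal(template[pos:m.start()]))
        if m.group(1) is not None:            # replaceable: template-supplied regex
            parts.append("(?:%s)" % m.group(1))
        else:                                 # omittable: present verbatim or absent
            parts.append("(?:%s)?" % literal(m.group(2)))
        pos = m.end()
    if template[pos:].strip():
        parts.append(literal(template[pos:]))
    return re.compile(r"\s*".join(parts))


def strict_match(template, candidate):
    """True only if the whole candidate matches; near misses are rejected."""
    return compile_template(template).fullmatch(normalize(candidate)) is not None


def second_pass(fuzzy_hits, candidate, templates=TEMPLATES):
    """Keep only the fuzzy scanner's license IDs that also match strictly."""
    return [lid for lid in fuzzy_hits if strict_match(templates[lid], candidate)]
```

A candidate that carries a trailing appendix fails `strict_match` until the template marks that appendix as omittable, which is the "extraneous text not being marked" case mentioned in the thread.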


Re: License checking tool available

2017-08-04 Thread Michael Dolan
>
> Gary:
> I tried to paste the verbatim text of https://www.gnu.org/licenses/agpl.txt
> and it is not matched
> Do you think this is a code or a matching guidelines issue?
> --
> Cordially
> Philippe Ombredanne
>
>
I also had tried the GPLv3 and didn't get it to match...

https://www.gnu.org/licenses/gpl.txt


Re: License checking tool available

2017-08-04 Thread Philippe Ombredanne
On Fri, Aug 4, 2017 at 7:14 PM, Alan Tse  wrote:
> Will there be an option to use fuzzy matching showing the differences?
> While it’d be nice if licenses exactly matched, the concern would be if we
> had something that almost completely matched.  You mentioned other tools
> that report close matches, but I wasn’t aware of any that did that for the
> SPDX license list.

The scancode-toolkit reports exact and approximate matches for all SPDX
licenses (and a few more licenses). It can also collect the matched texts
and report the scans either as SPDX or JSON.
See https://github.com/nexB/scancode-toolkit

Note: I am its maintainer.

-- 
Cordially
Philippe Ombredanne


Re: License checking tool available

2017-08-04 Thread Philippe Ombredanne
On Fri, Aug 4, 2017 at 6:46 PM,   wrote:
> An online tool for checking license text against the SPDX license list is
> now available at https://spdx.org/spdxweb  The URL redirects to a server
> generously provided by the Openchain project team.
>
> The tool basically compares the text to all SPDX listed licenses using the
> license matching guidelines.  If a license does not completely match per the
> guidelines, it will not be displayed.  This is quite different from many
> other tools that report close matches where only a few words may be
> different.
>
> There are a few limitations.  The software uses the templates in the listed
> license for the currently published version.   In the currently published
> version, there are several licenses with limited or no template markup (e.g.
> the MIT license).  For these licenses, the text will only match if all of
> the text is present.  If you believe text should match the license, take a
> look at the license list web page for that license and review for red text
> (replaceable) and blue text (omittable).
>

Gary:
I tried to paste the verbatim text of https://www.gnu.org/licenses/agpl.txt
and it is not matched
Do you think this is a code or a matching guidelines issue?
-- 
Cordially
Philippe Ombredanne


RE: License checking tool available

2017-08-04 Thread Alan Tse
Awesome to hear.  Is the source also at the github for spdx/tools?  I took a 
brief look but didn't see it but admittedly didn't dig through all the files.

Will there be an option to use fuzzy matching showing the differences?  While 
it'd be nice if licenses exactly matched, the concern would be if we had 
something that almost completely matched.  You mentioned other tools that 
report close matches, but I wasn't aware of any that did that for the SPDX 
license list.

Alan D. Tse
Associate General Counsel
Western Digital Corporation
3355 Michelson Dr., Suite 100, Irvine, CA 92612
T:  949-672-7759
F:  949-672-6604

From: spdx-legal-boun...@lists.spdx.org 
[mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of g...@sourceauditor.com
Sent: Friday, August 04, 2017 9:47 AM
To: 'SPDX-legal' 
Subject: License checking tool available

An online tool for checking license text against the SPDX license list is now 
available at https://spdx.org/spdxweb  The URL redirects to a server generously 
provided by the Openchain project team.

The tool basically compares the text to all SPDX listed licenses using the 
license matching guidelines.  If a license does not completely match per the 
guidelines, it will not be displayed.  This is quite different from many other 
tools that report close matches where only a few words may be different.

There are a few limitations.  The software uses the templates in the listed 
license for the currently published version.   In the currently published 
version, there are several licenses with limited or no template markup (e.g. 
the MIT license).  For these licenses, the 
text will only match if all of the text is present.  If you believe text should 
match the license, take a look at the license list web page for that license 
and review for red text (replaceable) and blue text (omittable).

Let me know if you have any questions.

If you run into any issues, feel free to add them to the spdx-tools issues 
list: https://github.com/spdx/tools/issues

Gary


-
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: g...@sourceauditor.com



License checking tool available

2017-08-04 Thread gary
An online tool for checking license text against the SPDX license list is
now available at https://spdx.org/spdxweb  The URL redirects to a server
generously provided by the Openchain project team.

The tool basically compares the text to all SPDX listed licenses using the
license matching guidelines.  If a license does not completely match per the
guidelines, it will not be displayed.  This is quite different from many
other tools that report close matches where only a few words may be
different.

There are a few limitations.  The software uses the templates in the listed
license for the currently published version.   In the currently published
version, there are several licenses with limited or no template markup (e.g.
the MIT license).  For these licenses, the text will only match if all of
the text is present.  If you believe text should match the license, take a
look at the license list web page for that license and review for red text
(replaceable) and blue text (omittable).

Let me know if you have any questions.

If you run into any issues, feel free to add them to the spdx-tools issues
list: https://github.com/spdx/tools/issues

Gary

-
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: g...@sourceauditor.com

 
