Re: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example)
On Fri, Sep 15, 2017 at 12:01:32PM +, Zavras, Alexios wrote: > Besides the case of GPL version numbers, isn't the issue similar to > when we have cases like where you have a package that simply says > "This program is under the BSD license" This is definitely a similar case. The difference is that the GPL family have internal wording for this case [1], while the BSDs do not. > The author "declared" something, but the SPDX spec is not really > useful, since the value of the field is a license (or a license > expression) and not a free form text. None of the licenses in the > SPDX license list can be used as "PackageLicenseDeclared". Do we put > a list of the 15 or so BSD variants, or disregard the declaration by > stating "NOASSERTION"? I would say NOSSERTION, because I don't think you're discarding much information. If you wanted to represent this case, you'd need a new license expression operator for “or maybe they meant”. That doesn't seem particularly actionable to me, and I'd want to take a closer look at a project if the best-estimate (a trusted conclusion when we have one, and a declared call or unreliable conclusion when we don't) involved such an operator. > Taking it further, suppose that by looking at the actual wording of > the license text in files, you might decide that the author is > talking about BSD-3-Clause-No-Nuclear-License (in the nice case > where all the files use the same text). But isn't this a "Concluded" > rather than a "Declared" field? If there are license terms in the header that match BSD-3-Clause-No-Nuclear-License, then that seems like a pretty clear declaration of BSD-3-Clause-No-Nuclear-License for those files, and that would go in LicenseInfoInFile. I think that could inform your concluded package license, but it should not impact the declared package license. Cheers, Trevor [1]: https://github.com/spdx/license-list-XML/blob/f1522b5cc61bde64d9b38af05204fdb93c02eef8/src/GPL-1.0.xml#L167-L168 -- This email may be signed or encrypted with GnuPG (http://www.gnupg.org). For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy signature.asc Description: OpenPGP digital signature ___ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal
RE: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example)
Besides the case of GPL version numbers, isn't the issue similar to when we have cases like where you have a package that simply says "This program is under the BSD license" The author "declared" something, but the SPDX spec is not really useful, since the value of the field is a license (or a license expression) and not a free form text. None of the licenses in the SPDX license list can be used as "PackageLicenseDeclared". Do we put a list of the 15 or so BSD variants, or disregard the declaration by stating "NOASSERTION"? Taking it further, suppose that by looking at the actual wording of the license text in files, you might decide that the author is talking about BSD-3-Clause-No-Nuclear-License (in the nice case where all the files use the same text). But isn't this a "Concluded" rather than a "Declared" field? -- zvr - -Original Message- From: spdx-legal-boun...@lists.spdx.org [mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of Gisi, Mark Sent: Friday, 15 September, 2017 13:19 To: Bradley M. Kuhn; SPDX-legal Subject: RE: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example) Quick clarification: >> I admit that I don't know how exactly to express such as Declarations. >> What is quite clear from this discussion, though, is that the >> Conclusions that people make about such Declarations vary. Mark Gisi >> Concludes most of these examples as NOASSERTION. >> I Conclude most of them are GPLv1-or-later. The examples addressed Conclude License (files and package) but not the Declared License. Furthermore, I only made a comment about Example 4. I agreed with the file Concluded License designations for Examples 1-3. Including Example 3 = GPL-1.0+. And yes, for Example 4 I concluded NOASSERTION for each of the four files that have zero licensing info in them. There are many scenarios where those files could be something other than GPL. For example, one or more source files could have been copied from an Apache project or a commercial code based. I have encountered two cases in as many years where commercial code was copied into a project with a GPL-2.0 file in the top directory. In one case the commercial license notice was retained in the file and in the other the notice was removed. Another situation I encountered ~5 years ago: someone admittedly removed the BSD license notices from several files he copied into his GPL project. He just assumed that they were now under the GPL-2.0 and the BSD notices were confusing and unnecessary! I had to explain he was violating the BSD license. As for Example 4, for me, hope is not a strategy. NOASSERTION. >> >> 3.15 Declared License >> The problem with this field does not lie with the LEL but with the values the "field" will accept. "This field lists the licenses that have been declared by the authors of The package. " It should probably accept a list of LELs. For example if the top level directory had the following license files: COPYING.GPL-2.0 COPYING.LGPL-2.0 Then the declared license field should accept the "list" of LELs: GPL-2.0, LGPL-2.1 This approach is simple and probably handles 95% + cases. - Mark -Original Message- From: spdx-legal-boun...@lists.spdx.org [mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of Bradley M. Kuhn Sent: Wednesday, September 13, 2017 11:47 AM To: SPDX-legal Subject: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example) Since the Legal call where we first began discussing what Jilayne has called the "Github examples", I've been thinking about this question regularly. I do agree wholeheartedly with Richard Fontana's point that SPDX both has stakeholders who use the license identifiers outside of SPDX (and that SPDX as a project lauds such uses). SPDX should indeed think about those users. I'm primarily one of those users to the extent I use SPDX. However, for the purposes of this discussion, I suggest we return to first principles in the SPDX specification. So I asked myself, what job does SPDX expect license identifiers to do? I went to the SPDX spec and looked at this: 3.15 Declared License 3.15.1 Purpose: This field lists the licenses that have been declared by the authors of the package. Any license information that does not originate from the package authors, e.g. license information from a third party repository, should not be included in this field. (URL: https://spdx.org/spdx-specification-21-web-version#h.1hmsyys ) I began to think carefully about this question, what *is* the "Declared License" -- by the package authors -- in the examples at https://wiki.spdx.org/view/Legal_Team/only-operator-proposal#Examples_.2F_Challenges ? I admit that I don't know how exactly to
Re: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example)
On Thu, Sep 14, 2017 at 09:44:21AM -0700, Bradley M. Kuhn wrote: > W. Trevor King wrote: > > I don't think any of the examples there have a declared package > > license. > > I believe putting a copy of GPL in a repository is declaring a > package license. You may be able to make that argument in some cases, but that cannot be true in all cases. For example, Gentoo's package tree is clearly not under all of these licenses [1] nor are these packages under all of the licenses they include [2,3]. > > > But, for *Declarations*, SPDX clearly needs some other > > > identifier, which would usually only be used as Declared > > > licenses. > > > > This is not clear to me. Can you elaborate? > > License theorist apparently disagree about what the concluded > license is when I just put a copy of GPL in a directory in a > package. License theorists apparently disagree what when I say > "this is GPL'd". If there are disagreements, it seems me the SPDX > spec is suggesting that SPDX should store the declaration somehow, > and have the information available to those who must make > conclusions. Right, which is why there are separate SPDX fields to distinguish: * Package declared/concluded: PackageLicenseDeclared [4] / PackageLicenseConcluded [5] * File declared/concluded: LicenseInfoInFile [6] / LicenseConcluded [7] * Snippet declared/concluded: LicenseInfoInSnippet [8] / SnippetLicenseConcluded [9] But the *values* for all of those fields are license expressions. So whether or not we get an ‘only’ operator in license expressions seems orthogonal to “who decided this was the license?” which is what declared/concluded is about. Tools like npm that give the package author one slot for a package license [10] are collecting the declared package license. Our own SPDX-License-Identifier suggestion [11] is collecting the declared file license. Tools like licensee are taking a guess at a concluded package license [12], and automated package-license conclusions deserve all the caveats GitHub gives for them [13]. > > That means we *recommend* authors use SPDX License Expressions to > > declare the license which applies to that file. Do you feel that > > is inadequate? If so, how? > > This goes back to changing the outcome by observing it. Some people > chose to declare GPL using all the varied means that are > contemplated in the text of the GPL about not specifying version > numbers, etc. SPDX should be flexible enough to allow such > declarations that already exist in the wild, both at file and > package level. And doesn't it? Your point that folks disagree about whether dropping a copy of the GPL-2.0 into a repository counts as “declaring a project license” or even “declaring a license for the other files in the directory and its descendents” is fine. I don't really care about ambiguous author declarations. What I care about is *unambiguous* author declarations (e.g. including the recommended blurb at the top of a file [14], or pointing out the package license in the docs [15] or metadata file [16]). I also care about the concluded license from concluders I trust, because it resolves any ambiguity based on ambiguous or incorrect declarations to my satisfaction. If your policy is to count the presence of a local license as a package license declaration, I'd expect you to mention that possibly-contentious choice in PackageLicenseComments [17] (although the docs for that field do not currently speak to ambiguities in determining PackageLicenseDeclared). And the weight that your PackageLicenseDeclared and other calls have on others depends on how much they trust your decisions. So what information are you trying to express that doesn't already have a home in the SPDX file? Cheers, Trevor [1]: https://gitweb.gentoo.org/repo/gentoo.git/tree/licenses?id=c8d9adf62818774ab04531fb4f411c353891a54e [2]: https://github.com/spdx/license-list-XML/tree/e0dc5826985ee29fbb103c1da607b4a62ac5ceb0/src [3]: https://github.com/spdx/license-list/tree/3ac00adbaf162ba88f208ccee321fea4c8b7c643 [4]: https://spdx.org/spdx-specification-21-web-version#h.1hmsyys [5]: https://spdx.org/spdx-specification-21-web-version#h.ihv636 [6]: https://spdx.org/spdx-specification-21-web-version#h.111kx3o [7]: https://spdx.org/spdx-specification-21-web-version#h.2lwamvv [8]: https://spdx.org/spdx-specification-21-web-version#h.26o1yg500oc5 [9]: https://spdx.org/spdx-specification-21-web-version#h.4e2e263bk6wh [10]: https://docs.npmjs.com/files/package.json#license [11]: https://spdx.org/spdx-specification-21-web-version#h.twlc0ztnng3b [12]: https://github.com/benbalter/licensee/blob/v9.2.1/docs/what-we-look-at.md [13]: https://developer.github.com/v3/licenses/ [14]: https://github.com/angular/angular.js/blob/07849779ba365f371a8caa3b58e23f677cfdc5ad/docs/app/assets/js/angular-bootstrap/dropdown-toggle.js#L3-L23 [15]: https://github.com/angular/angular.js/blob/v1.6.6/docs/content/misc/faq.ngdoc#L194-L196 [16]:
Re: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example)
W. Trevor King wrote: > I don't think any of the examples there have a declared package license. I believe putting a copy of GPL in a repository is declaring a package license. Also, note that given that GPL is a strong copyleft, the file licensing data both matters less, and also can impact the package license in ways that don't happen in the permissive-MIT license example you gave. > Declaring a package license looks like this FAQ entry [1]: > > But, for *Declarations*, SPDX clearly needs some other identifier, which > > would usually only be used as Declared licenses. > This is not clear to me. Can you elaborate? License theorist apparently disagree about what the concluded license is when I just put a copy of GPL in a directory in a package. License theorists apparently disagree what when I say "this is GPL'd". If there are disagreements, it seems me the SPDX spec is suggesting that SPDX should store the declaration somehow, and have the information available to those who must make conclusions. > That means we *recommend* authors use SPDX License Expressions to declare > the license which applies to that file. Do you feel that is inadequate? > If so, how? This goes back to changing the outcome by observing it. Some people chose to declare GPL using all the varied means that are contemplated in the text of the GPL about not specifying version numbers, etc. SPDX should be flexible enough to allow such declarations that already exist in the wild, both at file and package level. -- Bradley M. Kuhn ___ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal
Re: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example)
On Wed, Sep 13, 2017 at 11:47:25AM -0700, Bradley M. Kuhn wrote: > I began to think carefully about this question, what *is* the "Declared > License" -- by the package authors -- in the examples at > https://wiki.spdx.org/view/Legal_Team/only-operator-proposal#Examples_.2F_Challenges I don't think any of the examples there have a declared package license. Declaring a package license looks like this FAQ entry [1]: ### How is AngularJS licensed? The [MIT License](https://github.com/angular/angular.js/blob/master/LICENSE). or this package.json entry [2]: "license": "MIT", where the package maintainers are making an explicit claim about the license for the whole package. However, the files listed in the wiki examples which have the GPL standard headers have a declared file license. And the license-text-of-the-GPL-2.0 has the same sort of declaration [3]. > But, for *Declarations*, SPDX clearly needs some other identifier, > which would usually only be used as Declared licenses. This is not clear to me. Can you elaborate? > Such an identifier would allow SPDX files (a) to better include all > the information that was available to best inform those who look at > the Declared license, (b) properly inform those making Conclusions, > and (c) avoid the current situation that causes Conclusions about > GPL licensing to appear in as a Declared license. > > I don't know what such an identifier should be, but it is *not* > GPLvN-or-later; it's not GPLvN-only; it's not GPLvN+. It's > something else. Since 2.1, the spec has had an appendix about SPDX-License-Identifier comments in file headers with SPDX License Expression values [4]. That means we *recommend* authors use SPDX License Expressions to declare the license which applies to that file. Do you feel that is inadequate? If so, how? Or are you on board with using SPDX License Expressions to express both declared and concluded licenses, but have only have quibbles about whether an ‘only’ operator is part of those expressions? That would be a much more narrowly scoped issue. If this is what's going on, can you explain why a header using the GPL-2.0's stock wording: Copyright (C) name of author This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail. would not be clearly declaring GPL-2.0+? And can you also explain why a header that said: Copyright (C) name of author SPDX-License-Identifier: GPL-2.0+ would not be clearly declaring GPL-2.0+? Cheers, Trevor [1]: https://github.com/angular/angular.js/blob/v1.6.6/docs/content/misc/faq.ngdoc#L194-L196 [2]: https://github.com/angular/angular.js/blob/v1.6.6/package.json#L3 [3]: https://github.com/spdx/license-list-XML/blob/f3dc56f2424e8e93732f655637e0542c5557588c/src/GPL-2.0.xml#L26-L30 [4]: https://spdx.org/spdx-specification-21-web-version#h.twlc0ztnng3b -- This email may be signed or encrypted with GnuPG (http://www.gnupg.org). For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy signature.asc Description: OpenPGP digital signature ___ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal