Re: [spdx-tech] A proposal for SPDX Private License Identifiers. Example: .com.amazon.-.ASL-2.0
On Tue, Feb 5, 2019 at 2:45 PM Schuberth, Sebastian <sebastian.schube...@here.com> wrote:

> > In text use: SPDX-License-ID: LicenseRef-.com.amazon.-.ASL-2.0
> >
> > Then if someone shipping a SBOM with the information in it
> > and wanted to record the license contents as well, they could cut/paste
> > into the document.
> >
> > LicenseID: LicenseRef-.com.amazon.-.ASL-2.0
> > LicenseName: Amazon Software License version 2.0
> > ExtractedText:
> > insert here info
> >
> > and still be able to represent the known state of the source code without
> > relying completely on the web sites to stay stable over time.
> >
> > Thoughts?
>
> Well, my immediate thought was that this combination of dots and dashes
> looks *very* awkward. Why not just "LicenseRef-com.amazon-ASL-2.0"? That
> would also go nicely with Philippe's approach to use a "scancode" namespace
> for ScanCode-specific license findings that have no SPDX identifier: In
> this case the namespace would be "com.amazon", i.e. the reverse domain just
> like in a Maven group name, to denote an Amazon-specific license.

Hi Sebastian,

That's pretty much where we ended up on the call.

LicenseRef--

We also ended up discussing where SPDX documents with these LicenseRef's could be defined, so others could access without depending on ad hoc vendor web sites. Preliminary discussion idea is to have SPDX doc of LicenseRef's logged at github.com/spdx/namespaces/namespace in addition to other options that vendors may want to provide.

Since this is of interest to legal as well as technical, thinking is to talk about this on the general call on Thursday, if time permits.

Kate

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#3654): https://lists.spdx.org/g/Spdx-tech/message/3654
Mute This Topic: https://lists.spdx.org/mt/29560818/21656
Group Owner: spdx-tech+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [spdx-tech] A proposal for SPDX Private License Identifiers. Example: .com.amazon.-.ASL-2.0
> In text use: SPDX-License-ID: LicenseRef-.com.amazon.-.ASL-2.0
>
> Then if someone shipping a SBOM with the information in it
> and wanted to record the license contents as well, they could cut/paste
> into the document.
>
> LicenseID: LicenseRef-.com.amazon.-.ASL-2.0
> LicenseName: Amazon Software License version 2.0
> ExtractedText:
> insert here info
>
> and still be able to represent the known state of the source code without
> relying completely on the web sites to stay stable over time.
>
> Thoughts?

Well, my immediate thought was that this combination of dots and dashes looks *very* awkward. Why not just "LicenseRef-com.amazon-ASL-2.0"? That would also go nicely with Philippe's approach to use a "scancode" namespace for ScanCode-specific license findings that have no SPDX identifier: In this case the namespace would be "com.amazon", i.e. the reverse domain just like in a Maven group name, to denote an Amazon-specific license.

Regards,
Sebastian

View/Reply Online (#3653): https://lists.spdx.org/g/Spdx-tech/message/3653

Re: [spdx-tech] A proposal for SPDX Private License Identifiers. Example: .com.amazon.-.ASL-2.0
Hi Philippe,

> > SPDX-License-Identifier: .com.amazon.-.ASL-2.0
> > https://aws.amazon.com/doc/ASL-2.0
> [...]
> > In a SPDX-License-identifier declaration, a Private License Identifier
> > can optionally be followed by a URI pointing to the canonical license text.
> > This URI should be under the control of the entity that controls the
> > DNS namespace of the Private License Identifier.
>
> SPDX-License-Identifier is not declaring an id, but instead using ids in an
> expression so I think this would break the license expression syntax may be?
> Otherwise how would express something such as:
> my-private-license1 AND my-private-license2

[G.O.] Good point on the license expressions. Including the URI expression in the license expression would make it difficult to parse.

I suggest we separate this into 2 proposals. One for a standard mechanism for defining a namespace within the licenseRef ID syntax and a separate standard way of describing the URI for either a license-XML definition and/or canonical license text.

For referencing the URI for the license XML or license text, we could extend the license expression syntax with additional operator(s). For example:

License-ref1 DEFINEDBY https://some.uri/with/licensexml

If we take this approach, we would need to do some additional work to define the operator precedence and think through the compatibility issues.

I can foresee a few issues with the above proposed approach but I thought I would put it out there for consideration.

Gary

View/Reply Online (#3652): https://lists.spdx.org/g/Spdx-tech/message/3652

Re: [spdx-tech] A proposal for SPDX Private License Identifiers. Example: .com.amazon.-.ASL-2.0
Hi Mark:

On Mon, Feb 4, 2019 at 9:57 PM Mark Atwood wrote:

> Just following up, does anyone have any comments or suggestions for my
> proposal for SPDX Private License Identifiers?

We surely could use a way to have namespaces of sorts for extra, non SPDX-listed license identifiers. This is something that I could use alright for ScanCode where we track roughly an extra 1000 licenses and exceptions more than in the SPDX list (ScanCode has 1456 licenses and exceptions and there are 415 in the SPDX list).

ScanCode handles this today by returning a well defined LicenseRef-xxx in SPDX documents for non SPDX-listed licenses. And a recent contribution by Tobias Furuholm created a "namespace"-like convention to use this for ids for such licenses:

License-Ref-scancode-

The project guarantees the to be stable over time (e.g. they can be deprecated if needed but never deleted). See https://github.com/nexB/scancode-toolkit/issues/532 for some discussions

> SPDX-License-Identifier: .com.amazon.-.ASL-2.0
> https://aws.amazon.com/doc/ASL-2.0
[...]
> In a SPDX-License-identifier declaration, a Private License Identifier can
> optionally be followed by a URI pointing to the canonical license text.
> This URI should be under the control of the entity that controls the DNS
> namespace of the Private License Identifier.

SPDX-License-Identifier is not declaring an id, but instead using ids in an expression so I think this would break the license expression syntax may be? Otherwise how would express something such as:

my-private-license1 AND my-private-license2

As a recap I think that:

1. having some kind of namespacing is a great idea
2. I find reverse DNS and dots hard to read and I would likely make many typos when writing/typing these down.
3. an SPDX-License-identifier is a whole expression so changes should not break license expressions.
4. it might be clearer to distinguish naming (giving an id) and documenting that id separately (providing extra information about this id such as at a URL to a text or other data) and not try to put them all in one place.
5. LicenseRef (and possibly some specified or conventional way to structure them) may be a way to consider

--
Cordially
Philippe

View/Reply Online (#3651): https://lists.spdx.org/g/Spdx-tech/message/3651
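
Added example, not part of the thread or of any SPDX tool: a small Python check of the parsing point raised by Philippe and Gary above. It shows that a namespaced id such as LicenseRef-com.amazon-ASL-2.0 stays within the SPDX idstring character set (letters, digits, "." and "-") and so still combines with AND/OR, while a URI placed inside the expression does not. The split_namespace rule (split at the first hyphen after "LicenseRef-") and the sample id LicenseRef-scancode-example are assumptions made for illustration.

```python
import re

# SPDX license-expression grammar: an idstring is letters, digits, "." and "-".
IDSTRING = r"[A-Za-z0-9.\-]+"
LICENSE_REF = re.compile(rf"(?:DocumentRef-{IDSTRING}:)?LicenseRef-({IDSTRING})")
LICENSE_ID = re.compile(rf"{IDSTRING}\+?")
TOKEN = re.compile(r"\s*(\(|\)|[^\s()]+)")
OPERATORS = {"AND", "OR", "WITH"}


def tokenize(expression):
    """Split an expression into parentheses and whitespace-separated words."""
    expression = expression.strip()
    tokens, pos = [], 0
    while pos < len(expression):
        match = TOKEN.match(expression, pos)
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def invalid_tokens(expression):
    """Return words that are not operators, parentheses or valid identifiers."""
    return [
        tok for tok in tokenize(expression)
        if tok not in OPERATORS and tok not in ("(", ")")
        and not LICENSE_ID.fullmatch(tok) and not LICENSE_REF.fullmatch(tok)
    ]


def split_namespace(license_ref):
    """Split 'LicenseRef-<namespace>-<id>' at the first hyphen after the prefix.

    Hypothetical rule for the reverse-DNS form suggested in the thread;
    SPDX itself defines no namespace inside a LicenseRef.
    """
    match = LICENSE_REF.fullmatch(license_ref)
    if not match:
        raise ValueError(f"not a LicenseRef: {license_ref!r}")
    namespace, sep, local_id = match.group(1).partition("-")
    if not (namespace and sep and local_id):
        raise ValueError(f"no namespace in {license_ref!r}")
    return namespace, local_id


if __name__ == "__main__":
    # Constructed inputs based on the identifiers quoted in the thread.
    print(invalid_tokens("LicenseRef-com.amazon-ASL-2.0 AND LicenseRef-scancode-example"))
    print(invalid_tokens("LicenseRef-.com.amazon.-.ASL-2.0 https://aws.amazon.com/doc/ASL-2.0"))
    print(split_namespace("LicenseRef-com.amazon-ASL-2.0"))
```

Under this first-hyphen rule a namespace that itself contains a hyphen, such as a constructed LicenseRef-com.my-company-EULA, splits as ("com.my", "company-EULA"), so a tool consuming such ids would need a delimiter convention that cannot occur inside the namespace.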