Re: [spdx-tech] An example of a super simple SPDX licenses registry, for discussion

2019-03-11 Thread Philippe Ombredanne 
Hi Jilayne:
On Sat, Mar 9, 2019 at 6:40 PM J Lovejoy  wrote:
> Hi Philippe,
> I’m a bit lost on what the goal of this is. Can you provide a bit more 
> context.
>
> I looked at a couple entries and noticed, for example, this one:
> https://github.com/nexB/spdx-license-namespaces-registry/blob/master/scancode/licenseref-scancode-bsd-innosys.spdx
>
> which then points to this: 
> https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/bsd-innosys.yml
>
> which notes that this is common in the Linux kernel.
>
> Weren’t we going to add to the SPDX License List some of the other common 
> licenses you all were finding in the kernel?
>
> > and https://github.com/nexB/spdx-license-namespaces-registry/pull/1
> >

I sent it quickly during the legal team call on Thursday and sorry for
not providing much background then.
Here it is:

There has been a recent discussion initiated by Mark Atwood to create
stable, yet private SDPX identifiers.
And there is a similar need for ScanCode licenses too (See
https://github.com/nexB/scancode-toolkit/issues/532 and has been
requested by several users too.

Through the discussions, Kate and Gary suggested that we could reuse
LicenseRef and create an SPDX document for each license.  The example
repository and example pull request that I linked above are to provide
an example of what this would look like if we were to have such a
system where there could be two level of registrations: simple
namespace and namespace + licenses ... all using LicenseRef
The benefit is that there would be no change to the spec required at
all and could be used today.
Now, the actual content of the repo I linked is based on a completely
random subset of non-SPDX-listed licenses that exists in ScanCode, so
their actual content is not relevant here.

I reckon that I still owe you to submit all the licenses that we found
in the kernel that are not yet in SPDX I am terribly late on that
part.

The two are not directly related... yet I could see the submission of
namespaced licenses as being a funnel for actual additions to the SPDX
list proper. Some may be worthy of that addition while some may not
make the cut.

--
Cordially
Philippe Ombredanne

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#3666): https://lists.spdx.org/g/Spdx-tech/message/3666
Mute This Topic: https://lists.spdx.org/mt/30299820/21656
Group Owner: spdx-tech+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [spdx-tech] An example of a super simple SPDX licenses registry, for discussion

2019-03-11 Thread Richard Fontana 
This sounds appealing to me (if I'm understanding it correctly). From
Red Hat's perspective one of the great impracticalities of SPDX has
been that, after many years of SPDX's existence, its adopted
identifiers still represent only a small portion of the licenses
encountered in much of the the software we encounter in our product
and project development. I think there are a few problematic reasons
for this aside from the fact that curating the SPDX license list is a
lot of work. Use of "LicenseRef" (not to mention something like
NOASSERTION) is a nonstarter for the use cases we are most interested
in. What we've actually done in some cases is use the nonstandard
identifiers created by nexB.

Indeed I recently complained about the use of NOASSERTION in
ClearlyDefined:
https://github.com/clearlydefined/clearlydefined/issues/99. The issue
that partly inspired this was one involving the former Facebook React
license which is still widely encountered (
https://github.com/clearlydefined/curated-data/pull/1107 ).

Richard



On Sun, Mar 10, 2019 at 12:44 PM via Lists.Spdx.Org
 wrote:
>
> I love the idea of being able to easily represent arbitrary licenses with 
> SPDX identifiers. We use a number of SPDX based license expression tools and 
> all of them require that the leaf nodes in an expression be valid 
> identifiers. Using LicenseRef is cool but essentially defers the identity 
> problem. Namespacing is a common approach to distributing the problem and 
> enabling different communities to evolve at their own pace. This happens very 
> often for us when we encounter novel licenses in some of the many 000s of 
> components we use. Today we have to either say NOASSERTION or spoof up a 
> LicenseRef.
>
> The downside with namespacing is that two namespaces can easily end up with 
> different identifiers for the same license. We'd be incrementally better off 
> but still faced with a logic problem (e.g., are LicenseRef-ns1-Foo and 
> LicenseRef-ns2-Bar the same or different). Since we often use multiple tools, 
> each having its own namespace, make it quite hard to reason about results.
>
> Theoretically there could be a central registry where interested parties 
> could instantly discover names for license texts and register new license 
> texts and give them names. Then a new tool vendor/user, encountering a "new" 
> license would first consult the registry to see if that text has already been 
> allocated a name. Still some gaps but perhaps incrementally better.
>
> IMO the "ideal" here is that there is some automated way of "fingerprinting" 
> license texts such that two parties, given more or less the same text, can 
> independently come up with the same id. At that point you would not need a 
> registry, just a shared algorithm. When/if eventually SPDX does recognize a 
> given license and gives it a formal id, there could be a relatively simple 
> aliasing step where SPDX id "SomeCoolLicense-1.0" is AKA "LicenseRef-43bdf298"
>
> Finally, if the SPDX license list was a) less opinionated as to what can be 
> identified and b) very fast at adding new entries, the bulk of the issue we 
> see would go away.
>
> Jeff
>
>
> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of 
> Philippe Ombredanne via Lists.Spdx.Org
> Sent: Thursday, March 7, 2019 9:44 AM
> To: SPDX-legal 
> Cc: Spdx-tech@lists.spdx.org
> Subject: [spdx-tech] An example of a super simple SPDX licenses registry, for 
> discussion
>
> See 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FnexB%2Fspdx-license-namespaces-registry%2Fdata=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901sdata=Gcu7ZaKsKtp%2BfMyorZpkfTKDQpm0zDg%2BxdkjOYD4bag%3Dreserved=0
> and 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FnexB%2Fspdx-license-namespaces-registry%2Fpull%2F1data=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901sdata=GXODPG2zqT2uiVCI1Z84ZNQG85QpfEjcvvsA9oZQp5U%3Dreserved=0
>
> --
> Cordially
> Philippe Ombredanne
>
> +1 650 799 0949 | pombreda...@nexb.com
> DejaCode - What's in your code?! - 
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.dejacode.comdata=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901sdata=iEQcHYltCN0uba4t1KwF5WvfGmPRB0RSZxGEjQH%2FYd4%3Dreserved=0
> AboutCode - Open source for open source - 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.aboutcode.orgdata=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901sdata=dBq66UPR0wShGDO0SNmM06x0geoU5pABTj1Gjus0%2FsY%3Dreserved=0
> nexB Inc. - 
>