Re: Is "+" a valid character of a LicenseRef idstring?
On Tue, Nov 3, 2015 at 3:45 AM, Wheeler, David A wrote:
> Philippe Ombredanne wrote:
[...]
>> You say:
>> GPL-2.0 ==> implies GPL 2.0 only
>> GPL-2.0+ ==> implies GPL 2.0 or later

> That's not just what I say. That's what the spec says, and has
> clearly stated since circa 2010.

> This would have been a useful argument to raise in 2010 (when SPDX was
> drafted). But this group doesn't exist to create a new spec where
> none has existed. For more than 5 years SPDX has consistently stated
> that "GPL-2.0" means ONLY GPL-2.0 and nothing else. This builds on
> previous history of Fedora and Debian, who also use "+" this way,
> e.g., see: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing

David: I know this as I was part of it and that does not make it more right ... FWIW, I have been around SPDX for quite a while ;).
See "A Short History of SPDX": https://spdx.org/about-spdx/what-is-spdx

> While I know you're focusing on the GPL, there are many other
> licenses, and most licenses do NOT have a "this or later version"
> clause;

The focus is not only on the GPL: well over 25% of the SPDX licenses DO HAVE a "this or later version" clause. Here are some examples:

- Most of the FSF licenses: The GPL and LGPL and all their versions. But also the AGPL, the GFDL, etc.
- all the Mozilla-like licenses: NPLs, MPLs and all the MPL derivatives such as SPL, CPAL, Erlang, RPL, APSL, Gsoap, ZIMBRA, SISL, etc.
- most of the Creative Commons licenses,
- The Eclipse licenses and the CPLs,
- the CDDLs,
- the PHP license,
- OpenLDAP, Latex/LPPL, LPL, Condor, CATOSL, RPSL, CECILL, etc.

For all SPDX licenses allowing other versions, the bare identifier means "or later version", except for the L/GPL where this means "only the current version" unless you create an expression with a "+".

So the decision procedure to use a plus or not is roughly like this:

If licensing allows to use "other license versions":
- If and only if GPL or LGPL, add a + to the license identifier. "other license versions" is NOT implied.
- Otherwise, if this is not GPL or LGPL, do NOT add a +. "other license versions" is implied if the license allows such thing. Do this ONLY for any versions of these two licenses. Do not apply this approach to other FSF licenses such as AGPL, GFDL and others.
- Except if you are a Linux packager for Debian or Fedora and their derivatives, because then you may use the + for other FSF licenses beyond the L/GPL. The + is already used with GFDL, AGPL, etc. Do not use a plus for non-FSF licenses that have an "or later" clause.

If licensing does NOT allow to use "other license versions":
- If and only if LGPL or LGPL, use the bare license identifier. "no other license version" is implied by a bare id.
- Except if you are a Linux packager because you apply the same approach for other FSF licenses.
- If this is another license, then? "other license version" IS implied in a bare id here. SPDX does not help you there, and you could create an exception. This is a rare case anyway.

> having the default be what's common in MOST licenses is
> actually sensible.

This is exactly my point. The common sense and default usage for L/GPL is ". And Linux distros and SPDX have made the default "or later" exceptional and the less common "only" exception the default.

So how to resolve this situation?

In the grand scheme of things, "only" and "or later" are minute technicalities that the large majority of software users do not care for. The license requirements are essentially the same and "later or not later" is not the question. Only a few licensing mavens care about this and they know how to deal with it.

But SPDX is likely stuck with this inconsistent legacy and yes this is hard to escape without creating more mess. It does not mean that we cannot try to clarify and improve things.

First we need to distinguish two types of licenses allowing "other versions":

a. FSF licenses such as the A/L/GPL. These are the only licenses where a plus + convention has been used by Linux distros and SPDX with some consistency.
b. Non-FSF licenses. I cannot find cases where the plus + convention has been used in the wild or with SPDX for these.

Some ways out could include:

Option 1. Do mostly nothing.
- Keep the status quo and clarify the current ambiguities: We document the procedure I described above and move on. We accept this is a mess and make it a documented mess. This is an OK option. And requires little or no work.

Option 2. Change the meaning of every bare license id that allows "or later" to mean "this version only". FSF or not FSF. No change of license ids is needed, only the SPDX full names and notes need to be updated the same way the full name of the GPL-2.0 is: "GNU General Public License v2.0 only". And we explain that to express the default case of "or later" you always need to create an expression with a +. This would provide a consistent
Re: Is "+" a valid character of a LicenseRef idstring?
On Tue, Nov 3, 2015 at 9:27 AM, Wheeler, David A wrote:
> Philippe Ombredanne:
>
> > But SPDX is likely stuck with this inconsistent legacy and yes this is
> > hard to escape without creating more mess. It does not mean that we cannot
> > try to clarify and improve things.
>
> Sure, but I think "GPL-2.0" MUST continue to mean "GPL version 2.0 and no
> other version", because that's the spec that everyone is depending on, this
> is a common case, and this is the convention that all other license naming
> systems also. Changing a key existing meaning in a standard is a bad thing.
>
> Perhaps SPDX should add an additional postfix operation like "!" to mean
> "exactly this version and no other". Then encourage always using the
> postfixes "+" or "!" in license expressions for licenses that have "or any
> later version" text. E.G., "GPL-2.0!" might be the preferred way to
> express "exactly GPL version 2.0" while "GPL-2.0+" would continue to mean
> "GPL version 2.0 or later". Then you can deprecate license expressions
> where a license uses "or any later version" text and omits a postfix (e.g.,
> "GPL-2.0" is a legal name of a license but a deprecated license
> expression). You could even allow postfix "?" to mean it's unknown if
> later versions are allowed or not, a plausible tool result. This would
> mean that SPDX would need to track which licenses have "or later version"
> text, to encourage people add the postfix operation, but that's easily done.

Adding additional postfix operators is an interesting idea.

We do need to keep the existing semantics we've got here in terms of how the licenses are expressed (and other communities like Fedora and Debian) already use them, or as you say, risk major confusion emerging.

Improving this situation by adding "!" to be explicit is an elegant way of starting to be explicit - and transitioning to being more precise in the future. I'm not so sure about "?", but it's certainly worth further discussion.

Kate
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech
RE: Is "+" a valid character of a LicenseRef idstring?
Philippe Ombredanne:
> The focus is not only on the GPL: well over 25% of the SPDX licenses DO HAVE
> a "this or later version" clause

> In the grand scheme of things, "only" and "or later" are minute
> technicalities that the large majority of software users do not care for. The
> licenses requirements are essentially the same and "later or not later" is
> not the question. Only a few licensing mavens care about this and they know
> how to deal with it.

These are not minor technicalities from a legal point of view; versions are important. They control what is allowed and not allowed.

It's true that many developers don't care about license versions, but many developers don't care about licensing or if what they're doing is legal. I know we *do* agree that we should work for a higher standard :-).

> But SPDX is likely stuck with this inconsistent legacy and yes this is hard
> to escape without creating more mess. It does not mean that we cannot try to
> clarify and improve things.

Sure, but I think "GPL-2.0" MUST continue to mean "GPL version 2.0 and no other version", because that's the spec that everyone is depending on, this is a common case, and this is the convention that all other license naming systems also. Changing a key existing meaning in a standard is a bad thing.

Perhaps SPDX should add an additional postfix operation like "!" to mean "exactly this version and no other". Then encourage always using the postfixes "+" or "!" in license expressions for licenses that have "or any later version" text. E.G., "GPL-2.0!" might be the preferred way to express "exactly GPL version 2.0" while "GPL-2.0+" would continue to mean "GPL version 2.0 or later". Then you can deprecate license expressions where a license uses "or any later version" text and omits a postfix (e.g., "GPL-2.0" is a legal name of a license but a deprecated license expression). You could even allow postfix "?" to mean it's unknown if later versions are allowed or not, a plausible tool result. This would mean that SPDX would need to track which licenses have "or later version" text, to encourage people add the postfix operation, but that's easily done.

--- David A. Wheeler
RE: Is "+" a valid character of a LicenseRef idstring?
Schuberth, Sebastian wrote:
> Using a + is a wart. Licenses that allow the use of other versions do so
> explicitly in their texts, the GPL being the most prominent but the EPL comes
> to mind too. So there is no such thing as GPL-2.0 or another version: these
> are the plain default GPL terms.

The issue is how the software is licensed, not what the text of the GPL (or anything else) is. The use of "+" to mean "or later" is a long-standing convention preceding SPDX.

> Essentially GPL-2.0 and GPL-2.0+ mean exactly the same thing.

No, there's a need to distinguish between "exactly this version" or "this version or later". Some software, such as the Linux kernel, are GPL version 2.0 only.

--- David A. Wheeler
RE: Is "+" a valid character of a LicenseRef idstring?
Hi Philippe,

> -Original Message-
> From: spdx-legal-boun...@lists.spdx.org [mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of Philippe Ombredanne
> Sent: Monday, November 2, 2015 1:57 AM
> To: Schuberth, Sebastian; spdx-tech@lists.spdx.org; SPDX-legal
> Subject: Re: Is "+" a valid character of a LicenseRef idstring?
>
> On Wed, Oct 28, 2015 at 10:28 AM, Schuberth, Sebastian
> <sebastian.schube...@here.com> wrote:
>
> > when debugging an issue in the spdx-tools verifier, I noticed the SPDX
> > 2.0 specs seem to be inconsistent on whether "+" is a valid character
> > in a LicenseRef's idstring, like in LicenseRef-[idstring].
>
> I do not see any reason why a + would not be allowed in a reference, and
> there is no ambiguity since the + is always something attached to an id or
> ref string, not some free standing symbol.

[Gary] In the 2.0 spec, the + is a unary operator with a specific meaning (see Appendix IV of the 2.0 spec "Simple License Expressions" subsection page 82). If we are to use it as an operator with License Ref's, it would be difficult for a parser to determine when it is part of a reference string and when it is intended as an operator.

Gary
Re: Is "+" a valid character of a LicenseRef idstring?
>> On Wed, Oct 28, 2015 at 10:28 AM, Schuberth, Sebastian wrote:
>>> when debugging an issue in the spdx-tools verifier, I noticed the
>>> SPDX 2.0 specs seem to be inconsistent on whether "+" is a
>>> valid character in a LicenseRef's idstring, like in LicenseRef-[idstring].

> I wrote:
>> I do not see any reason why a + would not be allowed in a reference, and
>> there is no ambiguity since the + is always something attached to an id or
>> ref string, not some free standing symbol.

On Mon, Nov 2, 2015 at 7:02 PM, Gary O'Neall wrote:
> In the 2.0 spec, the + is a unary operator with a specific meaning
> (see Appendix IV of the 2.0 spec "Simple License Expressions" subsection
> page 82). If we are to use it as an operator with License Ref's, it would
> be difficult for a parser to determine when it is part of a reference string
> and when it is intended as an operator.

This + is a suffix and not a freestanding character, right?
So "GPL-2.0+" is valid but "GPL-2.0 +" would not be valid?

In this case there would be no issue to have a plus as part of a licenseref: there is no possible ambiguity.

Then again we would be better off to get rid of the plus entirely!

--
Cordially
Philippe Ombredanne
RE: Is "+" a valid character of a LicenseRef idstring?
I said:
> In particular, "GPL-2.0" is a license identifier, and "GPL-2.0+" is *NOT*.

Just a few nitpicks on my previous email:

* I realize that "GPL-2.0+" is in the list of "deprecated" license identifiers, so in some sense there is a "GPL-2.0+" license identifier. But I think it's clear what the *intent* is; the deprecated entry is only for legacy use.
* I only talked about pre-defined license identifiers with short forms. I realize that there can be licenses not in the list, and those are handled differently.

--- David A. Wheeler
RE: Is "+" a valid character of a LicenseRef idstring?
So we're all on the same page in this discussion: are you referring to this section of the GPL-2.0 license:

==
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
==

Tom Incorvia; tom.incor...@microfocus.com; O: (512) 340-1336; M: (215) 500 8838; Shoretel (Internal): X27015

-Original Message-
From: spdx-legal-boun...@lists.spdx.org [mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of Philippe Ombredanne
Sent: Monday, November 02, 2015 1:10 PM
To: Wheeler, David A <dwhee...@ida.org>
Cc: spdx-tech@lists.spdx.org; SPDX-legal <spdx-le...@lists.spdx.org>
Subject: Re: Is "+" a valid character of a LicenseRef idstring?

On Mon, Nov 2, 2015 at 2:07 PM, Wheeler, David A <dwhee...@ida.org> wrote:
>On Mon, Nov 2, 2015 at 10:56 AM, Philippe Ombredanne <pombreda...@nexb.com>
>wrote:

David:
> Schuberth, Sebastian <sebastian.schube...@here.com> wrote:

I think you misquoted my reply for being from Sebastian.

> The issue is how the software is licensed, not what the text of the
> GPL (or anything else) is. The use of "+" to mean "or later" is a
> long-standing convention preceding SPDX.

Pardon me, but I think the text(s) of the GPL define how the software is licensed...

As I said initially I agree this is indeed a long standing convention. But this does not mean that this is a correct convention and that the status-quo should continue.

FWIW, I said essentially the same thing as you about the origin of this + notation:

On Mon, Nov 2, 2015 at 10:56 AM, Philippe Ombredanne <pombreda...@nexb.com> wrote:
>> So to me it [the +] is an exception to the GPL-2.0 (or 3) to
>> disallow the use of other versions. A fairly common exception because
>> it is used in the kernel and that likely led to this flawed but
>> widely spread approach to be adopted by Linux distros. And later adopted by
>> SPDX.

On Mon, Nov 2, 2015 at 10:56 AM, Philippe Ombredanne <pombreda...@nexb.com> wrote:
>> Essentially GPL-2.0 and GPL-2.0+ mean exactly the same thing.

> No, there's a need to distinguish between "exactly this version" or "this
> version or later".
> Some software, such as the Linux kernel, are GPL version 2.0 only.

My point here is that when I refer to the GPL 2.0 I have by default the rights to use any other version, unless as a special EXCEPTION you are telling me that I can use only this version and no other version.

So GPL-2.0 with no-other-version would be capturing better the exceptional nature of the version restriction, than GPL-2.0+ does in forcing a plus in the general case

--
Cordially
Philippe Ombredanne
___
Spdx-legal mailing list
spdx-le...@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal
RE: Is "+" a valid character of a LicenseRef idstring?
Good point. What makes this particular syntax more confusing is that pre-2.0 the + was considered part of the license identifier. It was promoted to an operator in the 2.0 spec which does create some backwards compatibility issues (as well as some confusion).

Gary

> -Original Message-
> From: Wheeler, David A [mailto:dwhee...@ida.org]
> Sent: Monday, November 2, 2015 12:12 PM
> To: Philippe Ombredanne; Gary O'Neall
> Cc: spdx-tech@lists.spdx.org; SPDX-legal
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
>
> Philippe Ombredanne:
> > This + is a suffix and not a freestanding character, right?
> > Then again we would be better off to get rid of the plus entirely!
>
> You may be confusing a SPDX "license identifier" and a SPDX "license
> expression". It's a subtle point.
>
> The purpose of a "license identifier" is to identify a specific text of
> a specific license text, using a short name. In SPDX 2.0 there is no
> "+" in a standard license identifier. In particular, "GPL-2.0" is a
> license identifier, and "GPL-2.0+" is *NOT*. If all you want to do is
> identify a particular license text, use a license identifier. No "+"
> exists at the end of a license identifier.
>
> However, a "license identifier" is often inadequate for describing the
> licensing requirements imposed on users and later developers. Many
> packages have different subcomponents with different licenses. Many
> packages include the text of some license (such as the GPL version
> 2.0), but there are often two possible cases:
> - You must use this particular version of the license.
> - You may use this or any later version of the license.
>
> Thus, SPDX 2.0 defines a "license expression" for describing how
> license texts apply to software packages. A license expression is
> built out of license identifiers but adds ways to describe how the
> license texts are used. A "+" appended after the name of a license
> identifier means "or any later version may also be used". E.G., the
> license expressions "(GPL-2.0+ WITH Classpath-Exception-2.0)" and "(MIT
> AND BSD-3-CLAUSE)" express how the license text requirements are
> imposed on recipients (users and developers). License expressions use
> the long-standing convention is that if software is licensed using
> "this or any later version" you add a "+" to the name of the license.
> You can argue that the "+" should be the default, but standards
> typically work best if they build on pre-existing conventions, and that
> was certainly the case here.
>
> --- David A. Wheeler
RE: Is "+" a valid character of a LicenseRef idstring?
Hi Philippe,

> This + is a suffix and not a freestanding character, right?
> So "GPL-2.0+" is valid but "GPL-2.0 +" would not be valid?

[Gary] My interpretation of the spec "GPL-2.0+" and "GPL-2.0 +" are both syntactically valid (as well as MIT+, LicenseRef-21+ and any other listed license ID or licenseRef). This is not any statement on the interpretation, just the license expression syntax (I'll leave the interpretation discussions to a separate thread).

In general, I would prefer any operator character(s) to be excluded from the allowed characters for a license reference to keep the parsing clear and easier to implement.

Gary
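An added example, not part of the original thread and not spdx-tools code: a small Python tokenizer showing why a trailing "+" becomes ambiguous once "+" is also allowed inside a LicenseRef idstring, and how the tag-value case reported in this thread ends up looking for an undeclared LicenseID. The idstring character set (letters, digits, "-", "."), the attached-suffix reading of "+", the function names and the sample document are all assumptions made for illustration.

```python
import re

# Assumption for this example: an idstring is letters, digits, "-" and ".".
LISTED = re.compile(r"[A-Za-z0-9.\-]+")
REF_STRICT = re.compile(r"LicenseRef-[A-Za-z0-9.\-]+")
# Variant under discussion: "+" is also allowed inside a LicenseRef idstring.
REF_LOOSE = re.compile(r"LicenseRef-[A-Za-z0-9.+\-]+")

OPERATORS = {"AND", "OR", "WITH"}
TOKEN = re.compile(r"[()]|[^\s()]+")


def readings(token, plus_in_ref=False):
    """Return every (license_id, or_later) reading of one license token."""
    if token.startswith("LicenseRef-"):
        pattern = REF_LOOSE if plus_in_ref else REF_STRICT
    else:
        pattern = LISTED
    found = []
    if pattern.fullmatch(token):
        found.append((token, False))        # the whole token is the id
    if token.endswith("+") and pattern.fullmatch(token[:-1]):
        found.append((token[:-1], True))    # trailing "+" is the operator
    return found


def parse(expr, plus_in_ref=False):
    """Map each license token of a simple expression to its readings.

    "+" is accepted only as an attached suffix (an assumption of this
    sketch), so a free-standing "+" raises ValueError.
    """
    result = {}
    previous = None
    for token in TOKEN.findall(expr):
        if token in ("(", ")") or token in OPERATORS or previous == "WITH":
            previous = token                # skip syntax and exception names
            continue
        found = readings(token, plus_in_ref)
        if not found:
            raise ValueError("not a license id or reference: %r" % token)
        result[token] = found
        previous = token
    return result


def unresolved_refs(expr, declared, plus_in_ref=False):
    """LicenseRef tokens for which no reading names a declared LicenseID."""
    return [
        token
        for token, found in parse(expr, plus_in_ref).items()
        if token.startswith("LicenseRef-")
        and not any(license_id in declared for license_id, _ in found)
    ]


def ambiguous(expr, plus_in_ref=True):
    """Tokens that have more than one reading under the chosen grammar."""
    return [t for t, found in parse(expr, plus_in_ref).items() if len(found) > 1]


# Constructed sample following the tag-value lines quoted in the thread:
# the document declares "LicenseID: LicenseRef-LGPL-3.0+" and a file
# carries "LicenseInfoInFile: LicenseRef-LGPL-3.0+".
DECLARED = {"LicenseRef-LGPL-3.0+"}
EXPR = "LicenseRef-LGPL-3.0+"

if __name__ == "__main__":
    # "+" as operator only: the reference resolves to an undeclared id.
    print("strict unresolved:", unresolved_refs(EXPR, DECLARED))
    # "+" allowed in the idstring: it resolves, but has two readings.
    print("loose unresolved: ", unresolved_refs(EXPR, DECLARED, plus_in_ref=True))
    print("loose ambiguous:  ", ambiguous(EXPR))
    # A name that spells the plus out has one reading under both grammars.
    print("renamed ambiguous:", ambiguous("LicenseRef-LGPL-3.0-plus"))
```
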
Re: Is "+" a valid character of a LicenseRef idstring?
On Mon, Nov 2, 2015 at 9:12 PM, Wheeler, David A wrote:
> Philippe Ombredanne:
>> This + is a suffix and not a freestanding character, right?
>> Then again we would be better off to get rid of the plus entirely!

> You may be confusing a SPDX "license identifier" and a SPDX "license
> expression". It's a subtle point.

I am not confusing these at all. The gist of what I am saying is that the plus is a legacy that should not be there. It does not make sense to add to the large majority of GPL in the wild a + just to deal with a few exceptions that do not allow other versions. Exceptions should be dealt with an exception not with an extra + in an expression.

> The purpose of a "license identifier" is to identify a specific text
> of a specific license text, using a short name. In SPDX 2.0 there is
> no "+" in a standard license identifier. In particular, "GPL-2.0" is
> a license identifier, and "GPL-2.0+" is *NOT*. If all you want to do
> is identify a particular license text, use a license identifier. No
> "+" exists at the end of a license identifier.
>
> However, a "license identifier" is often inadequate for describing
> the licensing requirements imposed on users and later developers.
> Many packages have different subcomponents with different licenses.
> Many packages include the text of some license (such as the GPL
> version 2.0), but there are often two possible cases:
> - You must use this particular version of the license.
> - You may use this or any later version of the license.

> Thus, SPDX 2.0 defines a "license expression" for describing how
> license texts apply to software packages. A license expression is
> built out of license identifiers but adds ways to describe how the
> license texts are used. A "+" appended after the name of a license
> identifier means "or any later version may also be used". E.G., the
> license expressions "(GPL-2.0+ WITH Classpath-Exception-2.0)" and
> "(MIT AND BSD-3-CLAUSE)" express how the license text requirements
> are imposed on recipients (users and developers). License expressions
> use the long-standing convention is that if software is licensed
> using "this or any later version" you add a "+" to the name of the
> license. You can argue that the "+" should be the default,
> but standards typically work best if they build on pre-existing
> conventions, and that was certainly the case here.

David: What you are saying in substance is that every time I want to state that code is licensed under the GPL 2.0 or any other version (which is the default), you want me to craft a special license expression with a plus. And if I do not craft that expression, then the SPDX meaning is that only the current version applies and not any later version.

I am saying this instead: Since the default for the GPL is to allow later versions, we should by default state the opposite: The few times that "only the current version" should be used, state this explicitly with an exception.

You say:
GPL-2.0 ==> implies GPL 2.0 only
GPL-2.0+ ==> implies GPL 2.0 or later

I say:
GPL-2.0 ==> implies GPL 2.0 with its defaults (including later versions)
GPL-2.0 with no-other-version ==> implies GPL 2.0 and no other version

Explicit is better than implicit.

My rationale: Practically the use of a GPL version "only" is much less frequent than the default "or later" and therefore forcing me to add a plus is a source of confusion. The most common use case should be the default and should not require a special addition of a character in an expression. "only" should be an exception and not the default, because it is not the default, nor the prevalent usage of the GPL: it is exceptional.

The fact that the + convention has been used by Linux distros package maintainers and neither always strictly nor consistently does not make this right and something that should be endorsed blindly.

So to recap: I am NOT arguing about the syntax to express this. I am arguing about the essence of the meaning of the plain GPL-2.0 license key in a simple expression.

The mere use of a GPL-2.0 identifier should convey that the license is GPL-2.0 or any other version. We should have an exception to convey the rarer cases when only the stated version applies.

The benefits are:
1. no ambiguity about the meaning of widely used licenses such as the GPL.
2. simpler spec
3. simpler expressions in most cases, more verbose and more explicit expressions when needed in some rarer cases.

--
Cordially
Philippe Ombredanne
Re: Is "+" a valid character of a LicenseRef idstring?
On Mon, Nov 2, 2015 at 8:17 PM, Tom Incorvia wrote:
> So we're all on the same page in this discussion: are you referring
> to this section of the GPL-2.0 license:
>
> ==
> Each version is given a distinguishing version number. If the Program
> specifies a version number of this License which applies to it and
> "any later version", you have the option of following the terms and
> conditions either of that version or of any later version published
> by the Free Software Foundation. If the Program does not specify a
> version number of this License, you may choose any version ever
> published by the Free Software Foundation.
> ==

Yes, exactly that, and the related text found in the proposed notice text found at the end of the GPL text:

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

... which is the default notice I see in most cases (except for the not-so-uncommon case of the Kernel).

My take is that the large majority of programmers applying the GPL to their work just take the default notice and only a very few make an exception and restrict this to an exact version.

I even have pseudo scientific evidence to support this claim ;)
http://www.googlefight.com/free+software+foundation+and+no+other+version-vs-free+software+foundation%3B+either+version+2.php

--
Cordially
Philippe Ombredanne
Re: Is "+" a valid character of a LicenseRef idstring?
On Mon, Nov 2, 2015 at 10:36 PM, Gary O'Neall wrote:
>> This + is a suffix and not a freestanding character, right?
>> So "GPL-2.0+" is valid but "GPL-2.0 +" would not be valid?

> My interpretation of the spec "GPL-2.0+" and "GPL-2.0 +" are both
> syntactically valid (as well as MIT+, LicenseRef-21+ and any other listed
> license ID or licenseRef). This is not any statement on the interpretation,
> just the license expression syntax (I'll leave the interpretation
> discussions to a separate thread).

> In general, I would prefer any operator character(s) to be excluded from the
> allowed characters for a license reference to keep the parsing clear and
> easier to implement.

Gary, I cannot envision a simpler implementation than splitting on spaces. A plus sign specified as a suffix that is not attached to a license key would no longer be a suffix to me, but something entirely different.

My interpretation of the spec is that the + sign must be attached to the license key and all examples provided in the spec support this interpretation. If that part is not clear, let's fix the spec. This is not something frozen.

Now that said, I do not like the plus at all and we should remove entirely from the spec.

--
Cordially
Philippe Ombredanne
RE: Is "+" a valid character of a LicenseRef idstring?
Hi Kate,

the example of “LicenseRef-LGPL-3.0+” was a bad one. It should have been “LicenseRef-ArbitraryName+”. Writing out “+” as “plus” is one of the options I’m looking at.

In any case, will you take care of the inconsistencies in the spec?

Thanks,
Sebastian

From: Kate Stewart [mailto:kstew...@linuxfoundation.org]
Sent: Thursday, October 29, 2015 17:03
To: Gary O'Neall <g...@sourceauditor.com>
Cc: Schuberth, Sebastian <sebastian.schube...@here.com>; Bill Schineller <bschinel...@blackducksoftware.com>; spdx-tech@lists.spdx.org
Subject: Re: Is "+" a valid character of a LicenseRef idstring?

Hi Sebastian,

In the case of LicenseRef-LGPL-3.0+, why are you not just using the short form identifier LGPL-3.0+? If you need to preserve the extracted text, possibly look to name it LicenseRef-LGPL-3.0-plus?

Thanks, Kate

On Thu, Oct 29, 2015 at 10:21 AM, Gary O'Neall <g...@sourceauditor.com> wrote:

Hi Sebastian,

I believe that would be the expected behavior in 2.0. Unfortunately, it is incompatible than the 1.2 spec where the + would have been allowed. I don't recall discussing this specific scenario when developing the 2.0 spec - so others, feel free to comment if you disagree.

In the SPDX Tools, we have tried to maintain backwards compatibility for reading the older versions. If the spec version reads < 2.0, I would expect the tool to allow this since it would be acceptable in the 1.2 spec. There is probably a bug in the tool where it treats the LicenseRef's the same for both 2.0 and pre-2.0 versions. We could use the fix you have already written with an additional conditional on the spec version. It would probably make the code a bit messier, but it would better support backwards compatibility.

Gary

> -Original Message-
> From: Schuberth, Sebastian [mailto:sebastian.schube...@here.com]
> Sent: Thursday, October 29, 2015 1:42 AM
> To: Gary O'Neall; 'Bill Schineller'
> Cc: spdx-tech@lists.spdx.org
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
>
> I can see your point, Gary.
>
> Let me go one step back and tell you how I came across this issue: I
> had the following line in my tag-value file
>
> LicenseInfoInFile: LicenseRef-LGPL-3.0+
>
> As the spec requires to have a non-listed license declared, I also had
>
> LicenseID: LicenseRef-LGPL-3.0+
> ExtractedText: Some text.
>
> However, the parser was choking on it as was looking for "LicenseID:
> LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?
>
> Regards,
> Sebastian
>
> > -Original Message-
> > From: Gary O'Neall [mailto:g...@sourceauditor.com]
> > Sent: Wednesday, October 28, 2015 18:19
> > To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill Schineller'
> > <bschinel...@blackducksoftware.com>
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > After looking at the proposed code change, the "+" would not imply an
> > or-later operator for non-listed license ID's (a.k.a. license-refs).
> >
> > I can think of a use case that would not be satisfied if we make this
> > change to the parser:
> >
> > Use Case - SPDX Document containing a non listed license that has both
> > specific version and or later cases
> > Actors - SPDX document creator, SPDX document consumer
> > Steps:
> > - Source code contains code under a non listed license
> > - A license-ref is created to represent that code
> > - Different code contains a reference to the non listed license with
> > an "or later version" clause
> > - A license expression is created with the license-ref and a "+"
> > operator to represent the or-later
> >
> > I agree with Bill that the bug is in the spec - when we discussed
> > implementing the license expression language, we intended (or at least
> > I intended) for the same expressions to be used for listed and
> > non-listed licenses.
> >
> > Gary
> >
> > > -Original Message-
> > > From: spdx-tech-boun...@lists.spdx.org
> > > [mailto:spdx-tech-boun...@lists.spdx.org] On Behalf Of
> > > Schuberth, Sebastian
> >
Re: Is "+" a valid character of a LicenseRef idstring?
Hi Sebastian,

In the case of LicenseRef-LGPL-3.0+, why are you not just using the short form identifier LGPL-3.0+?

If you need to preserve the extracted text, possibly look to name it LicenseRef-LGPL-3.0-plus?

Thanks, Kate

On Thu, Oct 29, 2015 at 10:21 AM, Gary O'Neall <g...@sourceauditor.com> wrote:

> Hi Sebastian,
>
> I believe that would be the expected behavior in 2.0. Unfortunately, it is incompatible with the 1.2 spec where the + would have been allowed. I don't recall discussing this specific scenario when developing the 2.0 spec - so others, feel free to comment if you disagree.
>
> In the SPDX Tools, we have tried to maintain backwards compatibility for reading the older versions. If the spec version reads < 2.0, I would expect the tool to allow this since it would be acceptable in the 1.2 spec. There is probably a bug in the tool where it treats the LicenseRef's the same for both 2.0 and pre-2.0 versions. We could use the fix you have already written with an additional conditional on the spec version. It would probably make the code a bit messier, but it would better support backwards compatibility.
>
> Gary
>
> > -----Original Message-----
> > From: Schuberth, Sebastian [mailto:sebastian.schube...@here.com]
> > Sent: Thursday, October 29, 2015 1:42 AM
> > To: Gary O'Neall; 'Bill Schineller'
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > I can see your point, Gary.
> >
> > Let me go one step back and tell you how I came across this issue: I had the following line in my tag-value file
> >
> >     LicenseInfoInFile: LicenseRef-LGPL-3.0+
> >
> > As the spec requires to have a non-listed license declared, I also had
> >
> >     LicenseID: LicenseRef-LGPL-3.0+
> >     ExtractedText: Some text.
> >
> > However, the parser was choking on it as it was looking for "LicenseID: LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?
> >
> > Regards,
> > Sebastian
> >
> > > -----Original Message-----
> > > From: Gary O'Neall [mailto:g...@sourceauditor.com]
> > > Sent: Wednesday, October 28, 2015 18:19
> > > To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill Schineller' <bschinel...@blackducksoftware.com>
> > > Cc: spdx-tech@lists.spdx.org
> > > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> > >
> > > After looking at the proposed code change, the "+" would not imply an or-later operator for non-listed license ID's (a.k.a. license-refs).
> > >
> > > I can think of a use case that would not be satisfied if we make this change to the parser:
> > >
> > > Use Case - SPDX Document containing a non listed license that has both specific version and or later cases
> > > Actors - SPDX document creator, SPDX document consumer
> > > Steps:
> > > - Source code contains code under a non listed license
> > > - A license-ref is created to represent that code
> > > - Different code contains a reference to the non listed license with an "or later version" clause
> > > - A license expression is created with the license-ref and a "+" operator to represent the or-later
> > >
> > > I agree with Bill that the bug is in the spec - when we discussed implementing the license expression language, we intended (or at least I intended) for the same expressions to be used for listed and non-listed licenses.
> > >
> > > Gary
> > >
> > > > -----Original Message-----
> > > > From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-boun...@lists.spdx.org] On Behalf Of Schuberth, Sebastian
> > > > Sent: Wednesday, October 28, 2015 4:59 AM
> > > > To: Bill Schineller
> > > > Cc: spdx-tech@lists.spdx.org
> > > > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> > > >
> > > > I was assuming something like that. However, technically there shouldn't be a reason to make "+" a reserved operator for idstrings. As idstrings (or license-refs) are no compound-expression as defined in Appendix IV it should be safe to just skip parsing idstrings / license-refs for "+".
RE: Is "+" a valid character of a LicenseRef idstring?
Hi Sebastian,

I believe that would be the expected behavior in 2.0. Unfortunately, it is incompatible with the 1.2 spec where the + would have been allowed. I don't recall discussing this specific scenario when developing the 2.0 spec - so others, feel free to comment if you disagree.

In the SPDX Tools, we have tried to maintain backwards compatibility for reading the older versions. If the spec version reads < 2.0, I would expect the tool to allow this since it would be acceptable in the 1.2 spec. There is probably a bug in the tool where it treats the LicenseRef's the same for both 2.0 and pre-2.0 versions. We could use the fix you have already written with an additional conditional on the spec version. It would probably make the code a bit messier, but it would better support backwards compatibility.

Gary

> -----Original Message-----
> From: Schuberth, Sebastian [mailto:sebastian.schube...@here.com]
> Sent: Thursday, October 29, 2015 1:42 AM
> To: Gary O'Neall; 'Bill Schineller'
> Cc: spdx-tech@lists.spdx.org
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
>
> I can see your point, Gary.
>
> Let me go one step back and tell you how I came across this issue: I had the following line in my tag-value file
>
>     LicenseInfoInFile: LicenseRef-LGPL-3.0+
>
> As the spec requires to have a non-listed license declared, I also had
>
>     LicenseID: LicenseRef-LGPL-3.0+
>     ExtractedText: Some text.
>
> However, the parser was choking on it as it was looking for "LicenseID: LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?
>
> Regards,
> Sebastian
>
> > -----Original Message-----
> > From: Gary O'Neall [mailto:g...@sourceauditor.com]
> > Sent: Wednesday, October 28, 2015 18:19
> > To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill Schineller' <bschinel...@blackducksoftware.com>
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > After looking at the proposed code change, the "+" would not imply an or-later operator for non-listed license ID's (a.k.a. license-refs).
> >
> > I can think of a use case that would not be satisfied if we make this change to the parser:
> >
> > Use Case - SPDX Document containing a non listed license that has both specific version and or later cases
> > Actors - SPDX document creator, SPDX document consumer
> > Steps:
> > - Source code contains code under a non listed license
> > - A license-ref is created to represent that code
> > - Different code contains a reference to the non listed license with an "or later version" clause
> > - A license expression is created with the license-ref and a "+" operator to represent the or-later
> >
> > I agree with Bill that the bug is in the spec - when we discussed implementing the license expression language, we intended (or at least I intended) for the same expressions to be used for listed and non-listed licenses.
> >
> > Gary
> >
> > > -----Original Message-----
> > > From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-boun...@lists.spdx.org] On Behalf Of Schuberth, Sebastian
> > > Sent: Wednesday, October 28, 2015 4:59 AM
> > > To: Bill Schineller
> > > Cc: spdx-tech@lists.spdx.org
> > > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> > >
> > > I was assuming something like that. However, technically there shouldn't be a reason to make "+" a reserved operator for idstrings. As idstrings (or license-refs) are no compound-expression as defined in Appendix IV it should be safe to just skip parsing idstrings / license-refs for "+".
> > >
> > > I've made a proposal how to implement that as part of [1].
> > >
> > > [1] https://github.com/spdx/tools/pull/66
> > >
> > > Regards,
> > > Sebastian
> > >
> > > > -----Original Message-----
> > > > From: Bill Schineller [mailto:bschinel...@blackducksoftware.com]
> > > > Sent: Wednesday, October 28, 2015 12:19
> > > > To: Schuberth, Sebastian <sebastian.schube...@here.com>
> > > > Cc: spdx-tech@lists.spdx.org
> > > > Subject: Re: Is "+" a valid character of a LicenseRef idstring?
> > > >
> > > > Methinks the current intention of spec writers is:
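The version-conditional handling Gary describes above, as an added example that is not part of the thread and not the SPDX Tools code. The function names are hypothetical, the sample document is constructed from the tag-value lines Sebastian quotes, and treating a trailing "+" as the or-later operator from 2.0 onward (and as a plain idstring character before 2.0) is an assumption taken from the discussion.

```python
import re

PREFIX = "LicenseRef-"
# idstring character set the thread quotes from sections 3.13.4 / 4.6.4.
STRICT_IDSTRING = re.compile(r"[A-Za-z0-9.-]+")
# idstring character set the thread quotes from section 5.1.4 (adds "+").
PLUS_IDSTRING = re.compile(r"[A-Za-z0-9.+-]+")

# Constructed sample built from the tag-value lines quoted in the thread.
SAMPLE = """SPDXVersion: {version}
LicenseInfoInFile: {ref}
LicenseID: {ref}
ExtractedText: Some text.
"""


def spec_version(value):
    """Turn an SPDXVersion value such as 'SPDX-2.0' into (2, 0)."""
    match = re.fullmatch(r"SPDX-(\d+)\.(\d+)", value.strip())
    if not match:
        raise ValueError(f"unrecognised SPDXVersion: {value!r}")
    return int(match.group(1)), int(match.group(2))


def split_license_ref(token, version):
    """Return (license_id, or_later) for one LicenseRef token."""
    if not token.startswith(PREFIX):
        raise ValueError(f"not a LicenseRef: {token!r}")
    idstring = token[len(PREFIX):]
    if version < (2, 0):
        # Pre-2.0 reading: "+" is an ordinary idstring character.
        if not PLUS_IDSTRING.fullmatch(idstring):
            raise ValueError(f"invalid idstring: {idstring!r}")
        return token, False
    # 2.0 reading: a trailing "+" is the or-later operator, not part of the id.
    or_later = idstring.endswith("+")
    if or_later:
        idstring = idstring[:-1]
    if not STRICT_IDSTRING.fullmatch(idstring):
        raise ValueError(f"invalid idstring: {idstring!r}")
    return PREFIX + idstring, or_later


def unresolved_refs(document):
    """List LicenseRefs used in LicenseInfoInFile that have no LicenseID entry."""
    version, used, declared = None, [], set()
    for line in document.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "SPDXVersion":
            version = spec_version(value)
        elif tag == "LicenseInfoInFile" and value.startswith(PREFIX):
            used.append(value)
        elif tag == "LicenseID":
            declared.add(value)
    if version is None:
        raise ValueError("document has no SPDXVersion tag")
    missing = []
    for token in used:
        license_id, _ = split_license_ref(token, version)
        if license_id not in declared:
            missing.append(license_id)
    return missing


if __name__ == "__main__":
    for version in ("SPDX-1.2", "SPDX-2.0"):
        doc = SAMPLE.format(version=version, ref="LicenseRef-LGPL-3.0+")
        print(version, unresolved_refs(doc))
```

Under the 2.0 reading the same document reports `LicenseRef-LGPL-3.0` as undeclared, which matches the lookup Sebastian saw; a name without "+", such as the `LicenseRef-LGPL-3.0-plus` Kate suggests, resolves under both readings.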
RE: Is "+" a valid character of a LicenseRef idstring?
I can see your point, Gary.

Let me go one step back and tell you how I came across this issue: I had the following line in my tag-value file

    LicenseInfoInFile: LicenseRef-LGPL-3.0+

As the spec requires to have a non-listed license declared, I also had

    LicenseID: LicenseRef-LGPL-3.0+
    ExtractedText: Some text.

However, the parser was choking on it as it was looking for "LicenseID: LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?

Regards,
Sebastian

> -----Original Message-----
> From: Gary O'Neall [mailto:g...@sourceauditor.com]
> Sent: Wednesday, October 28, 2015 18:19
> To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill Schineller' <bschinel...@blackducksoftware.com>
> Cc: spdx-tech@lists.spdx.org
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
>
> After looking at the proposed code change, the "+" would not imply an or-later operator for non-listed license ID's (a.k.a. license-refs).
>
> I can think of a use case that would not be satisfied if we make this change to the parser:
>
> Use Case - SPDX Document containing a non listed license that has both specific version and or later cases
> Actors - SPDX document creator, SPDX document consumer
> Steps:
> - Source code contains code under a non listed license
> - A license-ref is created to represent that code
> - Different code contains a reference to the non listed license with an "or later version" clause
> - A license expression is created with the license-ref and a "+" operator to represent the or-later
>
> I agree with Bill that the bug is in the spec - when we discussed implementing the license expression language, we intended (or at least I intended) for the same expressions to be used for listed and non-listed licenses.
>
> Gary
>
> > -----Original Message-----
> > From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-boun...@lists.spdx.org] On Behalf Of Schuberth, Sebastian
> > Sent: Wednesday, October 28, 2015 4:59 AM
> > To: Bill Schineller
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > I was assuming something like that. However, technically there shouldn't be a reason to make "+" a reserved operator for idstrings. As idstrings (or license-refs) are no compound-expression as defined in Appendix IV it should be safe to just skip parsing idstrings / license-refs for "+".
> >
> > I've made a proposal how to implement that as part of [1].
> >
> > [1] https://github.com/spdx/tools/pull/66
> >
> > Regards,
> > Sebastian
> >
> > > -----Original Message-----
> > > From: Bill Schineller [mailto:bschinel...@blackducksoftware.com]
> > > Sent: Wednesday, October 28, 2015 12:19
> > > To: Schuberth, Sebastian <sebastian.schube...@here.com>
> > > Cc: spdx-tech@lists.spdx.org
> > > Subject: Re: Is "+" a valid character of a LicenseRef idstring?
> > >
> > > Methinks the current intention of spec writers is:
> > >
> > > + is now a reserved operator for the License Expression Syntax
> > >
> > > So therefore + should be illegal character in license idstring
> > >
> > > So inconsistency in this regard would seem to be a bug in the spec
> > >
> > > -Bill
> > >
> > > > On Oct 28, 2015, at 5:42 AM, Schuberth, Sebastian <sebastian.schube...@here.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0 specs seem to be inconsistent on whether "+" is a valid character in a LicenseRef's idstring, like in LicenseRef-[idstring].
> > > >
> > > > Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say
> > > >
> > > >     [idstring] is a unique string containing letters, numbers, "." or "-"
> > > >
> > > > Yet section 5.1.4 explicitly says for the case of LicenseRef
> > > >
> > > >     [idstring] is a unique string containing letters, numbers, ".", "-" or "+"
> > > >
> > > > Is there any consensus? I'd vote for "+" to be valid in order to have LicenseRefs like "LicenseRef-LGPL-3.0+".
> > > >
> > > > BTW: There's simi
Re: Is "+" a valid character of a LicenseRef idstring?
Methinks the current intention of spec writers is:

+ is now a reserved operator for the License Expression Syntax

So therefore + should be illegal character in license idstring

So inconsistency in this regard would seem to be a bug in the spec

-Bill

> On Oct 28, 2015, at 5:42 AM, Schuberth, Sebastian wrote:
>
> Hi,
>
> when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0 specs seem to be inconsistent on whether "+" is a valid character in a LicenseRef's idstring, like in LicenseRef-[idstring].
>
> Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say
>
>     [idstring] is a unique string containing letters, numbers, "." or "-"
>
> Yet section 5.1.4 explicitly says for the case of LicenseRef
>
>     [idstring] is a unique string containing letters, numbers, ".", "-" or "+"
>
> Is there any consensus? I'd vote for "+" to be valid in order to have LicenseRefs like "LicenseRef-LGPL-3.0+".
>
> BTW: There's similar inconsistencies regarding DocumentRef idstrings, see sections 2.6.4 vs. 3.13.4 / 4.6.4 and other places that refer to an SPDXID.
>
> Sebastian Schuberth
> Lead Engineer
> Open Source Governance, Chief Technology Office
> HERE, a Nokia company
RE: Is "+" a valid character of a LicenseRef idstring?
I was assuming something like that. However, technically there shouldn't be a reason to make "+" a reserved operator for idstrings. As idstrings (or license-refs) are no compound-expression as defined in Appendix IV it should be safe to just skip parsing idstrings / license-refs for "+".

I've made a proposal how to implement that as part of [1].

[1] https://github.com/spdx/tools/pull/66

Regards,
Sebastian

> -----Original Message-----
> From: Bill Schineller [mailto:bschinel...@blackducksoftware.com]
> Sent: Wednesday, October 28, 2015 12:19
> To: Schuberth, Sebastian <sebastian.schube...@here.com>
> Cc: spdx-tech@lists.spdx.org
> Subject: Re: Is "+" a valid character of a LicenseRef idstring?
>
> Methinks the current intention of spec writers is:
>
> + is now a reserved operator for the License Expression Syntax
>
> So therefore + should be illegal character in license idstring
>
> So inconsistency in this regard would seem to be a bug in the spec
>
> -Bill
>
> > On Oct 28, 2015, at 5:42 AM, Schuberth, Sebastian <sebastian.schube...@here.com> wrote:
> >
> > Hi,
> >
> > when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0 specs seem to be inconsistent on whether "+" is a valid character in a LicenseRef's idstring, like in LicenseRef-[idstring].
> >
> > Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say
> >
> >     [idstring] is a unique string containing letters, numbers, "." or "-"
> >
> > Yet section 5.1.4 explicitly says for the case of LicenseRef
> >
> >     [idstring] is a unique string containing letters, numbers, ".", "-" or "+"
> >
> > Is there any consensus? I'd vote for "+" to be valid in order to have LicenseRefs like "LicenseRef-LGPL-3.0+".
> >
> > BTW: There's similar inconsistencies regarding DocumentRef idstrings, see sections 2.6.4 vs. 3.13.4 / 4.6.4 and other places that refer to an SPDXID.
> >
> > Sebastian Schuberth
> > Lead Engineer
> > Open Source Governance, Chief Technology Office
> > HERE, a Nokia company
Is "+" a valid character of a LicenseRef idstring?
Hi,

when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0 specs seem to be inconsistent on whether "+" is a valid character in a LicenseRef's idstring, like in LicenseRef-[idstring].

Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say

    [idstring] is a unique string containing letters, numbers, "." or "-"

Yet section 5.1.4 explicitly says for the case of LicenseRef

    [idstring] is a unique string containing letters, numbers, ".", "-" or "+"

Is there any consensus? I'd vote for "+" to be valid in order to have LicenseRefs like "LicenseRef-LGPL-3.0+".

BTW: There's similar inconsistencies regarding DocumentRef idstrings, see sections 2.6.4 vs. 3.13.4 / 4.6.4 and other places that refer to an SPDXID.

Sebastian Schuberth
Lead Engineer
Open Source Governance, Chief Technology Office
HERE, a Nokia company