Re: Is "+" a valid character of a LicenseRef idstring?

2015-11-03 Thread Philippe Ombredanne 
On Tue, Nov 3, 2015 at 3:45 AM, Wheeler, David A  wrote:
> Philippe Ombredanne wrote:
[...]
>> You say:
>> GPL-2.0 ==> implies  GPL 2.0 only
>> GPL-2.0+ ==> implies  GPL 2.0 or later
> That's not just what I say.  That's what the spec says, and has
> clearly stated since circa 2010.
> This would have been a useful argument to raise in 2010 (when SPDX was
> drafted).  But this group doesn't exist to create a new spec where
> none has existed. For more than 5 years SPDX has consistently stated
> that "GPL-2.0" means ONLY GPL-2.0 and nothing else.  This builds on
> previous history of Fedora and Debian, who also use "+" this way,
> e.g., see: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing

David:
I know this as I was part of it and that does not make it more right ...
FWIW, I have been around SPDX for quite a while ;).
See "A Short History of SPDX":  https://spdx.org/about-spdx/what-is-spdx

> While I know you're focusing on the GPL, there are many other
> licenses, and most licenses do NOT have a "this or later version"
> clause;

The focus is not only on the GPL:
well over 25% of the SPDX licenses DO HAVE a "this or later version"
clause. Here are some examples:

- Most of the FSF licenses: The GPL and LGPL and all their versions.
  But also the AGPL, the GFDL, etc.
- all the Mozilla-like license: NPLs, MPLs and all the MPL derivatives
  such as SPL, CPAL, Erlang, RPL, APSL, Gsoap, ZIMBRA, SISL, etc.
- most of the Creative Common licenses,
- The Eclipse licenses and the CPLs,
- the CDDLs,
- the PHP license,
- OpenLDAP, Latex/LPPL, LPL, Condor, CATOSL, RPSL, CECILL, etc.

For all SPDX licenses allowing other versions, the bare identifier means
"or later version", except for the L/GPL where this means "only the
current version" unless you create an expression with a "+".

So the decision procedure to use a plus or not is roughly like this:

If licensing allows to use "other license versions":
 - If and only if GPL or LGPL, add a + to the license identifier.
   "other license versions" is NOT implied.

 - Otherwise, if this not GPL or LGPL, do NOT add a +.
   "other license versions" is implied if the license allows such thing.
   Do this ONLY for any versions of these two licenses. Do not apply
   this approach to other FSF licenses such AGPL, GFDL and others.

 - Except if you are a Linux packager for Debian or Fedora and their
   derivatives, because then you may use the + for other FSF
   licenses beyond the L/GPL. The + is already used with GFDL,
   AGPL, etc. Do not use a plus for non-FSF licenses that
   have an "or later" clause.

If licensing does NOT allow to use "other license versions":
 - If and only if LGPL or LGPL, use the bare license identifier.
   "no other license version" is implied by a bare id.

 - Except if you are a Linux packager because you apply
   the same approach for other FSF licenses.

 - If this is another license, then?
   "other license version" IS implied in a bare id here.
   SPDX does not help you there, and you could create an
   exception.This is a rare case anyway.

> having the default be what's common in MOST licenses is
> actually sensible.

This is exactly my point. The common sense and default usage for L/GPL
is ". And Linux distros and SPDX have made the default "or later"
exceptional and the less common "only" exception the default.

So how to resolve this situation?

In the grand scheme of things, "only" and "or later" are minute
technicalities that the large majority of software users do not care
for. The licenses requirements are essentially the same and
"later or not later" is not the question.
Only a few licensing mavens care about this and they know how to deal
with it.

But SPDX is likely stuck with this inconsistent legacy and yes this is
hard to escape without creating more mess. It does not mean that we
cannot try to clarify and improve things.

First we need to distinguish two types of licenses allowing
"other versions":

a. FSF licenses such as the A/L/GPL. These are the only licenses were a
plus + convention has been used by Linux distros and SPDX with some
consistency.

b. Non-FSF licenses. I cannot find cases where the plus + convention
has been used in the wild or with SPDX for these.


Some ways out could include:

Option 1. Do mostly nothing.
-
Keep the status quo and clarify the current ambiguities:
We document the procedure I described above and move on.
We accept this is a mess and make it a documented mess.
This is an OK option. And requires little or no work.


Option 2. Change the meaning of every bare license id that allow
"or later" to mean "this version only". FSF or not FSF.

No change of license ids is needed, only the SPDX full names and notes
need to be updated the same way the full name of the GPL-2.0 is:
"GNU General Public License v2.0 only"

And we explain that to express the default case of "or later" you always
need to create an expression with a +. This would provide a consistent

Re: Is "+" a valid character of a LicenseRef idstring?

2015-11-03 Thread Kate Stewart 
On Tue, Nov 3, 2015 at 9:27 AM, Wheeler, David A  wrote:

> Philippe Ombredanne:
>
> > But SPDX is likely stuck with this inconsistent legacy and yes this is
> hard to escape without creating more mess. It does not mean that we cannot
> try to clarify and improve things.
>
> Sure, but I think "GPL-2.0" MUST continue to mean "GPL version 2.0 and no
> other version", because that's the spec that everyone is depending on, this
> is a common case, and this is the convention that all other license naming
> systems also.  Changing a key existing meaning in a standard is a bad thing.
>
> Perhaps SPDX should add an additional postfix operation like "!" to mean
> "exactly this version and no other".  Then encourage always using the
> postfixes "+" or "!" in license expressions for licenses that have "or any
> later version" text.  E.G., "GPL-2.0!" might be the preferred way to
> express "exactly GPL version 2.0" while "GPL-2.0+" would continue to mean
> "GPL version 2.0 or later". Then you can deprecate license expressions
> where a license uses "or any later version" text and omits a postfix (e.g.,
> "GPL-2.0" is a legal name of a license but a deprecated license
> expression).  You could even allow postfix "?" to mean it's unknown if
> later versions are allowed or not, a plausible tool result.  This would
> mean that SPDX would need to track which licenses have "or later version"
> text, to encourage people add the postfix operation, but that's easily done.


Adding additional postfix operators is an interesting idea.  We do need to
keep the existing semantics we've got here in terms of how the licenses are
expressed (and other communities like Fedora and Debian) already use them,
or as you say, risk major confusion emerging.

Improving this situation by adding "!" to be explicit is an elegant way of
starting to be explicit - and transitioning to being more precise in the
future.I'm not so sure about "?",  but its certainly worth further
discussion.

Kate
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-03 Thread Wheeler, David A 
Philippe Ombredanne:
> The focus is not only on the GPL: well over 25% of the SPDX licenses DO HAVE 
> a "this or later version" clause
> In the grand scheme of things, "only" and "or later" are minute 
> technicalities that the large majority of software users do not care for. The 
> licenses requirements are essentially the same and "later or not later" is 
> not the question. Only a few licensing mavens care about this and they know 
> how to deal with it.

These are not minor technicalities from a legal point of view; versions are 
important.  They control what is allowed and not allowed.

It's true that many developers don't care about license versions, but many 
developers don't care about licensing or if what they're doing is legal.  I 
know we *do* agree that we should work for a higher standard :-).

> But SPDX is likely stuck with this inconsistent legacy and yes this is hard 
> to escape without creating more mess. It does not mean that we cannot try to 
> clarify and improve things.

Sure, but I think "GPL-2.0" MUST continue to mean "GPL version 2.0 and no other 
version", because that's the spec that everyone is depending on, this is a 
common case, and this is the convention that all other license naming systems 
also.  Changing a key existing meaning in a standard is a bad thing. 

Perhaps SPDX should add an additional postfix operation like "!" to mean 
"exactly this version and no other".  Then encourage always using the postfixes 
"+" or "!" in license expressions for licenses that have "or any later version" 
text.  E.G., "GPL-2.0!" might be the preferred way to express "exactly GPL 
version 2.0" while "GPL-2.0+" would continue to mean "GPL version 2.0 or 
later". Then you can deprecate license expressions where a license uses "or any 
later version" text and omits a postfix (e.g., "GPL-2.0" is a legal name of a 
license but a deprecated license expression).  You could even allow postfix "?" 
to mean it's unknown if later versions are allowed or not, a plausible tool 
result.  This would mean that SPDX would need to track which licenses have "or 
later version" text, to encourage people add the postfix operation, but that's 
easily done.

--- David A. Wheeler


___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Wheeler, David A 
Schuberth, Sebastian  wrote:

> Using a  + is a whart. Licenses that allow the use of other versions do so 
> explicitly in their texts, the GPL being the most prominent but the EPL comes 
> to mind too. So there is no such thing as GPL-2.0 or another version: these 
> are the plain default GPL terms.

The issue is how the software is licensed, not what the text of the GPL (or 
anything else) is.  The use of "+" to mean "or later" is a long-standing 
convention preceding SPDX.

> Essentially GPL-2.0 and GPL-2.0+ mean exactly the same the thing.

No, there's a need to distinguish between "exactly this version" or "this 
version of later".  Some software, such as the Linux kernel, are GPL version 
2.0 only.

--- David A. Wheeler

___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Gary O'Neall 
Hi Philippe,


> -Original Message-
> From: spdx-legal-boun...@lists.spdx.org [mailto:spdx-legal-
> boun...@lists.spdx.org] On Behalf Of Philippe Ombredanne
> Sent: Monday, November 2, 2015 1:57 AM
> To: Schuberth, Sebastian; spdx-tech@lists.spdx.org; SPDX-legal
> Subject: Re: Is "+" a valid character of a LicenseRef idstring?
> 
> On Wed, Oct 28, 2015 at 10:28 AM, Schuberth, Sebastian
> <sebastian.schube...@here.com> wrote:
> 
> > when debugging an issue in the spdx-tools verifier, I noticed the
> SPDX
> > 2.0 specs seem to be inconsistent on whether "+" is a valid character
> > in a LicenseRef's idstring, like in LicenseRef-[idstring].
> 
> I not see any reason why a + would not be allowed in a reference, and
> there is no ambiguity since the + always something attached to an id or
> ref string, not some free standing symbol.
[Gary] In the 2.0 spec, the + is a unary operator with a specific meaning
(see Appendix IV of the 2.0 spec "Simple License Expressions" subsection
page 82).  If we are to use it as an operator with License Ref's, it would
be difficult for a parser to determine when it is part of a reference string
and when it is intended as an operator.
Gary

___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

Re: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Philippe Ombredanne 
>> On Wed, Oct 28, 2015 at 10:28 AM, Schuberth, Sebastian wrote:
>>> when debugging an issue in the spdx-tools verifier, I noticed the
>>> SPDX 2.0 specs seem to be inconsistent on whether "+" is a
>>> valid character in a LicenseRef's idstring, like in LicenseRef-[idstring].

> I wrote:
>> I not see any reason why a + would not be allowed in a reference, and
>> there is no ambiguity since the + always something attached to an id or
>> ref string, not some free standing symbol.

On Mon, Nov 2, 2015 at 7:02 PM, Gary O'Neall  wrote:
> In the 2.0 spec, the + is a unary operator with a specific meaning
> (see Appendix IV of the 2.0 spec "Simple License Expressions" subsection
> page 82).  If we are to use it as an operator with License Ref's, it would
> be difficult for a parser to determine when it is part of a reference string
> and when it is intended as an operator.

This + is a suffix and not a freestanding character, right?
So "GPL-2.0+" is valid but "GPL-2.0+" would not be valid?
In this case there would be no issue to have a plus as part of a licenseref:
there is no possible ambiguity.

Then again we would be better off to get rid of the plus entirely!

-- 
Cordially
Philippe Ombredanne
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Wheeler, David A 
I said:
> In particular, "GPL-2.0" is a license identifier, and "GPL-2.0+" is *NOT*.

Just a few nitpicks on my previous email:
* I realize that "GPL-2.0+" is in the list of "deprecated" license identifiers, 
so in some sense there is a  "GPL-2.0+" license identifier.  But I think it's 
clear what the *intent* is; the deprecated entry is only for legacy use.
* I only talked about pre-defined license identifiers with short forms.  I 
realize that there can be licenses not in the list, and those are handled 
differently. 

--- David A. Wheeler
 
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Tom Incorvia 
So we're all on the same page in this discussion:  are you are referring to 
this section of the GPL-2.0 license:

==
Each version is given a distinguishing version number. If the Program specifies 
a version number of this License which applies to it and "any later version", 
you have the option of following the terms and conditions either of that 
version or of any later version published by the Free Software Foundation. If 
the Program does not specify a version number of this License, you may choose 
any version ever published by the Free Software Foundation.
==

Tom Incorvia; tom.incor...@microfocus.com; O: (512) 340-1336; M: (215) 500 
8838; Shoretel (Internal): X27015


-Original Message-
From: spdx-legal-boun...@lists.spdx.org 
[mailto:spdx-legal-boun...@lists.spdx.org] On Behalf Of Philippe Ombredanne
Sent: Monday, November 02, 2015 1:10 PM
To: Wheeler, David A <dwhee...@ida.org>
Cc: spdx-tech@lists.spdx.org; SPDX-legal <spdx-le...@lists.spdx.org>
Subject: Re: Is "+" a valid character of a LicenseRef idstring?

On Mon, Nov 2, 2015 at 2:07 PM, Wheeler, David A <dwhee...@ida.org> wrote:
>On Mon, Nov 2, 2015 at 10:56 AM, Philippe Ombredanne <pombreda...@nexb.com> 
>wrote:

David:
> Schuberth, Sebastian <sebastian.schube...@here.com> wrote:
I think you are misquoted my reply for being from Sebastian.

> The issue is how the software is licensed, not what the text of the 
> GPL (or anything else) is.  The use of "+" to mean "or later" is a 
> long-standing convention preceding SPDX.

Pardon me, but I think the text(s) of the GPL define how the the software is 
licensed...
As I said initially I agree this is indeed a long standing convention.
But this does not mean that this a correct convention and that the status-quo 
should continue.

FWIW, I said essentially the same thing as you about the origin of this + 
notation:

On Mon, Nov 2, 2015 at 10:56 AM, Philippe Ombredanne <pombreda...@nexb.com> 
wrote:
>> So to me it [the +] is  an exception to the GPL-2.0 (or 3) to 
>> disallow the use of other versions. A fairly common exception because 
>> it is used in the kernel and that likely led to this flawed but 
>> widely spread approach to be adopted by Linux distros. And later adopted by 
>> SPDX.


On Mon, Nov 2, 2015 at 10:56 AM, Philippe Ombredanne <pombreda...@nexb.com> 
wrote:
>> Essentially GPL-2.0 and GPL-2.0+ mean exactly the same the thing.
> No, there's a need to distinguish between "exactly this version" or "this 
> version of later".
> Some software, such as the Linux kernel, are GPL version 2.0 only.

My point here is that when I refer to the GPL 2.0 I have by default the rights 
to use any other version, unless  as a special EXCEPTION you are telling me 
that I can use only this version and no other version.
So GPL-2.0 with no-other-version would be capturing better the exceptional 
nature of the version restriction, than GPL-2.0+ does in forcing a plus in the 
general case

--
Cordially
Philippe Ombredanne
___
Spdx-legal mailing list
spdx-le...@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Gary O'Neall 
Good point.

What makes this particular syntax more confusing is that pre-2.0 the + was
considered part of the license identifier.  It was promoted to an operator
in the 2.0 spec which does create some backwards compatibility issues (as
well as some confusion).

Gary
> -Original Message-
> From: Wheeler, David A [mailto:dwhee...@ida.org]
> Sent: Monday, November 2, 2015 12:12 PM
> To: Philippe Ombredanne; Gary O'Neall
> Cc: spdx-tech@lists.spdx.org; SPDX-legal
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> 
> Philippe Ombredanne:
> > This + is a suffix and not a freestanding character, right?
> > Then again we would be better off to get rid of the plus entirely!
> 
> You may be confusing a SPDX "license identifier" and a SPDX "license
> expression".  It's a subtle point.
> 
> The purpose of a "license identifier" is to identify a specific text of
> a specific license text, using a short name.  In SPDX 2.0 there is no
> "+" in a standard license identifier.  In particular, "GPL-2.0" is a
> license identifier, and "GPL-2.0+" is *NOT*.  If all you want to do is
> identify a particular license text, use a license identifier.  No "+"
> exists at the end of a license identifier.
> 
> However, a "license identifier" is often inadequate for describing the
> licensing requirements imposed on users and later developers.  Many
> packages have different subcomponents with different licenses.  Many
> packages include the text of some license (such as the GPL version
> 2.0), but there are often two possible cases:
> - You must use this particular version of the license.
> - You may use this or any later version of the license.
> 
> Thus, SPDX 2.0 defines a "license expression" for describing how
> license texts apply to software packages,.  A license expression is
> built out of license identifiers but adds ways to describe how the
> license texts are used. A "+" appended after the name of a license
> identifier means "or any later version may also be used".  E.G., the
> license expressions "(GPL-2.0+ WITH Classpath-Exception-2.0)" and "(MIT
> AND BSD-3-CLAUSE)" express how the license text requirements are
> imposed on recipients (users and developers).  License expressions use
> the long-standing convention is that if software is licensed using
> "this or any later version" you add a "+" to the name of the license.
> You can argue that the "+" should be the default, but standards
> typically work best if they build on pre-existing conventions, and that
> was certainly the case here.
> 
> --- David A. Wheeler

___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Gary O'Neall 
Hi Philippe,

> This + is a suffix and not a freestanding character, right?
> So "GPL-2.0+" is valid but "GPL-2.0+" would not be valid?
[Gary] 
[Gary] My interpretation of the spec "GPL-2.0+" and "GPL-2.0+" are both 
syntactically valid (as well as MIT+, LicenseRef-21+ and any other listed 
license ID or licenseRef).  This is not any statement on the interpretation, 
just the license expression syntax (I'll leave the interpretation discussions 
to a separate thread).

In general, I would prefer any operator character(s) to be excluded from the 
allowed characters for a license reference to keep the parsing clear and easier 
to implement.

Gary


___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

Re: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Philippe Ombredanne 
On Mon, Nov 2, 2015 at 9:12 PM, Wheeler, David A  wrote:
> Philippe Ombredanne:
>> This + is a suffix and not a freestanding character, right?
>> Then again we would be better off to get rid of the plus entirely!

> You may be confusing a SPDX "license identifier" and a SPDX "license
> expression".  It's a subtle point.

I am not confusing these at all. The gist of what I am saying is that
the plus is a legacy that should not be there. It does not make sense to
add to the large majority of GPL in the wild a + just to deal with a few
exceptions that do not allow other versions. Exceptions should be dealt
with an exception not with an extra + in an expression.

> The purpose of a "license identifier" is to identify a specific text
> of a specific license text, using a short name. In SPDX 2.0 there is
> no "+" in a standard license identifier.  In particular, "GPL-2.0" is
> a license identifier, and "GPL-2.0+" is *NOT*.  If all you want to do
> is identify a particular license text, use a license identifier. No
> "+"exists at the end of a license identifier.
>
> However, a "license identifier" is often inadequate for describing
> the licensing requirements imposed on users and later developers.
> Many packages have different subcomponents with different licenses.
> Many packages include the text of some license (such as the GPL
> version 2.0), but there are often two possible cases:
> - You must use this particular version of the license.
> - You may use this or any later version of the license.
> Thus, SPDX 2.0 defines a "license expression" for describing how
> license texts apply to software packages,.  A license expression is
> built out of license identifiers but adds ways to describe how the
> license texts are used. A "+" appended after the name of a license
> identifier means "or any later version may also be used".  E.G., the
> license expressions "(GPL-2.0+ WITH Classpath-Exception-2.0)" and
> "(MIT AND BSD-3-CLAUSE)" express how the license text requirements
> are imposed on recipients (users and developers).  License expressions
> use the long-standing convention is that if software is licensed
> using "this or any later version" you add a "+" to the name of the
> license. You can argue that the "+" should be the default,
> but standards typically work best if they build on pre-existing
> conventions, and that was certainly the case here.

David:
What you saying in substance is that every time I want state
that code is licensed under the GPL 2.0 or any other version
(which is the default), you want me to craft a special license
expression with a plus. And If do not craft that expression,
then the SPDX meaning is that only the current version applies
and not any later version.

I am saying this instead: Since the default for the GPL is to allow
later versions, we should by default state the opposite:
The few times that "only the current version" should be used, state
this explicitly with an exception.


You say:
GPL-2.0 ==> implies  GPL 2.0 only
GPL-2.0+ ==> implies  GPL 2.0 or later

I say:
GPL-2.0 ==> implies  GPL 2.0 with its defaults (including later versions)
GPL-2.0 with no-other-version  ==> implies GPL 2.0 and no other version

Explicit is better than implicit.


My rationale:
Practically the use of a GPL version "only" is much less frequent
than the default "or later" and therefore forcing me to add a plus
is a source of confusion.

The most common use case should be the default and should not
require a special addition of a character in an expression.

"only" should be an exception and not the default, because it is
not the default, nor the prevalent usage of the GPL: it is exceptional.

The fact that the + convention has been used by Linux distros
package maintainers and neither always strictly nor consistently
does not make this right and something that should be endorsed blindly.

So to recap:
I am NOT arguing about the syntax to express this.

I am arguing about the essence of the meaning of the plain GPL-2.0
license key in a simple expression.

The mere use of a GPL-2.0 identifier should convey that the license
is GPL-2.0 or any other version.

We should have an exception to convey the rarer cases when only
the stated version applies.

The benefits are:
1. no ambiguity about the meaning of widely used licenses such as
the GPL.
2. simpler spec
2. simpler expressions in most cases, more verbose and more explicit
expressions when needed in some rarer cases.

-- 
Cordially
Philippe Ombredanne
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

Re: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Philippe Ombredanne 
On Mon, Nov 2, 2015 at 8:17 PM, Tom Incorvia
 wrote:

> So we're all on the same page in this discussion: are you are
> referring to this section of the GPL-2.0 license:
>
> ==
> Each version is given a distinguishing version number. If the Program
> specifies a version number of this License which applies to it and
> "any later version", you have the option of following the terms and
> conditions either of that version or of any later version published
> by the Free Software Foundation. If the Program does not specify a
> version number of this License, you may choose any version ever
> published by the Free Software Foundation.
> ==

Yes, exactly that, and the related text found in the proposed
notice text found at the end of the GPL text:


This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
by the Free Software Foundation; either version 2 of the License,
or (at your option) any later version.


... which is the default notice I see in most cases (except for
the not-so-uncommon case of the Kernel).

My take is that the large majority of programmers applying the
GPL to their work just take the default notice and only a very
few make an exception and restrict this to an exact version.

I even have pseudo scientific evidence to support this claim ;)
http://www.googlefight.com/free+software+foundation+and+no+other+version-vs-free+software+foundation%3B+either+version+2.php

-- 
Cordially
Philippe Ombredanne
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

Re: Is "+" a valid character of a LicenseRef idstring?

2015-11-02 Thread Philippe Ombredanne 
On Mon, Nov 2, 2015 at 10:36 PM, Gary O'Neall  wrote:
>> This + is a suffix and not a freestanding character, right?
>> So "GPL-2.0+" is valid but "GPL-2.0+" would not be valid?

> My interpretation of the spec "GPL-2.0+" and "GPL-2.0+" are both 
> syntactically
> valid (as well as MIT+, LicenseRef-21+ and any other listed license ID or
> licenseRef).  This is not any statement on the interpretation, just the 
> license
> expression syntax (I'll leave the interpretation discussions to a separate 
> thread).
> In general, I would prefer any operator character(s) to be excluded from the
> allowed characters for a license reference to keep the parsing clear and
> easier to implement.

Gary, I cannot envision a simpler implementation than splitting on spaces.

A plus sign specified as a suffix that is not attached to a license key would
no longer be a suffix to me, but something entirely different.

My interpretation of the spec is that the + sign must be attached to the license
key and all examples provided in the spec support this interpretation.
If that part is not clear, let's fix the spec. This is not something frozen.

Now that said, I do not like the plus at all and we should remove entirely from
the spec.

-- 
Cordially
Philippe Ombredanne
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-10-30 Thread Schuberth, Sebastian 
Hi Kate,

the example of “LicenseRef-LGPL-3.0+” was a bad one. It should have been 
“LicenseRef-ArbitraryName+”. Writing out “+” as “plus” is one of the options 
I’m looking at.

In any case, will you take care of the inconsistencies in the sepec?

Thanks,
Sebastian


From: Kate Stewart [mailto:kstew...@linuxfoundation.org]
Sent: Thursday, October 29, 2015 17:03
To: Gary O'Neall <g...@sourceauditor.com>
Cc: Schuberth, Sebastian <sebastian.schube...@here.com>; Bill Schineller 
<bschinel...@blackducksoftware.com>; spdx-tech@lists.spdx.org
Subject: Re: Is "+" a valid character of a LicenseRef idstring?

Hi Sebastian,
 In the case of LicenseRef-LGPL-3.0+,  why are you not just using the short 
form identifier LGPL-3.0+?
If you need to preserve the extracted text, possibly look to name it 
LicenseRef-LGPL-3.0-plus?

Thanks, Kate


On Thu, Oct 29, 2015 at 10:21 AM, Gary O'Neall 
<g...@sourceauditor.com<mailto:g...@sourceauditor.com>> wrote:
Hi Sebastian,

I believe that would be the expected behavior in 2.0.  Unfortunately, it is
incompatible than the 1.2 spec where the + would have been allowed.  I don't
recall discussing this specific scenario when developing the 2.0 spec - so
others, feel free to comment if you disagree.

In the SPDX Tools, we have tried to maintain backwards compatibility for
reading the older versions.  If the spec version reads < 2.0, I would expect
the tool to allow this since it would be acceptable in the 1.2 spec. There
is probably a bug in the tool where it treats the LicenseRef's the same for
both 2.0 and pre-2.0 versions.  We could use the fix you have already
written with an additional conditional on the spec version.  It would
probably make the code a bit messier, but it would better support backwards
compatibility.

Gary

> -Original Message-
> From: Schuberth, Sebastian 
> [mailto:sebastian.schube...@here.com<mailto:sebastian.schube...@here.com>]
> Sent: Thursday, October 29, 2015 1:42 AM
> To: Gary O'Neall; 'Bill Schineller'
> Cc: spdx-tech@lists.spdx.org<mailto:spdx-tech@lists.spdx.org>
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
>
> I can see your point, Gary.
>
> Let me go one step back and tell you how I came across this issue: I
> had the following line in my tag-value file
>
> LicenseInfoInFile: LicenseRef-LGPL-3.0+
>
> As the spec requires to have a non-listed license declared, I also had
>
> LicenseID: LicenseRef-LGPL-3.0+
> ExtractedText: Some text.
>
> However, the parser was choking on it as was looking for "LicenseID:
> LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?
>
> Regards,
> Sebastian
>
>
> > -Original Message-
> > From: Gary O'Neall 
> > [mailto:g...@sourceauditor.com<mailto:g...@sourceauditor.com>]
> > Sent: Wednesday, October 28, 2015 18:19
> > To: Schuberth, Sebastian 
> > <sebastian.schube...@here.com<mailto:sebastian.schube...@here.com>>; 'Bill
> Schineller'
> > <bschinel...@blackducksoftware.com<mailto:bschinel...@blackducksoftware.com>>
> > Cc: spdx-tech@lists.spdx.org<mailto:spdx-tech@lists.spdx.org>
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > After looking at the proposed code change, the "+" would not imply an
> > or- later operator for non-listed license ID's (a.k.a. license-refs).
> >
> > I can think of a use case that would not be satisfied if we make this
> > change to the parser:
> >
> > Use Case - SPDX Document containing a non listed license that has
> both
> > specific version and or later cases Actors - SPDX document creator,
> > SPDX document consumer
> > Steps:
> > - Source code contains code under a non listed license
> > - A license-ref is created to represent that code
> > - Different code contains a reference to the non listed license with
> > an "or later version" clause
> > - A license expression is created with the license-ref and a "+"
> > operator to represent the or-later
> >
> > I agree with Bill that the bug is in the spec - when we discussed
> > implementing the license expression language, we intended (or at
> least
> > I
> > intended) for the same expressions to be used for listed and
> > non-listed licenses.
> >
> > Gary
> >
> > > -Original Message-
> > > From: 
> > > spdx-tech-boun...@lists.spdx.org<mailto:spdx-tech-boun...@lists.spdx.org> 
> > > [mailto:spdx-tech-<mailto:spdx-tech->
> > > boun...@lists.spdx.org<mailto:boun...@lists.spdx.org>] On Behalf Of 
> > > Schuberth, Sebastian
> >

Re: Is "+" a valid character of a LicenseRef idstring?

2015-10-29 Thread Kate Stewart 
Hi Sebastian,
 In the case of LicenseRef-LGPL-3.0+,  why are you not just using the
short form identifier LGPL-3.0+?
If you need to preserve the extracted text, possibly look to name it
LicenseRef-LGPL-3.0-plus?

Thanks, Kate


On Thu, Oct 29, 2015 at 10:21 AM, Gary O'Neall <g...@sourceauditor.com>
wrote:

> Hi Sebastian,
>
> I believe that would be the expected behavior in 2.0.  Unfortunately, it is
> incompatible than the 1.2 spec where the + would have been allowed.  I
> don't
> recall discussing this specific scenario when developing the 2.0 spec - so
> others, feel free to comment if you disagree.


> In the SPDX Tools, we have tried to maintain backwards compatibility for
> reading the older versions.  If the spec version reads < 2.0, I would
> expect
> the tool to allow this since it would be acceptable in the 1.2 spec. There
> is probably a bug in the tool where it treats the LicenseRef's the same for
> both 2.0 and pre-2.0 versions.  We could use the fix you have already
> written with an additional conditional on the spec version.  It would
> probably make the code a bit messier, but it would better support backwards
> compatibility.
>
> Gary
>
> > -Original Message-
> > From: Schuberth, Sebastian [mailto:sebastian.schube...@here.com]
> > Sent: Thursday, October 29, 2015 1:42 AM
> > To: Gary O'Neall; 'Bill Schineller'
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > I can see your point, Gary.
> >
> > Let me go one step back and tell you how I came across this issue: I
> > had the following line in my tag-value file
> >
> > LicenseInfoInFile: LicenseRef-LGPL-3.0+
> >
> > As the spec requires to have a non-listed license declared, I also had
> >
> > LicenseID: LicenseRef-LGPL-3.0+
> > ExtractedText: Some text.
> >
> > However, the parser was choking on it as was looking for "LicenseID:
> > LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?
> >
> > Regards,
> > Sebastian
> >
> >
> > > -Original Message-
> > > From: Gary O'Neall [mailto:g...@sourceauditor.com]
> > > Sent: Wednesday, October 28, 2015 18:19
> > > To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill
> > Schineller'
> > > <bschinel...@blackducksoftware.com>
> > > Cc: spdx-tech@lists.spdx.org
> > > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> > >
> > > After looking at the proposed code change, the "+" would not imply an
> > > or- later operator for non-listed license ID's (a.k.a. license-refs).
> > >
> > > I can think of a use case that would not be satisfied if we make this
> > > change to the parser:
> > >
> > > Use Case - SPDX Document containing a non listed license that has
> > both
> > > specific version and or later cases Actors - SPDX document creator,
> > > SPDX document consumer
> > > Steps:
> > > - Source code contains code under a non listed license
> > > - A license-ref is created to represent that code
> > > - Different code contains a reference to the non listed license with
> > > an "or later version" clause
> > > - A license expression is created with the license-ref and a "+"
> > > operator to represent the or-later
> > >
> > > I agree with Bill that the bug is in the spec - when we discussed
> > > implementing the license expression language, we intended (or at
> > least
> > > I
> > > intended) for the same expressions to be used for listed and
> > > non-listed licenses.
> > >
> > > Gary
> > >
> > > > -Original Message-
> > > > From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-
> > > > boun...@lists.spdx.org] On Behalf Of Schuberth, Sebastian
> > > > Sent: Wednesday, October 28, 2015 4:59 AM
> > > > To: Bill Schineller
> > > > Cc: spdx-tech@lists.spdx.org
> > > > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> > > >
> > > > I was assuming something like that. However, technically there
> > > > shouldn't be a reason to make "+" a reserved operator for
> > idstrings.
> > > > As idstrings (or license-refs) are no compound-expression as
> > defined
> > > > in Appendix IV it should be safe to just skip parsing idstrings /
> > > > license- refs for "+".
> > >

RE: Is "+" a valid character of a LicenseRef idstring?

2015-10-29 Thread Gary O'Neall 
Hi Sebastian,

I believe that would be the expected behavior in 2.0.  Unfortunately, it is
incompatible than the 1.2 spec where the + would have been allowed.  I don't
recall discussing this specific scenario when developing the 2.0 spec - so
others, feel free to comment if you disagree.

In the SPDX Tools, we have tried to maintain backwards compatibility for
reading the older versions.  If the spec version reads < 2.0, I would expect
the tool to allow this since it would be acceptable in the 1.2 spec. There
is probably a bug in the tool where it treats the LicenseRef's the same for
both 2.0 and pre-2.0 versions.  We could use the fix you have already
written with an additional conditional on the spec version.  It would
probably make the code a bit messier, but it would better support backwards
compatibility.

Gary

> -Original Message-
> From: Schuberth, Sebastian [mailto:sebastian.schube...@here.com]
> Sent: Thursday, October 29, 2015 1:42 AM
> To: Gary O'Neall; 'Bill Schineller'
> Cc: spdx-tech@lists.spdx.org
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> 
> I can see your point, Gary.
> 
> Let me go one step back and tell you how I came across this issue: I
> had the following line in my tag-value file
> 
> LicenseInfoInFile: LicenseRef-LGPL-3.0+
> 
> As the spec requires to have a non-listed license declared, I also had
> 
> LicenseID: LicenseRef-LGPL-3.0+
> ExtractedText: Some text.
> 
> However, the parser was choking on it as was looking for "LicenseID:
> LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?
> 
> Regards,
> Sebastian
> 
> 
> > -Original Message-
> > From: Gary O'Neall [mailto:g...@sourceauditor.com]
> > Sent: Wednesday, October 28, 2015 18:19
> > To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill
> Schineller'
> > <bschinel...@blackducksoftware.com>
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > After looking at the proposed code change, the "+" would not imply an
> > or- later operator for non-listed license ID's (a.k.a. license-refs).
> >
> > I can think of a use case that would not be satisfied if we make this
> > change to the parser:
> >
> > Use Case - SPDX Document containing a non listed license that has
> both
> > specific version and or later cases Actors - SPDX document creator,
> > SPDX document consumer
> > Steps:
> > - Source code contains code under a non listed license
> > - A license-ref is created to represent that code
> > - Different code contains a reference to the non listed license with
> > an "or later version" clause
> > - A license expression is created with the license-ref and a "+"
> > operator to represent the or-later
> >
> > I agree with Bill that the bug is in the spec - when we discussed
> > implementing the license expression language, we intended (or at
> least
> > I
> > intended) for the same expressions to be used for listed and
> > non-listed licenses.
> >
> > Gary
> >
> > > -Original Message-
> > > From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-
> > > boun...@lists.spdx.org] On Behalf Of Schuberth, Sebastian
> > > Sent: Wednesday, October 28, 2015 4:59 AM
> > > To: Bill Schineller
> > > Cc: spdx-tech@lists.spdx.org
> > > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> > >
> > > I was assuming something like that. However, technically there
> > > shouldn't be a reason to make "+" a reserved operator for
> idstrings.
> > > As idstrings (or license-refs) are no compound-expression as
> defined
> > > in Appendix IV it should be safe to just skip parsing idstrings /
> > > license- refs for "+".
> > >
> > > I've make a proposal how to implement that as part of [1].
> > >
> > > [1] https://github.com/spdx/tools/pull/66
> > >
> > > Regards,
> > > Sebastian
> > >
> > >
> > > > -Original Message-
> > > > From: Bill Schineller [mailto:bschinel...@blackducksoftware.com]
> > > > Sent: Wednesday, October 28, 2015 12:19
> > > > To: Schuberth, Sebastian <sebastian.schube...@here.com>
> > > > Cc: spdx-tech@lists.spdx.org
> > > > Subject: Re: Is "+" a valid character of a LicenseRef idstring?
> > > >
> > > > Methinks the current intention of spec writers is:
> > > >
> > > &

RE: Is "+" a valid character of a LicenseRef idstring?

2015-10-29 Thread Schuberth, Sebastian 
I can see your point, Gary.

Let me go one step back and tell you how I came across this issue: I had the 
following line in my tag-value file

LicenseInfoInFile: LicenseRef-LGPL-3.0+

As the spec requires to have a non-listed license declared, I also had

LicenseID: LicenseRef-LGPL-3.0+
ExtractedText: Some text.

However, the parser was choking on it as was looking for "LicenseID: 
LicenseRef-LGPL-3.0", without the plus. Is that the intended behavior?

Regards,
Sebastian


> -Original Message-
> From: Gary O'Neall [mailto:g...@sourceauditor.com]
> Sent: Wednesday, October 28, 2015 18:19
> To: Schuberth, Sebastian <sebastian.schube...@here.com>; 'Bill Schineller'
> <bschinel...@blackducksoftware.com>
> Cc: spdx-tech@lists.spdx.org
> Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> 
> After looking at the proposed code change, the "+" would not imply an or-
> later operator for non-listed license ID's (a.k.a. license-refs).
> 
> I can think of a use case that would not be satisfied if we make this change 
> to
> the parser:
> 
> Use Case - SPDX Document containing a non listed license that has both
> specific version and or later cases Actors - SPDX document creator, SPDX
> document consumer
> Steps:
> - Source code contains code under a non listed license
> - A license-ref is created to represent that code
> - Different code contains a reference to the non listed license with an "or
> later version" clause
> - A license expression is created with the license-ref and a "+" operator to
> represent the or-later
> 
> I agree with Bill that the bug is in the spec - when we discussed implementing
> the license expression language, we intended (or at least I
> intended) for the same expressions to be used for listed and non-listed
> licenses.
> 
> Gary
> 
> > -Original Message-
> > From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-
> > boun...@lists.spdx.org] On Behalf Of Schuberth, Sebastian
> > Sent: Wednesday, October 28, 2015 4:59 AM
> > To: Bill Schineller
> > Cc: spdx-tech@lists.spdx.org
> > Subject: RE: Is "+" a valid character of a LicenseRef idstring?
> >
> > I was assuming something like that. However, technically there
> > shouldn't be a reason to make "+" a reserved operator for idstrings.
> > As idstrings (or license-refs) are no compound-expression as defined
> > in Appendix IV it should be safe to just skip parsing idstrings /
> > license- refs for "+".
> >
> > I've make a proposal how to implement that as part of [1].
> >
> > [1] https://github.com/spdx/tools/pull/66
> >
> > Regards,
> > Sebastian
> >
> >
> > > -Original Message-
> > > From: Bill Schineller [mailto:bschinel...@blackducksoftware.com]
> > > Sent: Wednesday, October 28, 2015 12:19
> > > To: Schuberth, Sebastian <sebastian.schube...@here.com>
> > > Cc: spdx-tech@lists.spdx.org
> > > Subject: Re: Is "+" a valid character of a LicenseRef idstring?
> > >
> > > Methinks the current intention of spec writers is:
> > >
> > > + is now a reserved operator for the License Expression Syntax
> > >
> > > So therefore + should be illegal character in license idstring
> > >
> > > So inconsistency in this regard would seem to be a bug in the spec
> > >
> > > -Bill
> > >
> > > > On Oct 28, 2015, at 5:42 AM, Schuberth, Sebastian
> > > <sebastian.schube...@here.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > when debugging an issue in the spdx-tools verifier, I noticed the
> > > > SPDX 2.0
> > > specs seem to be inconsistent on whether "+" is a valid character in
> > a
> > > LicenseRef's idstring, like in LicenseRef-[idstring].
> > > >
> > > > Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say
> > > >
> > > >[idstring]  is  a  unique  string  containing  letters,
> > numbers,  "."  or  "-"
> > > >
> > > > Yet section 5.1.4 explicitly says for the case of LicenseRef
> > > >
> > > >[idstring]  is  a  unique  string  containing  letters,
> > numbers,  ".",  "-"  or  "+"
> > > >
> > > > Is there any consensus? I'd vote for "+" to be valid in order to
> > > > have
> > > LicenseRefs like "LicenseRef-LGPL-3.0+".
> > > >
> > > > BTW: There's simi

Re: Is "+" a valid character of a LicenseRef idstring?

2015-10-28 Thread Bill Schineller 
Methinks the current intention of spec writers is:

+ is now a reserved operator for the License Expression Syntax

So therefore + should be illegal character in license idstring

So inconsistency in this regard would seem to be a bug in the spec

-Bill

> On Oct 28, 2015, at 5:42 AM, Schuberth, Sebastian 
>  wrote:
> 
> Hi,
> 
> when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0 
> specs seem to be inconsistent on whether "+" is a valid character in a 
> LicenseRef's idstring, like in LicenseRef-[idstring].
> 
> Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say
> 
>[idstring]  is  a  unique  string  containing  letters,  numbers,  "."  or 
>  "-"
> 
> Yet section 5.1.4 explicitly says for the case of LicenseRef
> 
>[idstring]  is  a  unique  string  containing  letters,  numbers,  ".",  
> "-"  or  "+"
> 
> Is there any consensus? I'd vote for "+" to be valid in order to have 
> LicenseRefs like "LicenseRef-LGPL-3.0+".
> 
> BTW: There's similar inconsistencies regarding DocumentRef idstrings, see 
> sections 2.6.4 vs. 3.13.4 / 4.6.4 and other places that refer to an SPDXID.
> 
> Sebastian Schuberth
> Lead Engineer
> Open Source Governance, Chief Technology Office
> Mobile: +49 151 551 551 40
> 
> HERE Berlin
> Invalidenstrasse 116
> 10115 Berlin 
> 52° 31' 52" N. 13° 23' 5" E
> HERE, a Nokia company
> 
> Place of Business: HERE Deutschland GmbH, Invalidenstrasse 116, 10115 Berlin, 
> Germany - Commercial Register: Amtsgericht Charlottenburg, HRB 106443B - 
> USt-IdNr.: DE 812 845 193 - Managing Directors: Michael Bültmann, Robertus 
> A.J. Houben
> CONFIDENTIALITY NOTICE 
> This e-mail and any attachments hereto may contain information that is 
> privileged or confidential, and is intended for use only by the individual or 
> entity to which it is addressed. Any disclosure, copying or distribution of 
> the information by anyone else is strictly prohibited. If you have received 
> this document in error, please notify us promptly by responding to this 
> e-mail. Thank you.
> 
> ___
> Spdx-tech mailing list
> Spdx-tech@lists.spdx.org
> https://lists.spdx.org/mailman/listinfo/spdx-tech
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

RE: Is "+" a valid character of a LicenseRef idstring?

2015-10-28 Thread Schuberth, Sebastian 
I was assuming something like that. However, technically there shouldn't be a 
reason to make "+" a reserved operator for idstrings. As idstrings (or 
license-refs) are no compound-expression as defined in Appendix IV it should be 
safe to just skip parsing idstrings / license-refs for "+".

I've make a proposal how to implement that as part of [1].

[1] https://github.com/spdx/tools/pull/66

Regards,
Sebastian


> -Original Message-
> From: Bill Schineller [mailto:bschinel...@blackducksoftware.com]
> Sent: Wednesday, October 28, 2015 12:19
> To: Schuberth, Sebastian <sebastian.schube...@here.com>
> Cc: spdx-tech@lists.spdx.org
> Subject: Re: Is "+" a valid character of a LicenseRef idstring?
> 
> Methinks the current intention of spec writers is:
> 
> + is now a reserved operator for the License Expression Syntax
> 
> So therefore + should be illegal character in license idstring
> 
> So inconsistency in this regard would seem to be a bug in the spec
> 
> -Bill
> 
> > On Oct 28, 2015, at 5:42 AM, Schuberth, Sebastian
> <sebastian.schube...@here.com> wrote:
> >
> > Hi,
> >
> > when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0
> specs seem to be inconsistent on whether "+" is a valid character in a
> LicenseRef's idstring, like in LicenseRef-[idstring].
> >
> > Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say
> >
> >[idstring]  is  a  unique  string  containing  letters,  numbers,  "."  
> > or  "-"
> >
> > Yet section 5.1.4 explicitly says for the case of LicenseRef
> >
> >[idstring]  is  a  unique  string  containing  letters,  numbers,  ".",  
> > "-"  or  "+"
> >
> > Is there any consensus? I'd vote for "+" to be valid in order to have
> LicenseRefs like "LicenseRef-LGPL-3.0+".
> >
> > BTW: There's similar inconsistencies regarding DocumentRef idstrings, see
> sections 2.6.4 vs. 3.13.4 / 4.6.4 and other places that refer to an SPDXID.
> >
> > Sebastian Schuberth
> > Lead Engineer
> > Open Source Governance, Chief Technology Office
> > Mobile: +49 151 551 551 40
> >
> > HERE Berlin
> > Invalidenstrasse 116
> > 10115 Berlin
> > 52° 31' 52" N. 13° 23' 5" E
> > HERE, a Nokia company
> >
> > Place of Business: HERE Deutschland GmbH, Invalidenstrasse 116, 10115
> > Berlin, Germany - Commercial Register: Amtsgericht Charlottenburg, HRB
> > 106443B - USt-IdNr.: DE 812 845 193 - Managing Directors: Michael
> Bültmann, Robertus A.J. Houben CONFIDENTIALITY NOTICE This e-mail and
> any attachments hereto may contain information that is privileged or
> confidential, and is intended for use only by the individual or entity to 
> which
> it is addressed. Any disclosure, copying or distribution of the information by
> anyone else is strictly prohibited. If you have received this document in 
> error,
> please notify us promptly by responding to this e-mail. Thank you.
> >
> > ___
> > Spdx-tech mailing list
> > Spdx-tech@lists.spdx.org
> > https://lists.spdx.org/mailman/listinfo/spdx-tech
___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech

Is "+" a valid character of a LicenseRef idstring?

2015-10-28 Thread Schuberth, Sebastian 
Hi,

when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0 
specs seem to be inconsistent on whether "+" is a valid character in a 
LicenseRef's idstring, like in LicenseRef-[idstring].

Sections 3.13.4 and 4.6.4 also refer to LicenseRefs and say

[idstring]  is  a  unique  string  containing  letters,  numbers,  "."  or  
"-"

Yet section 5.1.4 explicitly says for the case of LicenseRef

[idstring]  is  a  unique  string  containing  letters,  numbers,  ".",  
"-"  or  "+"

Is there any consensus? I'd vote for "+" to be valid in order to have 
LicenseRefs like "LicenseRef-LGPL-3.0+".

BTW: There's similar inconsistencies regarding DocumentRef idstrings, see 
sections 2.6.4 vs. 3.13.4 / 4.6.4 and other places that refer to an SPDXID.

Sebastian Schuberth
Lead Engineer
Open Source Governance, Chief Technology Office
Mobile: +49 151 551 551 40

HERE Berlin
Invalidenstrasse 116
10115 Berlin 
52° 31' 52" N. 13° 23' 5" E
HERE, a Nokia company

Place of Business: HERE Deutschland GmbH, Invalidenstrasse 116, 10115 Berlin, 
Germany - Commercial Register: Amtsgericht Charlottenburg, HRB 106443B - 
USt-IdNr.: DE 812 845 193 - Managing Directors: Michael Bültmann, Robertus A.J. 
Houben
CONFIDENTIALITY NOTICE 
This e-mail and any attachments hereto may contain information that is 
privileged or confidential, and is intended for use only by the individual or 
entity to which it is addressed. Any disclosure, copying or distribution of the 
information by anyone else is strictly prohibited. If you have received this 
document in error, please notify us promptly by responding to this e-mail. 
Thank you.

___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech