Re: New License/Exception Request: ANY-PATENT-ASSERTION-TERMINATES-2.0 as a new exception

[W. Trevor King]

On Wed, Aug 09, 2017 at 06:22:37PM -0400, Wheeler, David A wrote:
> As far as I can tell SPDX currently has no way to report this
> information.

There's some previous discussion in [1,2].  The current recommendation
is to define a custom ID for the patent rider and use that [3], for
example:

  BSD-3-Clause AND FB-Patents-2.0

> Since this rider could be applied to many different kinds of
> licenses, and seems to normally be included as a separate file, I
> think this should be listed as an exception.

There's been recent discussion about what counts as an “exception”
[4,5].  The currently favored wording limits exceptions to things that
grant *additional* permissions.  It's not clear to me if the
Facebook/React patent rider meets that condition.  I'm personally in
favor of a less-opinionated operator for attaching riders, but this is
probably not the right thread to re-open that discussion.

> Then React's license would be "BSD-3-Clause WITH
> ANY-PATENT-ASSERTION-TERMINATES-2.0", which I think is fairly clear.
>
> I made up the name.  As far as I know this was created by Facebook,
> but there's no reason to believe that it could only be used by
> Facebook, so I thought it'd be better to focus on its effect.

And the BSD licenses were originally by Berkeley, but folks commonly
refer to them as BSD licenses, not “A-Short-Lax-Permissive-License”
;).  Ideally the name would be compact, intuitive, and easily
distinguished from other identifiers.  Facebook-Patent-2.0 is compact
and easily distinguished.  Your proposal is more intuitive, but
potentially less easily distinguished as the number of patent-related
riders grows.  And obviously folks can always pull up the full text if
they have questions.

Cheers,
Trevor

[1]: https://bugs.linuxfoundation.org/show_bug.cgi?id=1292
 https://lists.spdx.org/pipermail/spdx-tech/2015-June/002717.html
 Subject: [Bug 1292] New: What is the correct license expression
   for a project with an additional patent license?
 Date: Mon Jun 15 03:58:53 UTC 2015
[2]: https://lists.spdx.org/pipermail/spdx-legal/2017-June/002008.html
 Subject: New OSI approved license
 Date: Sun Jun 4 03:47:02 UTC 2017
[3]: https://bugs.linuxfoundation.org/show_bug.cgi?id=1292#c2
[4]: https://lists.spdx.org/pipermail/spdx-legal/2017-July/002036.html
 Subject: revised wording for top of exceptions page
 Date: Thu, 6 Jul 2017 23:35:40 +0100
 Message-Id: <5f1d2c18-6d14-4ccd-80d3-6008588bb...@jilayne.com>
[5]: https://lists.spdx.org/pipermail/spdx-legal/2017-July/002078.html
 Subject: revised text for top of exceptions page
 Date: Thu, 27 Jul 2017 22:34:12 -0600
 Message-Id: 

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


signature.asc
Description: OpenPGP digital signature
___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal

New License/Exception Request: ANY-PATENT-ASSERTION-TERMINATES-2.0 as a new exception

[Wheeler, David A]

INTRODUCTION:
Many Facebook projects, including the widely-used React.js, have a different 
license approach than others: They use a stock OSS license *with* a special 
patent-related rider (in the case of React.js, this is in a file named 
PATENTS).  This patent rider is asymmetric, which has led to the Apache 
Software Foundation requiring that *all* of the Apache projects stop 
incorporating any project with this rider, and it appears that other companies 
also have this policy.  Thus, for some organizations it is vital that they be 
able to *detect* this rider.

As far as I can tell SPDX currently has no way to report this information.  
That needs to change.  If SPDX *can* report it, please let me know - maybe I 
missed it!

McCoy Smith has noted that there’s an additional source of confusion:
➢ Adding to the confusion is that FB frequently refers to their React.js 
license as "BSD+Patents" (plural), although that nomenclature appears somewhat 
recent (and, I think, post-dates the submission of the "BSD+Patent" -- singular 
-- license to OSI in early 2016).

This rider is on a number of popular OSS projects, so I think it meets the 
conditions for inclusion.  Also, I think SPDX needs to add this information 
*soon* to eliminate the confusion.  I proposed the name 
“ANY-PATENT-ASSERTION-TERMINATES”.

This license is *NOT* already listed on the “licenses and exceptions under 
consideration”: 
https://docs.google.com/spreadsheets/d/11AKxLBoN_VXM32OmDTk2hKeYExKzsnPjAVM7rLstQ8s/edit?pli=1#gid=695212681
Again, note that this is NOT the same as BSD-2-Clause-Patent.

Since this rider could be applied to many different kinds of licenses, and 
seems to normally be included as a separate file, I think this should be listed 
as an exception.  Then React's license would be "BSD-3-Clause WITH 
ANY-PATENT-ASSERTION-TERMINATES-2.0", which I think is fairly clear.

I made up the name.  As far as I know this was created by Facebook, but there's 
no reason to believe that it could only be used by Facebook, so I thought it'd 
be better to focus on its effect.  The React text says it's version 2, so I 
think that should be in the name.  I'm sure better names are possible, but I 
think it should be clear that it involves patent assertions leading to 
termination.  What's more, it's not just an assertion related to the software 
being distributed - even a patent assertion *unrelated* to the released 
software will terminate the license (which is why I said "ANY").

=




1. Provide a proposed Full Name for the license or exception: Additional Grant 
of Patent Rights where patent assertion terminates Version 2
2. Provide a proposed Short Identifier: WITH ANY-PATENT-ASSERTION-TERMINATES-2.0
3. Provide a functioning url reference to the license or exception text, either 
from the author or a community recognized source:  
https://github.com/facebook/react/blob/master/PATENTS
4. Create and attach a text file with the license or exception text from the 
url provided in #3. Please proofread the text file to ensure that: 
a. Information has not been lost or modified.
b. Formatting is clean and consistent with the license or exception URL.
5. Indicate whether the license is OSI-approved (see: 
http://www.opensource.org/licenses/alphabetical) or whether it has been 
submitted for approval to the OSI and is currently under review: Not OSI 
approved
6. Provide a short explanation regarding the need for this license or exception 
to be included on the SPDX License List, including identifying at least one 
program that uses this license: See above.  It's in wide use, but organizations 
such as the Apache Software Foundation forbid including software licensed with 
this exception, so it's important to report its presence.

I'm attaching the text by copying it below from 
; users might replace 
"Facebook"/"Facebook, Inc." with someone else.

--- David A. Wheeler


=== LICENSE EXCEPTION TEXT ===

Additional Grant of Patent Rights Version 2

"Software" means the React software distributed by Facebook, Inc.

Facebook, Inc. ("Facebook") hereby grants to each recipient of the Software
("you") a perpetual, worldwide, royalty-free, non-exclusive, irrevocable
(subject to the termination provision below) license under any Necessary
Claims, to make, have made, use, sell, offer to sell, import, and otherwise
transfer the Software. For avoidance of doubt, no license is granted under
Facebook's rights in any patent claims that are infringed by (i) modifications
to the Software made by you or any third party or (ii) the Software in
combination with any software or other technology.

The license granted hereunder will terminate, automatically and without notice,
if you (or any of your subsidiaries, corporate affiliates or agents) initiate
directly or indirectly, or take a direct financial interest in, any Patent
Assertion: (i) against Facebook or any of its subsidiaries or