Hi Marc,

Great analysis, and I will echo Jilayne's call for you not to feel like you
have to return to lurking. This is open-source, and to get to the best
solution, we need everyone with thoughtful analyses and arguments to come
forward.


With respect to the copyright in the text of a license (the "Verbatim"
question), I don't think this is an issue SPDX needs to worry about or to
spec out how to describe in SPDX expressions. It's my understanding that
there are varying opinions on the question of the copyrightability of a
license text (or any legal contract). I tend to think no license text is
protectable under copyright, but even assuming *arguendo* that it is
protectable, recall that copyright protection is "thin" (as opposed to
"thick" protection in patent or, less so, trade secret) and doesn't bar
*all* copying/distributing/etc. SPDX arguably has an implied license for
every open-source license, excepting perhaps those that are limited to a
specific project or company. But more than that, SPDX's license database is
almost certainly a fair use of the license text under copyright law. You
can go through the four factors and all their sub-factors if you want to,
but I think because SPDX is a meta-project to help identify the licenses in
question, SPDX itself is non-profit, and there is no "market" (in the
copyright sense) for original open-source license texts, I'd say the fair
use case is pretty slam-dunk.

TL;DR: I don't think we need to add licenses or change the spec to
represent any potential copyright in license text, as I rate the risk to be
minimal and we have a big enough challenge as it is with our primary goals
of identifying licenses and describing licensed files & packages.


Best,
Brad

--
Brad Edmondson, *Esq.*
512-673-8782 | brad.edmond...@gmail.com

On Fri, Sep 8, 2017 at 5:28 AM, Marc Jones <m...@joneslaw.io> wrote:

> Sporadic lurker, first time poster.
>
> Many licenses require you to include an exact copy of the license in the code 
> base as a condition of the license. So if for example a code base is licensed 
> under 3-Clause BSD then you have to "must retain the above copyright notice, 
> this list of conditions and the following disclaimer." Similarly in GPLv2 if 
> you are redistributing an exact copy of the code base you must "give any 
> other recipients of the Program a copy of *this* License along with the 
> Program."
>
> It is not clear to me that it makes sense to say a code base is both GPLv2 
> and verbatim, simply because the text of the license is copyrighted and you 
> do not have permission to modify the license text. I don't actually think it 
> is much different from the 3-Clause BSD license regardless of if the 3-clause 
> BSD license is in the public domain. It seems to me that even if the 3-Clause 
> license is in the public domain, you still do not have permission to modify 
> it in a code base licensed under the 3-clause BSD license. Doing so would 
> violate a condition of the license to the code base. In which case the 
> simplest and most accurate thing to do would be to simply say that the code 
> base is 3-clause BSD. It both accurately states the license of the code and 
> your permissions to modify the 3-clause BSD file in that code base (i.e. you 
> aren't allowed to.) Similar argument could be made for GPL licensed programs 
> as well.
>
> > For license where we do not feel comfortable concluding a license, we
> > probably want to stop distributing local copies until we figure out
> > what license applies to them (or whether we think they are not
> > copyrighted, or if our complete copy of their text falls under fair
> > use, or whatever).
>
> The problem with not including local copies of licenses is that including a 
> local copy of licenses is actually a condition of a lot of licenses. So 
> essentially one would have to say that unless the copyright status of the 
> license text is clear, we can not use SPDX with that license. Which seems to 
> be entirely self defeating. And also I think taking the concern over a lack 
> of an explicit license on the license text itself too seriously. I think 
> there is a solid argument for implied license for all open source licenses to 
> at least copy them verbatim in a code base under that license. Certainly a 
> strong case for any license that has been approved by OSI.
>
> >> In any case, I’m not sure we need to worry so much about identifying
> >> the license of the license.
> >
> > Why not?  They're generally copyrightable content that we copy and
> > distribute, just like code.
>
> If the point of SPDX is to accurately record the license of the codebase, 
> then this just seems like a definitional issue: Is the license text of the 
> code base part of the code base that SPDX is describing? Personally I never 
> had any confusion about the fact that the license text was not subject to 
> same license of the source code. Rather when talking about the license of a 
> code base I have always assumed that we were talking about the license of 
> "the work" (in the legal sense) or in GPL parlance "the Program." I always 
> assumed the SPDX tag has always been used to describe the license of the work 
> and that the text of the license is not part of that work, which is why I 
> would assume Jilayne is not worried about identifying the license of the 
> license. But you know what happens when you "assume" ... .
>
>
> >> We want scanners to be able to identify the exact license text where
> >> it exists for what it actually is - that is the key piece of
> >> information for determining the license for the code. If we start to
> >> boil down to the license of the license, we seem to be missing the
> >> key goal?
> >
> > I don't think so.  If I get a tarball for a package, I want to know
> > the licensing information for the contents of that tarball.  If some
> > of the content in that tarball is GPL-2.0+ (e.g. main.c), I want to
> > know that.  If some of the content in that tarball is Verbatim
> > (e.g. COPYING), I want to know that too.
>
> What value is added if we simply end up tacking onto every SPDX license code 
> "+Verbatim." Yes, I am aware that some licenses do actually give a generous 
> license to modify the license as long as you change the name. [1] But do we 
> then have to have a special license code for the license of each license. I 
> just do not see what value is being added. At best we convince everyone to 
> just ignore the +Verbatim, which will only cause confusion when it matters 
> because the +Verbatim was referring to some other portion of the actual 
> work/Program (i.e. not the license text.) At worst, we just confuse everyone 
> and now SPDX has become meaningless because we are highlighting a "problem" where 
> we agree the solution is to literally change nothing about how we understand 
> we should treat our code bases already. But as I said before, by saying a 
> package is GPL-2.0, you know you aren't allowed to modify the text of the GPL 
> license included. If you did you would violate the license on the package.
>
>
> Also to chime in on the question of if only a copy of the GPLv2 text is 
> included in a code base:
>
> First I just want to offer my apologies for coming late to the party. I know 
> from the meeting notes everyone involved has been working very hard and 
> thoughtfully on this issue for months. My compliments to all of your hard 
> work and appreciation for whoever is responsible for keeping such detailed 
> meeting notes up to date. My comments are only meant to add to the 
> conversation, not distract from it.
>
> I agree with the conclusions of examples 1, 2 and 3. 
> (https://wiki.spdx.org/index.php?title=Legal_Team/only-operator-proposal).
>
> To address example 4. I think the solution is probably not intuitive (at 
> least it was not to me,) but if you only include the text of the GPLv2 with 
> no other licensing statements the plain meaning of the license text would 
> require concluding that the code base is GPLv2 only. I can imagine buying 
> into a theory where you get to any version of the GPL, but at the moment 
> I do not see how to get to "GPLv2 or any later version."
>
> The GPLv2 says "If the Program does not specify a version number of this 
> License, you may choose any version ever published by the Free Software 
> Foundation." Not trying to be pedantic but the text of the GPLv2 clearly refers 
> to GPLv2. Being something seems to be the best way to specify that thing. If 
> the only licensing information in a code base is the exact text of GPLv2 I 
> have three questions: 1) does the mere presence of the GPLv2 text imply that 
> the author intended the accompanying code to be licensed under the GPLv2? 2) 
> Since the only licensing statement for the code base is implied by the full 
> text of the GPLv2, is there any way to argue that the version wasn't 
> specified? And 3) is there any way to argue that "or any later version" was 
> specified?
>
> Q1: The answer to the first question is not obvious to me. To me the mere 
> presence of the license text in a file does not an explicit license make. I 
> think you need to rely on practice of the trade to get there, or at least an 
> implied license. Dropping the text of a license into a file called LICENSE or 
> even more specific to our industry COPYLEFT would not be obvious in all 
> situations that that is the intended license. It could just be a random file 
> with some other purpose that the copyright holder never noticed or intended 
> to give that kind of effect to. I know that flies in the face of a lot of 
> assumptions of the industry, but I think you would get a lot of mileage in 
> front of a judge who was not a FOSS developer with that argument. The best 
> argument that it is an explicit license is that the name of the file 'LICENSE' 
> is the explicit license, but that leaves those folks using COPYLEFT out to 
> dry. At best including the text of a license is an implied license and is 
> supported by the practice of the trade so it is reasonable to rely on it.
>
> Q2: To address the second question, I think you need to at the very least 
> accept that the license included in the LICENSE file is the license of the 
> code base. But then it seems contradictory to me to look at the full text of 
> GPLv2 and conclude that means GPL but it doesn't specify which version of the 
> GPL. At best I would think the implied license created by including the text 
> of a license in a LICENSE file is "the license of this code base is as 
> specified in the LICENSE file." And that license file clearly specifies the 
> GPLv2, so by the terms of the GPLv2 it would not have left the version 
> unspecified allowing you to choose any version of the GPL.
>
> If you do not buy the argument that the text of the license by its nature 
> specifies the version of the license, then I will argue that Section 0 of 
> GPLv2 states that "*This* License applies to any program or other work which 
> contains a notice placed by the copyright holder saying it may be distributed 
> under the terms of this General Public License." So the text of the license 
> says the "License" is "this license," which of course is GPLv2. And under 
> GPLv3 it gets more specific where "This License" is defined as "version 3 of 
> the GNU General Public License." It seems pretty clear that the version of 
> the license is specified when you include the full text of the license.
>
> I would also think that people who dropped in a copy of GPLv3 and did not put 
> in any other licensing notice would be surprised to learn that people are 
> taking the license under GPLv2 because they failed to specify what version of 
> the GPL they meant. I think they would be particularly surprised if Tivo said 
> "great, you did not specify a version when you included the text of the GPLv3 
> in your code base, so we will just use it under GPLv2."
>
> Q3: I think the answer to the third question is similar to the reasoning of 
> the answer to Q2. According to GPLv2 the only time you can choose any 
> later version of the license is when the copyright holder specifies "any 
> later version." Since that phrase only occurs in the license text in the 
> conditional statement granting this additional permission, I do not see how 
> you ever conclude the copyright holder meant GPLv2.0+ by the mere inclusion 
> of the license text in a code base. It seems like a separate explicit 
> licensing statement somewhere outside of the text of the license is 
> necessarily required to trigger that conditional clause.
>
> I present this hypothetical as an example: You copy a code base that includes 
> a copy of the GPLv2 in a LICENSE file. There are no other licensing 
> statements in the code base. You contact the copyright holder to clarify the 
> license.
>
> 1) They send you a hostile email telling you the license is specified in the 
> LICENSE file. Do you acknowledge their response and say you will be taking 
> the code under GPLv3?
>
> 2) They send you a hostile email telling you the license is GPLv2 as 
> specified in the LICENSE file. Do you acknowledge their response and say you 
> will be taking the code under GPLv3?
>
> 3) Your email to them explicitly asks if the license is "GPLv2 or any later 
> version." They send you a polite email telling you the license is "GPLv2" as 
> specified in the LICENSE file. Do you thank them for their response and say 
> you will be taking the code under GPLv3?
>
> I feel like notifying them that you will be taking the code under GPLv3 under 
> all three scenarios seems risky. But even if you would not take the code 
> under even one of those circumstances it seems like you should not assume the 
> bare presence of the text of GPLv2 means GPLv2 or later.
>
> How this is implemented in the SPDX codes might be problematic, but seems 
> like you folks are on the right track.
>
> I will attempt to return to my lurking now. My apologies for the uninvited 
> opining.
>
> Warm regards,
>
> -Marc
>
> P.S. This was not legal advice, these views represent my own and not the views 
> of my company. My opinion may change depending on the context in which 
> similar questions arise, my mood, or what I ate for lunch that day, blah, 
> blah, ....
>
> [1] http://www.apache.org/foundation/license-faq.html#mod-license
>
>
>
> _______________________________________________
> Spdx-legal mailing list
> Spdx-legal@lists.spdx.org
> https://lists.spdx.org/mailman/listinfo/spdx-legal
>
>