Since the Legal call where we first began discussing what Jilayne has called the "Github examples", I've been thinking about this question regularly.
I do agree wholeheartedly with Richard Fontana's point that SPDX both has stakeholders who use the license identifiers outside of SPDX (and that SPDX as a project lauds such uses). SPDX should indeed think about those users. I'm primarily one of those users to the extent I use SPDX. However, for the purposes of this discussion, I suggest we return to first principles in the SPDX specification. So I asked myself, what job does SPDX expect license identifiers to do? I went to the SPDX spec and looked at this: 3.15 Declared License 3.15.1 Purpose: This field lists the licenses that have been declared by the authors of the package. Any license information that does not originate from the package authors, e.g. license information from a third party repository, should not be included in this field. (URL: https://spdx.org/spdx-specification-21-web-version#h.1hmsyys ) I began to think carefully about this question, what *is* the "Declared License" -- by the package authors -- in the examples at https://wiki.spdx.org/view/Legal_Team/only-operator-proposal#Examples_.2F_Challenges ? I admit that I don't know how exactly to express such as Declarations. What is quite clear from this discussion, though, is that the Conclusions that people make about such Declarations vary. Mark Gisi Concludes most of these examples as NOASSERTION. I Conclude most of them are GPLv1-or-later. In the last week, I've talked to people who Conclude them as GPLvN-only. I've also talked to people who Conclude them as GPLvN-or-later, where N is the version of the GPL that is put in the package directory. In other words, the Conclusions are all over the map for these rather simple Declarations. So, my meta-conclusion is clear: the proposed solution of https://wiki.spdx.org/view/Legal_Team/only-operator-proposal#Proposed_Solution:_add_only_operator probably will work fine [0], but only for the LicenseConcluded field. (In other words, I can't imagine any *Conclusions* that aren't covered by that group.) But, for *Declarations*, SPDX clearly needs some other identifier, which would usually only be used as Declared licenses. Such an identifier would allow SPDX files (a) to better include all the information that was available to best inform those who look at the Declared license, (b) properly inform those making Conclusions, and (c) avoid the current situation that causes Conclusions about GPL licensing to appear in as a Declared license. I don't know what such an identifier should be, but it is *not* GPLvN-or-later; it's not GPLvN-only; it's not GPLvN+. It's something else. [0] As I first said on this list back in October 2013, I still really think "-or-later" is a better operator than "+", but that's admittedly a minor quibble. -- Bradley M. Kuhn _______________________________________________ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal