Since the Legal call where we first began discussing what Jilayne has called
the "Github examples", I've been thinking about this question regularly.
I do agree wholeheartedly with Richard Fontana's point that SPDX both has
stakeholders who use the license identifiers outside of SPDX (and that SPDX
as a project lauds such uses). SPDX should indeed think about those users.
I'm primarily one of those users to the extent I use SPDX.
However, for the purposes of this discussion, I suggest we return to first
principles in the SPDX specification. So I asked myself, what job does SPDX
expect license identifiers to do? I went to the SPDX spec and looked at
this:
3.15 Declared License
3.15.1 Purpose: This field lists the licenses that have been declared by
the
authors of the package. Any license information that
does not originate from the package authors,
e.g. license information from a third party repository,
should not be included in this field.
(URL: https://spdx.org/spdx-specification-21-web-version#h.1hmsyys )
I began to think carefully about this question, what *is* the "Declared
License" -- by the package authors -- in the examples at
https://wiki.spdx.org/view/Legal_Team/only-operator-proposal#Examples_.2F_Challenges
?
I admit that I don't know how exactly to express such as Declarations. What
is quite clear from this discussion, though, is that the Conclusions that
people make about such Declarations vary. Mark Gisi Concludes most of these
examples as NOASSERTION. I Conclude most of them are GPLv1-or-later. In
the last week, I've talked to people who Conclude them as GPLvN-only. I've
also talked to people who Conclude them as GPLvN-or-later, where N is the
version of the GPL that is put in the package directory. In other words,
the Conclusions are all over the map for these rather simple Declarations.
So, my meta-conclusion is clear: the proposed solution of
https://wiki.spdx.org/view/Legal_Team/only-operator-proposal#Proposed_Solution:_add_only_operator
probably will work fine [0], but only for the LicenseConcluded field. (In
other words, I can't imagine any *Conclusions* that aren't covered by that
group.)
But, for *Declarations*, SPDX clearly needs some other identifier, which
would usually only be used as Declared licenses. Such an identifier would
allow SPDX files (a) to better include all the information that was
available to best inform those who look at the Declared license, (b)
properly inform those making Conclusions, and (c) avoid the current
situation that causes Conclusions about GPL licensing to appear in as a
Declared license.
I don't know what such an identifier should be, but it is *not*
GPLvN-or-later; it's not GPLvN-only; it's not GPLvN+. It's something else.
[0] As I first said on this list back in October 2013, I still really think
"-or-later" is a better operator than "+", but that's admittedly a minor
quibble.
--
Bradley M. Kuhn
_______________________________________________
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal
