On Fri, Sep 15, 2017 at 11:19:04AM +0000, Gisi, Mark wrote:
> >> 3.15 Declared License
>
> The problem with this field does not lie with the LEL but with the values the
> "field" will accept.
>
> "This field lists the licenses that have been declared by the
> authors of The package. "
>
> It should probably accept a list of LELs. For example if the top
> level directory had the following license files:
>
> COPYING.GPL-2.0
> COPYING.LGPL-2.0
>
> Then the declared license field should accept the "list" of LELs:
> GPL-2.0, LGPL-2.1

I don't consider the presence of a license file to be a declaration of package license [1]. A package which includes those files might declare (in a README, or package.json, etc.) that it is:

  LGPL-2.0

Or it might contain a LGPL-2.0 library and a GPL-2.0 tool which consumes that library, and declare somewhere else that it is:

  LGPL-2.0 AND GPL-2.0

Or maybe they've decided to allow downstream consumers to choose to fork off more-viral projects and dual licensed:

  LGPL-2.0 OR GPL-2.0

Without an explicit package license declaration (in a README, package.json, etc.) the declared package license is NOASSERTION.

If you can tell consumers “The author wasn't clear, but I've concluded that this package is ‘LGPL-2.0 AND GPL-2.0’”, that's useful information. If you can tell consumers “I haven't checked, but the package author claims this is ‘LGPL-2.0 AND GPL-2.0’” that's useful information. If all you can tell consumers is “I found text for the LGPL-2.0 and GPL-2.0 licenses but haven't concluded anything” that is less useful.

Licensee, which only looks for stand-alone license files [2], at least attempts to avoid concluding a license when it finds multiple licence files [3] although it has a special case for the LGPL family, since that license is usually split over two files [4]. And that sort of heuristic is fine for calculating the concluded licenses, especially when the results come with a big as-is caveat [5]. They're not saying that the presence of the license files constitutes a license *declaration*.

Cheers,
Trevor

[1]: https://lists.spdx.org/pipermail/spdx-legal/2017-September/002205.html
     Subject: Re: License identifiers sufficient to avoid loss of information in DeclaredLicense (was: GPLv2 - Github example)
     Date: Thu, 14 Sep 2017 13:10:36 -0700
     Message-ID: <[email protected]>
[2]: https://github.com/benbalter/licensee/blob/v9.2.1/docs/what-we-look-at.md
[3]: https://github.com/benbalter/licensee/issues/114
[4]: https://github.com/benbalter/licensee/pull/203
[5]: https://developer.github.com/v3/licenses/

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

_______________________________________________
Spdx-legal mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-legal
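
The distinction drawn in the message above, as an added Python example that is not part of the original email and is not SPDX or Licensee code: the declared license is taken only from an explicit declaration (assumed here to be the `license` field of `package.json`), while stand-alone license files are reported as evidence and leave the declared field at NOASSERTION. The function names, the `license_files_found` key and the sample packages are constructed for illustration.

```python
import json
import re

# Stand-alone license files such as COPYING, LICENSE.md, COPYING.GPL-2.0
LICENSE_FILE = re.compile(r"^(COPYING|LICEN[CS]E)([.-].+)?$", re.IGNORECASE)


def declared_license(files):
    """Return the author's explicit declaration, or NOASSERTION.

    `files` maps top-level file names to their text. Assumption of this
    example: only package.json's "license" field counts as a declaration
    (a statement in a README would need its own parser).
    """
    manifest = files.get("package.json")
    if manifest is None:
        return "NOASSERTION"
    try:
        value = json.loads(manifest).get("license")
    except (ValueError, AttributeError):  # malformed JSON or non-object manifest
        return "NOASSERTION"
    if isinstance(value, str) and value.strip():
        return value.strip()
    return "NOASSERTION"


def license_files(files):
    """License texts present in the package: evidence, not a declaration."""
    return sorted(name for name in files if LICENSE_FILE.match(name))


def package_summary(files):
    """Keep the declaration, the (not yet made) conclusion and the evidence apart."""
    return {
        "PackageLicenseDeclared": declared_license(files),
        "PackageLicenseConcluded": "NOASSERTION",  # left for a reviewer to conclude
        "license_files_found": license_files(files),
    }


# Constructed sample packages
FILES_ONLY = {"COPYING.GPL-2.0": "...", "COPYING.LGPL-2.0": "...", "main.c": ""}
WITH_MANIFEST = dict(
    FILES_ONLY,
    **{"package.json": '{"name": "demo", "license": "(LGPL-2.0 OR GPL-2.0)"}'},
)

if __name__ == "__main__":
    for label, pkg in (("files only", FILES_ONLY), ("with manifest", WITH_MANIFEST)):
        print(label, package_summary(pkg))
```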
