On Tue, Nov 07, 2017 at 10:19:31AM +0100, Philippe Ombredanne wrote:
> I think that whatever is done on the SPDX side to be
> precise vs. being accurate-enough and good-enough will unlikely ever
> be adopted as the magnitude of the education and changes required
> would be immense…

Backwards compat is certainly important, and the plan with a new ONLY
operator would be to have tooling warn, but not error, on ambiguous
declarations like ‘GPL-2.0’ for the next few years [1].  Then when
SPDX cuts a 3.0, we'd start erroring on ‘GPL-2.0’ and only support
‘GPL-2.0+’ or ‘GPL-2.0 ONLY’.  And depending on how the rest of this
works out, ‘GPL-2.0 AMBIGUOUS’ or ‘GPL-2.0 OR-MAYBE GPL-2.0+’.

Being able to warn/error on ambiguously versioned declarations is why
I want to compatibleWith… metadata.

And to keep supporting folks who will never update their declarations,
we just need to version the license-expression-consuming fields.  For
example, we could explicitly make ‘SPDX-License-Identifier’ [2] mean
“a 2.x SPDX license expression” and create a new field
(SPDX-License-Identifier-3?) for “a 3.x SPDX license expression”.

External consumers could do the same thing.  For example, npm's
package.json is already explicitly an SPDX 2.0 license expression [3].
That means they only have access to the 2.0 license list (2015-04
[4]), not SPDX 2.1's 2.5 license list (2016-07 [5]).  Which means they
cannot use 0BSD or other identifiers which were added between list 2.0
and list 2.5.  If/when the npm community wants to explicitly support
those newer expressions, they can bump their supported SPDX version.
And it will be up to them whether they decide to do that with a new
field or whether they'd rather change the semantics of their existing
field.  [3] discusses a previous ‘licenses’ which had different
semantics, so they've used the new-field approach in the past.

> … for minuscule benefits…

I think the FSF has a reasonable point that ‘GPL-2.0’ by itself isn't
immediately obvious to folks who don't bother to look it up in the
spec.  If they do look it up, they can see that we intend it to be
‘GPL-2.0 ONLY’.  But in 2015, you guessed it to be ‘GPL-2.0+’ [6].
Suggesting (and, in a few years and/or with SPDX 3.0, requiring) an
explicit versioning operator will make the semantics much more clear
to casual readers.  I think that's a more-than-minuscule benefit.

> … and hyper confusion.

Can you go into more details about the confusion you expect?  There
will certainly be a maintenance *cost*, as current ‘GPL-2.0’ users
update their strings to use the new ONLY operator (or another
versioning operator, if they hadn't realized that ‘GPL-2.0’ meant
‘GPL-2.0 ONLY’).  But I don't see a new source of confusion.

Cheers,
Trevor

[1]: https://wiki.spdx.org/view/Technical_Team/Minutes/2017-08-07
[2]: https://spdx.org/spdx-specification-21-web-version#h.twlc0ztnng3b
[3]: https://docs.npmjs.com/files/package.json#license
[4]: https://spdx.org/sites/cpstandard/files/pages/files/spdx-2.0.pdf#page=64
[5]: https://spdx.org/spdx-specification-21-web-version#h.1jlao46
[6]: https://lists.spdx.org/pipermail/spdx-legal/2015-November/001537.html
     Subject: Is "+" a valid character of a LicenseRef idstring?
     Date: Mon Nov 2 09:56:47 UTC 2015

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal

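The warn-then-error behaviour and the versioned consuming fields that the message sketches can be prototyped in a few dozen lines. The following Python linter is an added example, not code from the message, from the SPDX project or from npm: it tokenizes an SPDX license expression, checks each identifier against a per-spec-version license list, and flags a versioned license such as GPL-2.0 that carries neither "+" nor ONLY as a warning under a 2.x profile and as an error under a 3.0 profile. The license lists, the VERSIONED set and the exception list are constructed stand-ins (the real lists are far larger); the "3.0" profile, the ONLY operator and the SPDX-License-Identifier-3 field name are hypothetical, taken from the proposal in the message rather than from any published spec.

```python
"""Version-aware linter for SPDX license expressions (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, deliberately tiny stand-ins for the SPDX license lists.
# List 2.0 shipped with spec 2.0 and list 2.5 with spec 2.1; 0BSD is only
# in the newer one, mirroring the npm example in the message.  "3.0" is a
# hypothetical future profile that also accepts the proposed ONLY operator.
LICENSE_LISTS = {
    "2.0": {"MIT", "Apache-2.0", "BSD-2-Clause", "GPL-2.0", "GPL-3.0", "LGPL-2.1"},
    "2.1": {"MIT", "Apache-2.0", "BSD-2-Clause", "GPL-2.0", "GPL-3.0", "LGPL-2.1", "0BSD"},
}
LICENSE_LISTS["3.0"] = set(LICENSE_LISTS["2.1"])

# Licenses whose text offers an "or any later version" option, so a bare
# identifier is ambiguous to a casual reader (constructed subset).
VERSIONED = {"GPL-2.0", "GPL-3.0", "LGPL-2.1"}

# Constructed exception list for WITH clauses.
EXCEPTIONS = {"Classpath-exception-2.0", "GCC-exception-3.1"}

# Field-to-profile mapping as proposed in the message: the existing field
# stays a 2.x expression; a new field (name hypothetical) carries 3.x.
FIELD_PROFILES = {
    "SPDX-License-Identifier": "2.1",
    "SPDX-License-Identifier-3": "3.0",
}

KEYWORDS = {"(", ")", "AND", "OR", "WITH", "ONLY"}
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.\-]+\+?|\S")


@dataclass(frozen=True)
class Finding:
    level: str      # "error" or "warning"
    message: str


class Linter:
    """Recursive-descent parser over the SPDX 2.1 expression grammar."""

    def __init__(self, expression: str, profile: str):
        self.profile = profile
        self.known = LICENSE_LISTS[profile]
        self.findings = []
        self.tokens = []
        for m in TOKEN_RE.finditer(expression):
            tok = m.group(0)
            if not (tok in "()" or tok[0].isalnum()):
                self.findings.append(Finding("error", f"unexpected character {tok!r}"))
            self.tokens.append(tok)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def lint(self) -> list[Finding]:
        try:
            self._expr()
            if self._peek() is not None:
                raise SyntaxError(f"trailing token {self._peek()!r}")
        except SyntaxError as exc:
            self.findings.append(Finding("error", str(exc)))
        return self.findings

    def _expr(self):            # expr := term (OR term)*
        self._term()
        while self._peek() == "OR":
            self._take()
            self._term()

    def _term(self):            # term := factor (AND factor)*
        self._factor()
        while self._peek() == "AND":
            self._take()
            self._factor()

    def _factor(self):          # factor := "(" expr ")" | simple [WITH exception]
        if self._peek() == "(":
            self._take()
            self._expr()
            if self._take() != ")":
                raise SyntaxError("missing ')'")
            return
        self._simple()
        if self._peek() == "WITH":
            self._take()
            exc = self._take()
            if exc not in EXCEPTIONS:
                raise SyntaxError(f"unknown exception {exc!r}")

    def _simple(self):          # simple := ID ["+"] | ID ONLY (3.x profile only)
        tok = self._take()
        if tok is None or tok in KEYWORDS:
            raise SyntaxError(f"expected license identifier, got {tok!r}")
        lic, or_later = (tok[:-1], True) if tok.endswith("+") else (tok, False)
        only = False
        if self._peek() == "ONLY":
            if not self.profile.startswith("3."):
                raise SyntaxError(f"ONLY is not an operator in SPDX {self.profile}")
            self._take()
            only = True
        if or_later and only:
            self.findings.append(Finding("error", f"{lic}+ ONLY is contradictory"))
            return
        if lic.startswith("LicenseRef-"):
            # The 2.x grammar allows "+" after a license-id, not after a license-ref.
            if or_later:
                self.findings.append(Finding("error", "'+' is not valid on a LicenseRef"))
            return
        if lic not in self.known:
            self.findings.append(Finding("error", f"{lic!r} is not in the license list for SPDX {self.profile}"))
            return
        if lic in VERSIONED and not (or_later or only):
            level = "error" if self.profile.startswith("3.") else "warning"
            self.findings.append(Finding(level, f"{lic!r} without '+' or ONLY is ambiguous; write {lic}+ or {lic} ONLY"))


def lint(expression: str, profile: str = "2.1") -> list[Finding]:
    return Linter(expression, profile).lint()


def lint_field(name: str, value: str) -> list[Finding]:
    """Choose the profile from the field name, as the message proposes."""
    if name not in FIELD_PROFILES:
        raise KeyError(f"no SPDX profile registered for field {name!r}")
    return lint(value, FIELD_PROFILES[name])


if __name__ == "__main__":
    for field, value in [("SPDX-License-Identifier", "GPL-2.0"),
                         ("SPDX-License-Identifier-3", "GPL-2.0"),
                         ("SPDX-License-Identifier-3", "GPL-2.0 ONLY"),
                         ("SPDX-License-Identifier", "0BSD")]:
        print(field, value, lint_field(field, value))
```

The same string lints differently depending on which field it sits in, which is the whole point of versioning the consuming field rather than the string: a bare GPL-2.0 in the existing field is a warning, in the hypothetical 3.x field an error, and ONLY is a syntax error under 2.x because that grammar has no such operator.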