Hi Sam,

Thanks for your reply - I think this covers the use case.

About the validity of license combinations: The safest way is to have a whitelist with allowed licenses, listing also the kind of linkage and product. (That's how we're handling it at our company, although not yet fully automated.)

As a side note, the OSADL community tries to create machine readable interpretations of OSS licenses: https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
However, I'm not sure how far they got yet.

Best regards
Markus Schaber

CODESYS® a trademark of 3S-Smart Software Solutions GmbH
Inspiring Automation Solutions
3S-Smart Software Solutions GmbH
Dipl.-Inf. Markus Schaber | Product Development Core Technology
Memminger Str. 151 | 87439 Kempten | Germany
Tel. +49-831-54031-979 | Fax +49-831-54031-50
E-Mail: m.scha...@codesys.com | Web: http://www.codesys.com | CODESYS store: http://store.codesys.com
CODESYS forum: http://forum.codesys.com
Managing Directors: Dipl.Inf. Dieter Hess, Dipl.Inf. Manfred Werner | Trade register: Kempten HRB 6186 | Tax ID No.: DE 167014915

-----Original Message-----
From: Sam Ellis <sam.el...@arm.com>
Sent: Thursday, 9 August 2018 12:14
To: Markus Schaber <m.scha...@codesys.com>; 'spdx-legal@lists.spdx.org' <spdx-legal@lists.spdx.org>
Subject: RE: Proposal for alternative licenses

Hi Markus,

Referring to Appendix IV: SPDX License Expressions in https://spdx.org/sites/cpstandard/files/pages/files/spdxversion2.1.pdf, then SPDX allows for custom licenses to be named in the format LicenseRef-XXX where XXX is whatever you want to call your license. You could use this to refer to any type of legal text or conditions, whether free, open source or proprietary.

Using this you can write a valid SPDX expression such as:

    AGPL-3.0-only OR LicenseRef-CustomAlternateLicensing

Appendix V: Using SPDX short identifiers in Source Files describes how you can use these expressions in a source file, for example:

    SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-CustomAlternateLicensing

I'd say this is sufficient to alert a tool to the presence of a custom license, though as there is no defined mechanism to link that LicenseRef to some license text in this context then a tool probably won't be able to locate that license text automatically. Listing the custom license adjacent to this line or in a separate file alongside is probably the best you can do.

I wonder whether this existing mechanism adequately covers your case?

As to your final point about invalid license combinations, SPDX deliberately doesn't make any determination of license compatibility, and somebody will need to read the licenses and draw their own conclusions about that.

-----Original Message-----
From: Spdx-legal@lists.spdx.org <Spdx-legal@lists.spdx.org> On Behalf Of Markus Schaber
Sent: 09 August 2018 10:24
To: 'spdx-legal@lists.spdx.org' <spdx-legal@lists.spdx.org>
Subject: Proposal for alternative licenses

Hi,

this idea was inspired by https://github.com/NuGet/Home/issues/4628#issuecomment-411503940

It is a common situation that some project allows for multiple alternative licenses, some of them are "free" and expressible via SPDX, while others of them are proprietary. Currently, this cannot be expressed well with SPDX license expressions.

As the free licenses are always a legitimate choice for the users and redistributors of those packages, I propose to express this via a special (reserved) identifier "CustomAlternateLicensing".
This identifier would just codify the fact that there exist more alternative licenses (which cannot be covered via SPDX), but not make any assumptions about the intent and nature of those licenses (proprietary, or exotic "free" licenses, or whatever).

For example:
- AGPL-3.0-only OR CustomAlternateLicensing
- MPL-2.0 OR LGPL-2.0 OR CustomAlternateLicensing
- (GPL-2.0 WITH Classpath-exception-2.0) OR CustomAlternateLicensing

We might allow CustomAlternateLicensing on its own for a package which only has proprietary / unknown licenses, just to express the fact that it's an unknown license.

However, I tend to forbid cases like the following, because there's no alternative which contains only well-known licenses, so they cannot be automatically evaluated whether they're allowed or not in a given context:
- GPL-3.0 AND CustomAlternateLicensing
- Apache-2.0 WITH CustomAlternateLicensing

Thanks & Best regards
Markus Schaber

View/Reply Online (#2361): https://lists.spdx.org/g/Spdx-legal/message/2361
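
The rule argued in the original proposal (an expression can be evaluated automatically only if at least one alternative consists solely of known licenses), combined with the allowlist approach from the first reply and the LicenseRef- form from the second, can be sketched as below. This is an added example, not code from the thread or from SPDX; the allowlist contents and the function names `alternatives` and `usable_choices` are assumptions, and the parser handles only AND, OR, WITH and parentheses.

```python
import re

# Constructed allowlist (assumption); a real policy would also record linkage and product.
ALLOWED = {"AGPL-3.0-only", "MPL-2.0", "LGPL-2.0", "Apache-2.0",
           "GPL-2.0 WITH Classpath-exception-2.0"}
KEYWORDS = {"(", ")", "AND", "OR", "WITH"}

def alternatives(expr):
    """Expand an expression into a set of frozensets, one per alternative."""
    toks = re.findall(r"[()]|[A-Za-z0-9.+-]+", expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unexpected character in expression")
    toks.reverse()                       # pop() now yields tokens in order

    def take():
        if not toks:
            raise ValueError("unexpected end of expression")
        return toks.pop()

    def atom():
        tok = take()
        if tok == "(":
            inner = parse("OR")
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok in KEYWORDS:
            raise ValueError(f"unexpected {tok!r}")
        if toks and toks[-1] == "WITH":  # exception binds to its license
            take()
            tok = f"{tok} WITH {take()}"
        return {frozenset([tok])}

    def parse(op):                       # AND binds tighter than OR
        operand = atom if op == "AND" else (lambda: parse("AND"))
        left = operand()
        while toks and toks[-1] == op:
            take()
            right = operand()
            left = left | right if op == "OR" else {a | b for a in left for b in right}
        return left

    result = parse("OR")
    if toks:
        raise ValueError(f"unexpected {toks[-1]!r}")
    return result

def usable_choices(expr, allowed=ALLOWED):
    # Keep only alternatives in which every term is on the allowlist.
    return sorted(sorted(alt) for alt in alternatives(expr) if alt <= allowed)
```

An empty result means no alternative is made up only of allowlisted terms, so the expression needs manual review; that is the outcome for the AND and WITH forms the proposal wants to forbid.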