Hi,

Would it be possible to transfer the information from the SPDX file to
the package. Meaning that those files will receive (or better to say:
these files will be modified with) the Strings:
LicenseInfoInFile: NONE
License concluded: SPDX Identifier of the "concluded" license of the package

I subscribe to this concept from Wolfgang and Oliver. For original files inside non-public projects I often find no licenses mentioned on the header because the source code file will be licensed under different terms. In-house libraries get reused and licensed differently. Difficult (as copyright owner) to express "this is my original source code file, I'd like its license to be the same as the license declared as default for the package".


-- NOASSERTION is used but applies equally to original and third party files without explicit license. The tooling workaround is to identify the copyright holder field when going through thousands of files. Problematic points are files from external companies with their own copyright names either due to a merger or external contract work. Especially complicated with files that passed through many different hands before. As an auditor, I'd like to say: "these files had no license but their package declared ABC as applicable".

-- LicenseRef-# is then a possible route but Murphy's law hints that the number chosen as reference will change across different documents, teams and years to convey the same fact. Makes it difficult for our tooling to process or requires everyone to agree on using LicenseRef-99 to represent implicit license terms. Still, external auditors will need to go through this over and over again.

Both approaches are doable with the current standard. They just don't provide a specific way for expressing how files should inherit the license from the package when this is not declared. I'd find this feature very useful when considering so much legacy code that will not be modified.

So, I'd be happy to see something like:
FileName: ./Config.src
FileType: SOURCE
FileChecksum: SHA1: 53f410f780bf5659aa100aa0161c2d5229944d2b
LicenseInfoInFile: NONE
LicenseConcluded: DEFAULT

Where "DEFAULT" means the license declared by default to the whole package (or IMPLICIT or INHERIT).

Looking forward to your thoughts on the matter.


With kind regards,
Nuno Brito

---
email: [email protected]
phone:  +49 615 146 03187
twitter: @triplechecked

On 2013-12-10 13:00, [email protected] wrote:
Send Spdx-tech mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.spdx.org/mailman/listinfo/spdx-tech
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Spdx-tech digest..."


Today's Topics:

   1. SPDX meta-tag for implicit license terms (Wolfgang Denk)
   2. AW: SPDX meta-tag for implicit license terms (Fendt, Oliver)


----------------------------------------------------------------------

Message: 1
Date: Tue, 10 Dec 2013 11:09:48 +0100
From: Wolfgang Denk <[email protected]>
To: [email protected], [email protected]
Subject: SPDX meta-tag for implicit license terms
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8

Hello,

after converting the U-Boot project to use SPDX meta-tags, we now
started working on another Open Source project; here we face a
somewhat different situation:  a large number of the individual source
files do not contain any per-file license header at all.  Instead,
they rely on the fact that they inherit the global, project-wide
license as defined in the top level README and COPYING files.

My understanding is that this is technically and legally clean as is.

However, I see a handling problem here:  the conversion of the project
to use SPDX meta-tags will probably be an incremental process, and
there will be some period of time (eventually even a long one) where
still files exist that have not been converted yet.

I would like to define a way to mark such files where implicit
licensing applies, so that we do not have to check these again and
again.

Of course we could insert a license tag corresponding to the actual
project-wide license, but such a modification is considered intrusive
by some of the affected people.

I think it would be better (and more easily acceptable by the respective
copyright holders) to have some "neutral" SPDX meta-tag that reflects
the fact that this file inherits the project's global license terms.

Would such a meta-tag be acceptable to the SPDX team?

I'm still looking for a good "name" for such a tag; suggestions we
have so far include:

        SPDX-License-Identifier: implicit

        SPDX-License-Identifier: inherit

        SPDX-License-Identifier: none

        SPDX-License-Identifier: -

Suggestions and comments welcome...

Best regards,

Wolfgang Denk

--
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: [email protected]
There is a time in the tides of men, Which, taken at its flood, leads
on to success. On the other hand, don't count on it.   - T. K. Lawson


------------------------------

Message: 2
Date: Tue, 10 Dec 2013 11:45:48 +0000
From: "Fendt, Oliver" <[email protected]>
To: "[email protected]" <[email protected]>,
        "[email protected]" <[email protected]>
Subject: AW: SPDX meta-tag for implicit license terms
Message-ID: <d86beb935b7a4249a22e8bce761f8de4124...@defthw99ek2msx.ww902.siemens.net>

Content-Type: text/plain; charset="iso-8859-1"

Hi,

As far as I understood the standard one would express this kind of
association (file without license information - is assumed to be
licensed under the "concluded" license of the package) with the
following elements on file level:
LicenseInfoInFile: NONE
License concluded: SPDX Identifier of the "concluded" license of the package

Would it be possible to transfer the information from the SPDX file to
the package. Meaning that those files will receive (or better to say:
these files will be modified with) the Strings:
LicenseInfoInFile: NONE
License concluded: SPDX Identifier of the "concluded" license of the package

This is just a suggestion

Best Regards
Oliver Fendt

Siemens AG
Corporate Technology
Corporate Standards & Guidance
CT CSG SWI OSS
Otto-Hahn-Ring 6
81739 München, Deutschland
Tel: +49 89 636-46033
mailto:[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On behalf of Wolfgang Denk
Sent: Tuesday, 10 December 2013 11:10
To: [email protected]; [email protected]
Subject: SPDX meta-tag for implicit license terms

Hello,

after converting the U-Boot project to use SPDX meta-tags, we now
started working on another Open Source project; here we face a
somewhat different situation:  a large number of the individual source
files do not contain any per-file license header at all.  Instead,
they rely on the fact that they inherit the global, project-wide
license as defined in the top level README and COPYING files.

My understanding is that this is technically and legally clean as is.

However, I see a handling problem here:  the conversion of the project
to use SPDX meta-tags will probably be an incremental process, and
there will be some period of time (eventually even a long one) where
still files exist that have not been converted yet.

I would like to define a way to mark such files where implicit
licensing applies, so that we do not have to check these again and
again.

Of course we could insert a license tag corresponding to the actual
project-wide license, but such a modification is considered intrusive
by some of the affected people.

I think it would be better (and more easily acceptable by the respective
copyright holders) to have some "neutral" SPDX meta-tag that reflects
the fact that this file inherits the project's global license terms.

Would such a meta-tag be acceptable to the SPDX team?

I'm still looking for a good "name" for such a tag; suggestions we
have so far include:

        SPDX-License-Identifier: implicit

        SPDX-License-Identifier: inherit

        SPDX-License-Identifier: none

        SPDX-License-Identifier: -

Suggestions and comments welcome...

Best regards,

Wolfgang Denk

--
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: [email protected]
There is a time in the tides of men, Which, taken at its flood, leads
on to success. On the other hand, don't count on it.   - T. K. Lawson
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech


------------------------------



End of Spdx-tech Digest, Vol 37, Issue 3
****************************************
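The two proposals in this thread (Wolfgang's neutral per-file header tag, and the tag-value `LicenseConcluded: DEFAULT` sketch above) both amount to a resolution rule: a file that carries no license of its own takes the license declared for the package, while a file whose license is genuinely unknown stays NOASSERTION and is flagged for review. The script below is an added example written for this page, not code from the thread or from the SPDX project. It parses a constructed SPDX 1.x tag-value document (only the `./Config.src` record and its SHA1 come from the mail; the other two file records, their checksums and the `example-pkg` package are made up), resolves the proposed DEFAULT/INHERIT/IMPLICIT markers against `PackageLicenseDeclared`, and separately classifies a source-file header line. The marker values are the thread's proposals, not part of the SPDX specification.

```python
"""Resolve per-file licenses from an SPDX tag-value document, treating the
proposed LicenseConcluded value DEFAULT (and the header values floated in the
thread) as "inherit the package's declared license".  Added example; the
inherit markers are proposals from the mailing-list thread, not SPDX keywords.
"""
import re

# Proposed (hypothetical) tag-value markers meaning "inherit from package".
INHERIT_MARKERS = {"DEFAULT", "INHERIT", "IMPLICIT"}

# Wolfgang's candidate neutral header values.  Note that "none" collides with
# SPDX's own NONE keyword for LicenseInfoInFile, so a real tag would avoid it.
HEADER_INHERIT_VALUES = {"inherit", "implicit", "none", "-"}

# Constructed sample document.  Only ./Config.src and its SHA1 are taken from
# the thread; the other records and hashes are placeholders.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-1.2
DataLicense: CC0-1.0
PackageName: example-pkg
PackageLicenseDeclared: GPL-2.0+
PackageLicenseConcluded: GPL-2.0+

FileName: ./Config.src
FileType: SOURCE
FileChecksum: SHA1: 53f410f780bf5659aa100aa0161c2d5229944d2b
LicenseInfoInFile: NONE
LicenseConcluded: DEFAULT

FileName: ./lib/vendor.c
FileType: SOURCE
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseInfoInFile: MIT
LicenseConcluded: MIT

FileName: ./legacy/old.c
FileType: SOURCE
FileChecksum: SHA1: 1111111111111111111111111111111111111111
LicenseInfoInFile: NONE
LicenseConcluded: NOASSERTION
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*(\S+)")


def parse_tag_value(text):
    """Split a tag-value document into package-level tags and a list of
    per-file records.  A new file record starts at every FileName tag."""
    package, files, current = {}, [], None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue  # blank lines and free text between records
        tag, value = m.group(1), m.group(2).strip()
        if tag == "FileName":
            current = {"FileName": value}
            files.append(current)
        elif current is None:
            package[tag] = value
        else:
            current[tag] = value
    return package, files


def resolve_licenses(package, files):
    """Return {FileName: (effective_license, how_it_was_determined)}.
    An inherit marker resolves to PackageLicenseDeclared; NOASSERTION is
    kept as-is so an auditor can see which files still need review."""
    declared = package.get("PackageLicenseDeclared", "NOASSERTION")
    results = {}
    for rec in files:
        concluded = rec.get("LicenseConcluded", "NOASSERTION")
        if concluded.upper() in INHERIT_MARKERS:
            results[rec["FileName"]] = (declared, "inherited from package")
        elif concluded == "NOASSERTION":
            results[rec["FileName"]] = ("NOASSERTION", "needs review")
        else:
            results[rec["FileName"]] = (concluded, "file-level")
    return results


def files_needing_review(results):
    """Names of files whose license could not be resolved, sorted."""
    return sorted(name for name, (lic, _) in results.items()
                  if lic == "NOASSERTION")


def license_from_header(source_text, project_license):
    """Wolfgang's per-file header case: an explicit identifier wins, one of
    the proposed neutral values maps to the project-wide license, and a
    missing tag means the file has not been converted yet."""
    m = HEADER_RE.search(source_text)
    if not m:
        return ("UNCONVERTED", "no SPDX header yet")
    ident = m.group(1)
    if ident.lower() in HEADER_INHERIT_VALUES:
        return (project_license, "inherits project-wide license")
    return (ident, "explicit header")


if __name__ == "__main__":
    pkg, recs = parse_tag_value(SAMPLE_SPDX)
    for name, (lic, how) in resolve_licenses(pkg, recs).items():
        print(f"{name:20} {lic:12} ({how})")
    print("needs review:", files_needing_review(resolve_licenses(pkg, recs)))
    print(license_from_header("/* SPDX-License-Identifier: inherit */", "GPL-2.0+"))
```

Keeping NOASSERTION separate from the inherit marker is the point Nuno raises: only files that explicitly opt into the package default get resolved, so the auditor's "needs review" list is not polluted by files that merely lack a header.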
