Hi Mark,
Is this the problem you are looking to address?
Almost.
- "LicenseConcluded:" is meant for the conclusion of a review, not for a
declaration of license by the IPR holder
- IPR holders are unable to declare a license for a file (e.g.
"FileLicenseDeclared:")
- LicenseRef-23 is not a fixed reference. It is understood by manual
analysis but not automated
Looking to address:
- A consistent way for software authors to declare that a license
governing a given file is the same as the license declared for the whole
package.
Thanks.
With kind regards,
Nuno Brito
---
email: [email protected]
phone: +49 615 146 03187
twitter: @triplechecked
On 2013-12-12 10:05, Gisi, Mark wrote:
Hi Nuno Brito
I think I understand. Without jumping to a solution, let me see if I
can summarize the problem.
A single copyright holder (IPR holder) provides the same software to
different parties each potentially under different licensing terms. At
the time the software is developed and tested the precise licensing
terms are not known. It is not until later that the terms are
determined (e.g., via a negotiation). Therefore the file does not
include a license notice - just perhaps a copyright notice such as:
/*
 * Copyright 2013 ABC Company, Inc.
 */
I do believe a minimum license notice like the following:
/*
 * Copyright 2013 ABC Company, Inc.
 *
 * This software is licensed pursuant to the terms of the
 * ABC Company software license agreement.
 *
 */
is useful even if it is not very specific (i.e., the terms have not
been written in stone). It is helpful to understand that the intent of
the IPR holder is to offer this file/software to others under terms
that are subject to a negotiation or discussion. Assuming that company
ABC Company is 100% the copyright (IPR) holder - the above license
notice does not prevent ABC Company from offering the same file to one
party (recipient 1) under one set of license terms and to a different
party (recipient 2) under a different set of licensing terms. That is:
(i) ABC Company may not know the precise terms until the day they
deliver the code to a given customer; and
(ii) different customers may potentially receive different terms;
One can create the following SPDX record for the example file:
FileName: ./Config.src
FileType: SOURCE
FileChecksum: SHA1: 53f410f780bf5659aa100aa0161c2d5229944d2b
LicenseInfoInFile: LicenseRef-23
LicenseConcluded: LicenseRef-23
where LicenseRef-23 either:
(a) simply repeats the license notice above; or
(b) provides a reference to a specific contract (e.g., a formal name
+ date); or
(c) provides the precise terms of the agreement for a given
recipient.
With option (a) you can prepare just one SPDX file that can be
delivered to all recipients and essentially achieve your "DEFAULT"
reference without adding the default keyword to the SPDX spec. With
options (b) and (c) one would need to generate and deliver a custom
SPDX file with each software delivery but you contain the
customization to the SPDX file (and more specifically to the
LicenseRef-23 record) as opposed to all the source files.
Is this the problem you are looking to address?
Regards,
- Mark
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Nuno Brito
Sent: Wednesday, December 11, 2013 3:38 AM
To: [email protected]
Subject: RE: SPDX meta-tag for implicit license terms (Gisi, Mark)
Hi Mark,
I understand why software developers want to Inherit from the package
license. It's a short cut to avoid having to include a license notice
in every file. However, there are many short cuts in life that
actually make life more difficult. The global license approach or
inherit the package license approach are good examples. The more
successful a project becomes the more sharing that takes place and the
greater the nightmare "inherited the package license" approach
becomes. Attached is an SPDX file for Busybox. Busybox is an example
of a successful project that benefited greatly by borrowing (sharing)
code from/with other projects. Notice how many files have a different
license from the Busybox package.
I work in projects where changing the header of source code files is
not an option after a given code was certified and locked by quality
assurance or some other business reason. It isn't a shortcut as there
exists no intention of writing the license terms in stone (file header), they
vary according to who receives the files (not open source code). In
essence, expressing the implicit licensing nature of these files in
a consistent manner.
Would perhaps this syntax be possible to consider?
FileName: ./Config.src
FileType: SOURCE
FileChecksum: SHA1: 53f410f780bf5659aa100aa0161c2d5229944d2b
LicenseInfoInFile: NONE
LicenseConcluded: NOASSERTION
FileLicenseDeclared: DEFAULT
Expressing that:
- no license is included with the file
- the SPDX creator has not yet made a conclusion about the license
- the IPR holder declared a license connected to the overall declared
license
At this moment the standard does not prescribe declaring licenses on a
file level; neither "FileLicenseDeclared" nor the keyword DEFAULT exists.
With kind regards,
Nuno Brito
---
email: [email protected]
phone: +49 615 146 03187
twitter: @triplechecked
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
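
Added example (not part of the thread and not SPDX project code): a small checker for the option (a) approach discussed above, which reads tag-value records and reports every LicenseRef-* used in a file record that has no LicenseID/ExtractedText definition in the same document. The sample document, ./Other.src and LicenseRef-99 are constructed for illustration.

```python
import re

# Constructed sample: the thread's file record, a second record using an
# undefined LicenseRef-99, and a LicenseRef-23 definition per option (a).
SAMPLE = """\
FileName: ./Config.src
FileType: SOURCE
FileChecksum: SHA1: 53f410f780bf5659aa100aa0161c2d5229944d2b
LicenseInfoInFile: LicenseRef-23
LicenseConcluded: LicenseRef-23

FileName: ./Other.src
LicenseInfoInFile: NONE
LicenseConcluded: LicenseRef-99

LicenseID: LicenseRef-23
ExtractedText: <text>This software is licensed pursuant to the terms of the
ABC Company software license agreement.</text>
"""

TAG = re.compile(r"^([A-Za-z]+):\s*(.*)$")
REF = re.compile(r"LicenseRef-[A-Za-z0-9.\-]+")

def parse(doc):
    """Return (files, refs): file records and LicenseRef id -> extracted text."""
    # Collapse multi-line <text>...</text> values onto one logical line.
    doc = re.sub(r"<text>(.*?)</text>", lambda m: " ".join(m.group(1).split()), doc, flags=re.S)
    files, refs, cur, ref_id = [], {}, None, None
    for line in doc.splitlines():
        m = TAG.match(line)
        if not m:
            continue
        tag, val = m.groups()
        if tag == "FileName":          # starts a new file record
            cur = {"FileName": val}
            files.append(cur)
        elif tag == "LicenseID":       # starts a license definition
            ref_id, cur = val, None
        elif tag == "ExtractedText" and ref_id:
            refs[ref_id] = val
        elif cur is not None:
            cur[tag] = val
    return files, refs

def unresolved(doc):
    """List (file, tag, ref) for each LicenseRef with no definition in doc."""
    files, refs = parse(doc)
    return [(f["FileName"], tag, ref) for f in files
            for tag in ("LicenseInfoInFile", "LicenseConcluded")
            for ref in REF.findall(f.get(tag, "")) if ref not in refs]
```
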