Mark,

Many thanks for your response!

React
-----

In their defense, Facebook's licensing hygiene is actually well above the
norm in the JavaScript/Node.js community, which tends to use a single
LICENSE file and SPDX ID per project. (Copy-and-paste reuse is also less
of a concern. Packages are often << 1KLOC.)

The files that end up in the tarball for distribution via package manager
are consistently marked:

```bash
$ cd /tmp
$ mkdir react-audit
$ cd react-audit
$ # Install the React package from repository.
$ npm install react
$ # Change to the installation directory.
$ cd node_modules/react
$ # Recursively search for files without "BSD".
$ fgrep -riL BSD .
./addons.js
./lib/EventListener.js
./README.md
./react.js
```

EventListener has an Apache-2.0 header. The other source files are
one-line `require` calls, akin to `#import <react>` in the C world.
They're really just shims to make paths work.

The files in the Git repository without license headers are mostly build
chain configuration and tests. There are also some code examples under a
non-open source license and documentation under a CC license.

SPDX Expression
---------------

It sounds like we're agreed that BSD-3-Clause plus an additional patent
grant is a fundamentally different kind of combination of reusable
license terms than AND and OR. Is that a case for another combination
operator in SPDX expressions?

To try and put a finer point on it:

    x AND y  := contains code licensed per x and code licensed per y
    x OR y   := contains code licensed per choice of x or y
    x PLUS y := contains code licensed per combination of x and y

"PLUS" is just a stand-in here. Another name may be appropriate.

K

On Tue, Jun 16, 2015 at 07:46:13AM +0000, Gisi, Mark wrote:
> From a compliance perspective Facebook/React project presents a common
> nightmare situation. For example some files explicitly state (e.g.,
> React.js):
>
>  * Copyright 2013-2015, Facebook, Inc. All rights reserved.
>  *
>  * This source code is licensed under the BSD-style license found in the
>  * LICENSE file in the root directory of this source tree. An additional grant
>  * of patent rights can be found in the PATENTS file in the same directory.
>
> While other files have no copyright/license notice (e.g.,
> Gruntfile.js, vendor/jasmine/diff.js, jasmine.js, src/test/all.js,
> ...). Does that mean the Patent license is only available to some
> files but not others? The project's license hygiene is questionable.
>
> >> Better to roll the BSD-3-Clause and additional patent grant into one
> >> "Facebook BSD License", akin to the Apple MIT variant (AML)?
>
> This would be preferred if such a list identifier existed. Until that
> day comes, one could roll both licenses up into a single license
> reference (e.g., LicenseRef-Facebook-BSD-Patent).
>
> The WITH operator semantically implies that a given license applies
> except under certain special circumstances. Therefore I am not sure an
> exception makes sense here.
>
> AND typically implies two sets of license terms apply. Not sure yet
> if it makes sense to make FB-Patents-2.0 a full-fledged license (a
> decision for the legal team). Alternatively one could use BSD-3-Clause
> AND LicenseRef-FB-Patent.
>
> For now I think LicenseRef-Facebook-BSD-Patent is an adequate
> representation.
>
> - Mark
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kyle E. Mitchell
> Sent: Monday, June 15, 2015 12:01 PM
> To: Sam Ellis
> Cc: [email protected]; [email protected]
> Subject: Re: [Bug 1292] New: What is the correct license expression for a
> project with an additional patent license?
>
> Many thanks for your generous reply, and for sending so quickly.
>
> Forgive me if I'm behind on general discussions about the purpose and
> function of SPDX expressions.
> I understood their purpose rather more as a
> coding system for what terms purportedly apply than a way to state a fully
> formed legal conclusion.
>
> I suppose I tended toward this view especially given that American lawyers
> are known to differ on what various standard licenses actually do. The
> license plus additional patent grant situation exacerbates these problems, I
> think, in a few ways:
>
> 1. There likely won't be any record of acceptance of either the
>    BSD-3-Clause terms or the patent grant terms. Defendants will claim
>    to have accepted whatever licenses grant protection they need once
>    hauled into court.
>
> 2. The existence of the additional patent grant might very well affect
>    an American court's view of what (if any) patent license is implied
>    by BSD-3-Clause. General principles of contract interpretation will
>    read both licenses, as contemporaneous agreements on the same subject
>    matter, together.
>
> 3. The patent license and BSD license are separate files in the source
>    code repository, and I think it clear that clause 1 of the BSD
>    license does _not_ require redistribution with a copy of the
>    additional patent license.
>
> 4. On the other hand, the additional grant is entitled "Additional
>    Grant...", and the read-me file and other documentation repeatedly
>    mention the application of both licenses.
>
> One upshot is that a program designed to check SPDX metadata against a white
> list of licenses may very well want to assess the "BSD-3-Clause"
> in (BSD-3-Clause) differently than in (BSD-3-Clause AND/OR/WITH
> FB-Patents-2.0).
>
> If the answer here is to allow variants with each of AND, OR, and WITH, does
> that mean that the additional patent grant should hypothetically seek both a
> license identifier and a license exception identifier?
> Better to roll the BSD-3-Clause and additional patent grant into one
> "Facebook BSD License", akin to the Apple MIT variant (AML)?
>
> Many thanks,
> K
>
> On Mon, Jun 15, 2015 at 12:38:02PM +0100, Sam Ellis wrote:
> > > Subject: [Bug 1292] New: What is the correct license expression for
> > > a project with an additional patent license?
> > > https://bugs.linuxfoundation.org/show_bug.cgi?id=1292
> >
> > I will take the opportunity to offer an opinion to the forums on this
> > question that is raised above:
> >
> > I think first and foremost this is a question around interpretation of
> > the licenses. Only when you have that interpretation can you decide
> > how to represent that using SPDX syntax. I see two possible
> > interpretations:
> >
> > One interpretation is that using the software you must agree to
> > both the BSD-3-Clause and the patent grant and have no choice in the
> > matter.
> >
> > Another interpretation is that you must agree to the use of the
> > BSD-3-Clause license, but you have a choice as to whether or not to
> > accept the patent grant. If you accept the patent grant then it is the
> > same outcome as above. If you choose to not take the patent grant then
> > you run the risk that the software does use some Facebook patents and
> > you are now infringing them.
> >
> > In terms of SPDX representation, I would suggest the former case comes
> > out as one of these two:
> >
> > (BSD-3-Clause AND FB-Patents-2.0)
> > (BSD-3-Clause WITH FB-Patents-2.0)
> >
> > And for the second interpretation I would suggest one of these two:
> >
> > (BSD-3-Clause OR (BSD-3-Clause AND FB-Patents-2.0))
> > (BSD-3-Clause OR (BSD-3-Clause WITH FB-Patents-2.0))
> >
> > As to whether to use the AND or WITH variants, I again think this
> > comes down to the interpretation of the patent grant. Does the patent
> > grant stand alone as a fully formed license (in which case choose AND)
> > or does it depend on some other license (in which case choose WITH)?
> >
> > In summary I think SPDX license expressions can adequately represent
> > all of these cases.
> > The question that SPDX can’t answer is which legal
> > interpretation to choose.
> >
> > -- IMPORTANT NOTICE: The contents of this email and any attachments
> > are confidential and may also be privileged. If you are not the
> > intended recipient, please notify the sender immediately and do not
> > disclose the contents to any other person, use it for any purpose, or
> > store or copy the information in any medium. Thank you.
> >
> > ARM Limited, Registered office 110 Fulbourn Road, Cambridge CB1 9NJ,
> > Registered in England & Wales, Company No: 2557590
> > ARM Holdings plc, Registered office 110 Fulbourn Road, Cambridge CB1 9NJ,
> > Registered in England & Wales, Company No: 2548782
> >
>
> --
> Kyle Mitchell, attorney
> San Francisco, California
> +1 (415) 864 - 9913
> _______________________________________________
> Spdx-tech mailing list
> [email protected]
> https://lists.spdx.org/mailman/listinfo/spdx-tech

--
Kyle Mitchell, attorney
San Francisco, California
+1 (415) 864 - 9913
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
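
The thread's point that a program checking SPDX metadata against a white list may want to assess "BSD-3-Clause" differently depending on the surrounding expression can be shown with a small parser and policy check. This is an added example, not code from the thread or from the SPDX project; `parse`, `permitted`, `check` and the `bsdOnly` policy are illustrative names, and `FB-Patents-2.0` is the placeholder identifier used in the thread, not a listed SPDX ID.

```javascript
// Added example: minimal SPDX expression parser plus allowlist check.
// Precedence follows the SPDX spec: WITH binds tightest, then AND, then OR.
const OPERATORS = new Set(['AND', 'OR', 'WITH']);

function parse(expr) {
  // Tokens are parentheses and identifier-like runs; whitespace is skipped.
  const toks = expr.match(/\(|\)|[A-Za-z0-9.+:-]+/g) || [];
  let i = 0;
  const ident = (what) => {
    const t = toks[i++];
    if (!t || t === '(' || t === ')' || OPERATORS.has(t)) throw new SyntaxError('expected ' + what);
    return t;
  };
  const binary = (op, operand) => () => {
    let left = operand();
    while (toks[i] === op) { i++; left = { op, left, right: operand() }; }
    return left;
  };
  const atom = () => {
    if (toks[i] === '(') {
      i++;
      const inner = or();
      if (toks[i++] !== ')') throw new SyntaxError('expected ")"');
      return inner;
    }
    const license = ident('license id');
    if (toks[i] !== 'WITH') return { license };
    i++;
    return { op: 'WITH', license, exception: ident('exception id') };
  };
  const and = binary('AND', atom);
  const or = binary('OR', and);
  const ast = or();
  if (i < toks.length) throw new SyntaxError('unexpected token ' + toks[i]);
  return ast;
}

// An expression passes only if every term that must apply is on the policy lists.
function permitted(node, policy) {
  switch (node.op) {
    case 'OR': return permitted(node.left, policy) || permitted(node.right, policy);
    case 'AND': return permitted(node.left, policy) && permitted(node.right, policy);
    case 'WITH': return policy.licenses.has(node.license) && policy.exceptions.has(node.exception);
    default: return policy.licenses.has(node.license);
  }
}

const check = (expr, policy) => permitted(parse(expr), policy);

// Constructed policy: only plain BSD-3-Clause has been reviewed and approved.
const bsdOnly = { licenses: new Set(['BSD-3-Clause']), exceptions: new Set() };
```

Under `bsdOnly`, the OR forms from the thread pass because the plain BSD-3-Clause branch is available, while the AND, WITH and single `LicenseRef-Facebook-BSD-Patent` forms are held for review until the patent grant is added to the policy as a license or as an exception.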
