Wheeler, David A wrote at 10:09 (PDT):
> Technically “GPL-2.0” in SPDX means “only this version”, but in practice
> many practitioners & tools are sloppy about this.

It's worth pointing back to a previous discussion about this issue 4.5 years ago:
  https://lists.spdx.org/pipermail/spdx-tech/2013-October/001965.html
... since some of the things from that thread are being repeated now.

For example, at the time, Jilayne Lovejoy proposed (on 3 Oct 2013):
>>> I have long thought that the short identifiers would be better served
>>> as: GPL-2.0+ and GPL-2.0-only

But also note that there were vehement detractors at the time:

Mark Gisi wrote on Thu 3 Oct 2013:
>> I don't see why we need to rename GPL-2.0 to GPL-2.0-only. Can someone
>> provide source code examples of why the GPL-2.0 identifier is problem?

which supports Yev's position today, but contradicts Jilayne's historical position, and in some ways also contradicts David's claim today:
> but in practice many practitioners & tools are sloppy about this.

So these two polarized positions will presumably need reconciliation to reach consensus on this point, if SPDX is a consensus-based project.

Yev Bronshteyn wrote at 10:57 (PDT):
>>>>>> Is “SPDX-License-Identifier: GPL-2.0” now to be interpreted as “I’m
>>>>>> licensing this under GPL 2.0 and not telling you whether later is ok
>>>>>> or not”? Because clearly this is not what the developer intended to
>>>>>> convey in using “GPL-2.0” prior to this change.

Wheeler, David A replied at 11:24 (PDT):
> That is *not* clear. The *spec* is clear, but it doesn't exist in a
> vacuum. It appears that many tools will report "GPL-2.0" when they see
> the GPL 2.0 license.

Toward David's point about "doesn't exist in a vacuum": I have been doing copyleft licensing education talks and tutorials on a regular basis since around 2002. In my experience, the plurality of people (including those who would consider themselves Open Source licensing professionals) haven't read GPLv2§9¶2 & GPLv3§14¶2, and don't understand the "-only significance" of throwing a version number anywhere near the statement "this is GPL'd".
On the other side of the equation, many people over-read "-only" into places that are actually "-or-later". I've talked to many Open Source licensing professionals who believe, as the tools David mentions do, that mere presence of a copy of the text of GPLv2 means GPLv2-only.

Despite constant education on this issue for nearly two decades, these confusions remain common. That's precisely why Jilayne and David (with me as an occasional de-lurking wingman) have been arguing for so long that even the Identifiers must be explicit on this matter.

I remain baffled about why the SPDX project refused to adopt the standard the FSF set in the 1990s of "GPLv2-or-later" and "GPLv2-only", and that the SPDX project only recently reached out to the FSF on this...

Kate Stewart wrote at 10:41 (PDT):
>>>>> We've started having some discussions with FSF about what they'd
>>>>> prefer, and their preference seems to be GPL-2.0-only,

... but I'm glad those discussions have finally begun. It's essential to engage with the license stewards about how to describe their licenses. I'm surprised that the SPDX project took this long to begin such discussions (given that this issue was raised here and on spdx-legal in 2013 (and probably earlier)).

Hopefully the damage this has caused that David described is not too bad, and that ultimately on this all will be well that ends well. And, I'm definitely glad to see SPDX finally catching up to the state of the art on this point!

--
   -- bkuhn
