Hi Mark, On Mon, Feb 4, 2019 at 2:57 PM Atwood, Mark <[email protected]> wrote:
> Just following up, does anyone have any comments or suggestions for my > proposal for SPDX Private License Identifiers? > > -----Original Message----- > From: [email protected] <[email protected]> On Behalf Of > Mark Atwood via Lists.Spdx.Org > Sent: Thursday, January 24, 2019 10:31 AM > To: [email protected]; [email protected] > Cc: [email protected] > Subject: A proposal for SPDX Private License Identifiers. Example: > .com.amazon.-.ASL-2.0 > > I would like to propose a syntax for SPDX "Private License Identifiers". > > SPDX short identifiers and SPDX-License-Identifier declarations in source > code and in compliance documents have proven to be useful. This proposal > extends SPDX license tags to licenses created and used by organizations, > that are unlikely to be applied to content by anyone other than the license > author. > > And when I see an expanding namespace with worries about collisions and an > overworked central naming authority, I always think "why not use the DNS?" > > Examples (these URLs are not correct): > > SPDX-License-Identifier: .com.amazon.-.ASL-2.0 > > SPDX-License-Identifier: .com.amazon.-.ASL-2.0 > https://aws.amazon.com/doc/ASL-2.0 > > SPDX-License-Identifier: .com.amazon.-.ASL-2.0 > https://github.com/aws/AmazonSoftwareLicense > > Private License Identifiers are indicated by a leading dot, followed by the > reversed DNS name of the organization who created or authored the license, > followed by a dot dash dot and then a short name of the same general form > of > a SPDX license short identifier. > The leading dot is sufficient to separate this namespace from the > registered > SPDX short identifiers, and is inspired by the fact that DNS names have an > implied trailing dot. The dot dash dot is to prevent someone from > reversing the entire identifier string into a DNS name and trying to > dereference it, because a bare dash is not a valid DNS name part. > . DNS names be IDN (Internationalized Domain Name) and thus can contain > non-ASCII characters. IDN components can be encoded in IDN Punycode, or in > UTF-8, or in the Unicode encoding appropriate to the document. > > In a SPDX-License-identifier declaration, a Private License Identifier can > optionally be followed by a URI pointing to the canonical license text. > This URI should be under the control of the entity that controls the DNS > namespace of the Private License Identifier. > I like the notion of using the DNS names being IDN as a way of prefixing this. We have the mechanism of "LicenseRef-" as a reserved prefix already for any id not on the SPDX license list[1]. How do you feel about combining it with your DNS suffix idea? The benefit is that this can extend to use in SPDX docs as well as with external sites, and doesn't force a dependency on external entity to keep list up to date. 404's happen (as web sites move, etc). ie. In text use: SPDX-License-ID: LicenseRef-.com.amazon.-.ASL-2.0 Then if someone shipping a SBOM with the information in it and wanted to record the license contents as well, they could cut/paste into the document. LicenseID: LicenseRef-.com.amazon.-.ASL-2.0 LicenseName: Amazon Software License version 2.0 ExtractedText: <text> insert here info </text> and still be able to represent the known state of the source code without relying completely on the web sites to stay stable over time. Thoughts? Kate [1] https://spdx.github.io/spdx-spec/6-other-licensing-information-detected/ -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#3649): https://lists.spdx.org/g/Spdx-tech/message/3649 Mute This Topic: https://lists.spdx.org/mt/29560818/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
