Hi Vladimir, See below for a few attempts at some clarifications that are hopefully helpful. It's great you are looking at the SPDX spec so closely. I think you might also want to check out some of the documentation around the SPDX License List, as that may help clarify some of your questions (or be an opportunity to help us improve the documentation).
On Thu, Jun 13, 2019 at 02:17 PM, Vladimir Sitnikov wrote:

> > The last number (if there is one) in a SPDX license id is the version number
>
> Is that documented?
> I fail to see that in the standard.
> As far as I can see, SPDX 2.1, 6.1 License Identifier uses just
> <<[idstring] is a unique string containing letters, numbers, "." or "-".>>
>
> > There are other exceptions like
> > Artistic-1.0, Artistic-1.0-cl8, Artistic-1.0-Perl, Artistic-2.0
> > or
> > LPPL-1.2, LPPL-1.3a
>
> Could I use the software under LPPL-1.3a if the original author declares LPPL-1.2+ ?

The + operator to indicate "or any later version" was only intended to be used with licenses that allow this option. There is no "test" or "validation" to reject an improper use of the + operator (for example with MIT or BSD-3-Clause or Apache-2.0 - none of which include the "upgrade to a later version" text that some licenses have) - we can't validate for every wrong thing.

> Of course it's complicated, however in any case there should be a rule to compare version numbers.
> For instance: 1.1 > 1.10? Or is it 1.1 < 1.10? That has to be in the standard if we admit licenses can have versions.

I'm not sure what you are trying to achieve here, but it seems like you may be assuming that license authors are standardized in the way they version their licenses. I can assure you, they are not! We have no choice but to take and record the licenses as we find them - with or without version numbering (and sometimes with version numbering that is not necessarily sequential.)

> Note: it is not like "I absolutely want to use all the license operators which exist in the wild".
>
> Here's what I'm trying to do.
> I want to classify third-party dependencies based on my own license and the license of the third-party (isn't it surprising?)
> Well, "my own" license happens to be Apache 2.0, and luckily for me, there's a web page: https://apache.org/legal/resolved.html
>
> For instance, the page says that "GNU GPL 1,2,3" goes to "Category X" (==please never use GPL dependencies in Apache-2.0-licensed projects)
> I use GPL here because "incompatibility with AL2.0 is clear for everyone".
> I don't try to discuss "-only vs -or-later" here which is a completely different subject.
> However, what if "third-party declares its license as GPL-2.0-or-later"?
>
> For instance, I could see a manifest attribute of "Bundle-License: GPL-2.0-or-later" or it could be "Bundle-License: GPL-2.0+"

GPL-2.0-or-later would be the current SPDX identifier; GPL-2.0+ would be the old SPDX identifier (from SPDX License List pre-3.0 versions) - either way, it means the same thing. For more on why we changed this, see: https://www.gnu.org/licenses/identify-licenses-clearly.html

> Of course, I could just hard-code that "GPL 1,2,3" really means all the possible versions of GPL (-only, or-later, or-whatever).

GPL-1.0-or-later means all possible versions of GPL

> However it would be great if one could use the **standard** to deduce "all the possible licensing options" out of "GPL-2.0-or-later" expression.
>
> As of now, there is NO automatic way to tell which licenses could satisfy GPL-2.0-or-later expression.
> Note: the standard should better be strict rather than "please do that somehow, and note 10% of the licenses are exceptions".

I'm not sure what you mean here.

> For instance, Unicode standard declares rules to perform upper-case conversion. That is why I suggest to do something with meaning of "license versions" in SPDX.
>
> For instance, if there was a notion of "license name" vs "license version", then one could iterate over all the versions of "GPL" and expand that "GPL-2.0-or-later" to the set of possible known licenses.
> Of course that does not solve all the cases, however it would still provide me with information like "even if we try all the possibilities, we get categoryX every time".
>
> Alternative option is to add a notion of "aliases" to the standard.
> For instance, we could say that "GPL-2.0-or-later" is an alias for "GPL-2.0-only

GPL-2.0-or-later and GPL-2.0-only are not aliases for each other. They have different meanings for the downstream user. Please see Richard Stallman's article, link above.

Thanks,
Jilayne
SPDX legal team co-lead

> OR GPL-3.0-only OR GPL-3.0-or-later OR unknown_license" (while the latter is a hypothetical GPL-4.0), then we could declare "GPL-2.0+" to be an alias for "GPL-2.0-or-later".
> Of course everybody would have to code those equivalence tables, however the tables could be shared in machine-readable formats.
> Then machines could recognize that "MIT+" is an unknown alias.
>
> Vladimir
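One way to implement the expansion Vladimir describes and the "+" rule Jilayne states, as an added example that is not part of this thread and not SPDX tooling: it accepts the current "-only"/"-or-later" spelling and the deprecated "+" spelling as the same thing, expands "-or-later" against an explicit, publication-ordered table of known versions (no numeric comparison, since license versioning is not standardised) plus a placeholder for versions that do not exist yet, rejects "+" on a license whose text has no later-version clause so that "MIT+" is flagged instead of silently accepted, and folds every possibility onto a Category-style policy so a dependency can be reported as "Category X whichever version is picked". The license table, the policy table, the FUTURE placeholder and the sample manifest are all constructed for the example; they are not the SPDX License List or the Apache resolved-licenses page.

```python
"""Expand and classify SPDX license expressions against a known license table.

Everything below is constructed for illustration: the license table, the
policy table and the sample manifest are made up, and are not the SPDX
License List or the Apache resolved-licenses page.
"""

# Constructed license table. Each family lists its known versions in
# publication order and whether the license text offers an "or any later
# version" option. The order is written out explicitly instead of being
# computed from the version strings, because license authors do not version
# consistently ("1.3a" and the like), so there is no general comparison rule.
FAMILIES = {
    "GPL": (["1.0", "2.0", "3.0"], True),
    "LGPL": (["2.0", "2.1", "3.0"], True),
    "LPPL": (["1.2", "1.3a"], True),
    "Apache": (["1.0", "1.1", "2.0"], False),
}
# Identifiers that carry no version at all.
UNVERSIONED = {"MIT", "BSD-3-Clause"}
# Placeholder for versions that do not exist yet (the hypothetical GPL-4.0).
FUTURE = "<unknown later version>"
# Constructed policy table in the style of "Category X": family -> category
# for a project that is itself Apache-2.0. LGPL and LPPL are left out on
# purpose so that gaps show up as "unknown" instead of being silently allowed.
POLICY = {"GPL": "Category X", "Apache": "Category A",
          "MIT": "Category A", "BSD-3-Clause": "Category A"}


def parse_simple(token):
    """Split one license id into (family, version, or_later).

    Accepts the current form (GPL-2.0-only, GPL-2.0-or-later), the
    deprecated pre-3.0 form (GPL-2.0+), a bare versioned id (treated as the
    exact version) and unversioned ids (MIT). Rejects unknown ids and a "+"
    on a license whose text has no later-version clause, e.g. "MIT+".
    """
    or_later = False
    if token.endswith("+"):
        token, or_later = token[:-1], True
    elif token.endswith("-or-later"):
        token, or_later = token[: -len("-or-later")], True
    elif token.endswith("-only"):
        token = token[: -len("-only")]
    if token in UNVERSIONED:
        if or_later:
            raise ValueError(f"{token}+: license has no later-version option")
        return token, None, False
    family, _, version = token.rpartition("-")
    if family not in FAMILIES or version not in FAMILIES[family][0]:
        raise ValueError(f"unknown license id: {token!r}")
    if or_later and not FAMILIES[family][1]:
        raise ValueError(f"{family}-{version}+: license has no later-version option")
    return family, version, or_later


def expand(expression):
    """Expand a flat 'A OR B' expression into the set of normalised ids that
    could satisfy it. '-or-later' contributes the named version, every known
    later version of the family, and the FUTURE placeholder. Results are bare
    'Family-version' ids, i.e. the '-only' suffix is dropped."""
    result = set()
    for token in expression.split(" OR "):
        family, version, or_later = parse_simple(token.strip())
        if version is None:
            result.add(family)
        elif or_later:
            versions = FAMILIES[family][0]
            result.update(f"{family}-{v}" for v in versions[versions.index(version):])
            result.add(f"{family}-{FUTURE}")
        else:
            result.add(f"{family}-{version}")
    return result


def classify(expression):
    """Return every category the expansion can land in. A one-element set
    means the verdict is the same whichever version the downstream user
    picks; more than one element means a human has to look."""
    categories = set()
    for lic in expand(expression):
        key = lic if lic in UNVERSIONED else lic.split("-", 1)[0]
        categories.add(POLICY.get(key, "unknown"))
    return categories


def bundle_license(manifest_text):
    """Pull the Bundle-License attribute out of an OSGi-style manifest."""
    for line in manifest_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Bundle-License":
            return value.strip()
    return None


# Constructed manifest carrying the deprecated "+" spelling.
SAMPLE_MANIFEST = "Bundle-SymbolicName: org.example.dep\nBundle-License: GPL-2.0+\n"

if __name__ == "__main__":
    expr = bundle_license(SAMPLE_MANIFEST)
    print(expr, "->", sorted(expand(expr)), "->", classify(expr))
    for bad in ("MIT+", "Apache-2.0+", "GPL-4.0"):
        try:
            parse_simple(bad)
        except ValueError as err:
            print("rejected:", err)
```

The ordered version list is the design choice that matters: it makes "LPPL-1.2+" expand to LPPL-1.3a only because a maintainer put 1.3a after 1.2 in the table, never because "1.3a" sorts after "1.2" as a string or a number. Anything not in the table (an unknown version, "+" on Apache-2.0 or MIT) is an error rather than a guess, which is the machine-readable equivalence table Vladimir asks for with the validation Jilayne says SPDX itself does not perform.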
