Yes. Please let's do this in a separate thread. I just wanted to introduce SPDX-tech to how Bazel is starting to leverage your effort.
The discussion of the implications of the use of packages under different licenses and the interactions of complex license clauses with compliant delivery of software is a huge topic that needs some legal expertise and well reasoned designs.

On Thu, Apr 23, 2020 at 11:16 AM Gary O'Neall <[email protected]> wrote:

> Hi Vladimir,
>
> This may deserve a different thread, but you raise some good points on limitations on the license expressions below. Have you raised any of these issues with the SPDX group?
>
> I can think of a few solutions:
>
> Note: unfortunately, SPDX license expressions are not well-defined.
>
> For instance, there are license terms that allow the use of "this or later version of the license".
>
> GPL-2.0+ license expression is likely to mean "GPL-2.0 or GPL-3.0 or ...", because "+" means "or later", however, SPDX provides no relationship between GPL-2.0 and GPL-3.0. There's no metadata that tells that GPL-3.0 is a later version of GPL-2.0.
>
> *[G.O.] We could introduce some license metadata in the license XML schema to describe which licenses are versions of the same license. There is a similar proposal for license families. The limitation in implementing the suggestion is volunteers to mark up the license data – if this is an important issue for you and you have bandwidth to help – this can probably be solved.*
>
> On the other hand, there's GPL-2.0-or-later "license" which is effectively the same as GPL-2.0+
>
> *[G.O.] No comment on this one – there were a lot of factors that went into the discussion and decision – I agree it is confusing*
>
> At the same time, "CC_BY_NC_1_0" means "CC_BY_NC_1_0 or CC_BY_NC_2_0 or CC_BY_NC_2_5 or .." because the license text for CC_BY_NC_1_0 contains explicit permission to use the package under later versions of the same CCBYNC license.
>
> *[G.O.] This one we probably won’t tackle as it is interpreting the license. SPDX explicitly stays away from license interpretation and tries to stay with the facts. There are other efforts out there which do provide some machine readable interpretation such as the FINOS License Compliance Handbook <https://www.finos.org/blog/announcing-the-open-source-license-compliance-handbook> which is compatible with SPDX.*
>
> SPDX contains **no** metadata on license equivalence (==SPDX says nothing on what "+" license modifier does), so the checkers would have to implement that on their own (which might result in different implementations by different checkers :( ).
>
> *[G.O.] See SPDX Spec Appendix IV <https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60> “An SPDX License List Short Form Identifier with a unary "+" operator suffix to represent the current version of the license or any later version. For example: GPL-2.0+”. If you feel this definition can be improved, you can submit a pull request for the next release in the SPDX Spec Github repo <https://github.com/spdx/spdx-spec>.*

View/Reply Online (#3874): https://lists.spdx.org/g/Spdx-tech/message/3874
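The gap the thread describes (SPDX defines the "+" operator but supplies no metadata saying which identifiers are later versions of which) is exactly what a license checker has to fill in itself. The following is an added illustration, not code from the thread, from SPDX, or from Bazel: a small Python checker that treats `GPL-2.0+` and `GPL-2.0-or-later` as equivalent, expands "+" through a version-family table that is constructed here as the checker's own policy (SPDX provides none), and evaluates an `AND`/`OR` license expression against an allow-list. Identifiers use SPDX spellings (`CC-BY-NC-1.0`) rather than the underscore names in the thread; `WITH` exceptions are deliberately not modelled.

```python
import re
from typing import FrozenSet, Iterable, Tuple

# Constructed version-family table (assumption, not SPDX data). SPDX itself has
# no metadata relating GPL-2.0 to GPL-3.0, so each checker has to supply this
# and different checkers may disagree. Entries are ordered oldest to newest.
LICENSE_FAMILIES = {
    "GPL": ["GPL-1.0", "GPL-2.0", "GPL-3.0"],
    "LGPL": ["LGPL-2.0", "LGPL-2.1", "LGPL-3.0"],
    "CC-BY-NC": ["CC-BY-NC-1.0", "CC-BY-NC-2.0", "CC-BY-NC-2.5",
                 "CC-BY-NC-3.0", "CC-BY-NC-4.0"],
}


def normalize(license_id: str) -> str:
    """Map '-or-later' onto the '+' spelling and drop '-only' so equal meanings compare equal."""
    if license_id.endswith("-or-later"):
        return license_id[: -len("-or-later")] + "+"
    if license_id.endswith("-only"):
        return license_id[: -len("-only")]
    return license_id


def expand(license_id: str) -> FrozenSet[str]:
    """Return the concrete license versions an identifier can mean.

    'GPL-2.0+' -> {GPL-2.0, GPL-3.0}. A '+' on an identifier with no known
    family is kept literally (e.g. {'Foo-1.0+'}) so it never silently matches
    an allow-list entry for the bare base version.
    """
    lic = normalize(license_id)
    if not lic.endswith("+"):
        return frozenset([lic])
    base = lic[:-1]
    for versions in LICENSE_FAMILIES.values():
        if base in versions:
            return frozenset(versions[versions.index(base):])
    return frozenset([lic])  # no metadata for this family: cannot expand


# Tokens: parentheses, the AND / OR operators, or a license identifier.
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9.+\-]+")


def parse(expr: str) -> Tuple:
    """Recursive-descent parser for AND/OR expressions; OR binds looser than AND."""
    tokens = _TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("OR", node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while peek() == "AND":
            take()
            node = ("AND", node, parse_atom())
        return node

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("ID", tok)

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return tree


def acceptable(expr: str, allowed: Iterable[str]) -> bool:
    """True if the expression can be satisfied using only allow-listed licenses.

    The allow-list is expanded with the same table, so a policy entry such as
    'GPL-3.0-or-later' is compared version by version, not as a literal string.
    """
    allowed_set = frozenset().union(*(expand(a) for a in allowed))

    def ev(node):
        kind = node[0]
        if kind == "ID":
            return bool(expand(node[1]) & allowed_set)
        left, right = ev(node[1]), ev(node[2])
        return (left and right) if kind == "AND" else (left or right)

    return ev(parse(expr))
```

The design point is that `expand` is where the checker's interpretation lives: two checkers with different `LICENSE_FAMILIES` tables will give different answers for the same `GPL-2.0+` package, which is the inconsistency the thread warns about, so the table should be reviewed and versioned as policy rather than treated as a fact SPDX provides.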
