Just a few more points to add into this discussion:

- In SPDX, there are 2 properties related to licenses - declared and concluded. We created 2 properties rather than one to help with some of the issues listed below. Declared relates to the metadata found in the package and concluded is a conclusion reached by the SPDX document creator. So, if you trust the judgement of the SPDX document creator, you may be able to trust the concluded license field. In my day job, I audit software for license compliance and produce SPDX documents with concluded licenses - some of which take quite some time to manually confirm, especially if the open source software package is very old and pre-dates good license compliance practices.
- In SPDX 2.1 an SPDX Lite [1] Annex was added. One of the reasons for adding this Annex was to make it easier for the originator of a package to add metadata in a machine readable form which would enable downstream packages to have accurate information from the package originators.
- Over the past 3-4 years, there has been very good adoption of SPDX license identifiers, SPDX license expressions and clearer license related properties in package managers. For example, NPM now includes much more machine readable license information.
I'm not arguing we are anywhere near our goal of having consistently reliable machine and human readable license information, but we're making some good progress. If you have any specific improvements we can make to the specification itself, please feel free to open an issue in the SPDX spec repo [2].

Gary

[1] https://spdx.github.io/spdx-spec/v2.3/SPDX-Lite/
[2] https://github.com/spdx/spdx-spec/issues

> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Alberto Pianon
> Sent: Sunday, January 15, 2023 10:20 AM
> To: Paul Sherwood <[email protected]>
> Cc: Karsten Klein <[email protected]>; Spdx Tech <spdx-[email protected]>
> Subject: Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)
>
> On 2023-01-15 09:56 Paul Sherwood wrote:
> > Hi Karsten,
> >
> > thank you. Please see my comments inline
> >
> > On 2023-01-14 14:10, Karsten Klein wrote:
> >> I would also argue that SPDX does not help you in this context.
> >
> > Well, in principle, I believe that getting people to think about licencing in general is better than not, so SPDX contributes at least in that way. And if we can establish confidence that the metadata is correct, and in line with our expected usage of software, we can obtain some mitigation against licence compliance risk.
> >
> > My concern is specifically the false confidence situation, i.e. where the presence of SPDX metadata may cause people to assume incorrectly that licencing has been properly dealt with
>
> "properly dealt with" may require a definition too :). There are different approaches in dealing with licenses in complex third-party software components, that depend both on the tools that are used and on the review policy of the IP audit team - policy which in turn may depend on case-specific and context-dependent risk assessments. Such information can hardly, if not at all, be expressed in a machine-readable way.
>
> A project that may address your concerns is openchainproject.org, aimed at building trust in the open source supply chain, with a particular focus on license compliance. It is a Linux Foundation project, too, and its specifications recently became an ISO standard.
>
> Regards,
>
> Alberto
> array.eu

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#4927): https://lists.spdx.org/g/Spdx-tech/message/4927
-=-=-=-=-=-=-=-=-=-=-=-
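As an added illustration of the declared-vs-concluded distinction Gary describes (this is example code, not from his message or from the SPDX project), the check below walks a constructed SPDX 2.3 JSON package list and flags the packages a compliance reviewer would still need to look at: no concluded license, a conclusion reached without any declared metadata, declared and concluded disagreeing, document-local `LicenseRef-` identifiers, and identifiers not on a (constructed, deliberately tiny) license list.

```python
import json
import re

# Constructed excerpt of an SPDX 2.3 JSON document; not a real package inventory.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "libfoo", "versionInfo": "1.2.0",
         "licenseDeclared": "MIT", "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-pkg-b", "name": "oldtool", "versionInfo": "0.3",
         "licenseDeclared": "NOASSERTION", "licenseConcluded": "GPL-2.0-only"},
        {"SPDXID": "SPDXRef-pkg-c", "name": "dualpkg", "versionInfo": "2.0",
         "licenseDeclared": "MIT OR Apache-2.0", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pkg-d", "name": "vendored", "versionInfo": "9",
         "licenseDeclared": "BSD-3-Clause",
         "licenseConcluded": "LicenseRef-Proprietary-Vendor"},
    ],
})

# Constructed subset of the SPDX license list; a real check loads the full list.
KNOWN_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "BSD-3-Clause"}
SPECIAL = {"NOASSERTION", "NONE"}      # SPDX placeholder values, not licenses
OPERATORS = {"AND", "OR", "WITH"}      # SPDX license expression operators


def unknown_ids(expr):
    """Identifiers in a license expression that are neither on the license
    list nor a document-local LicenseRef-* (which ExtractedLicensingInfo must define)."""
    tokens = re.findall(r"[A-Za-z0-9.+\-]+", expr)
    return [t for t in tokens if t not in OPERATORS and t not in SPECIAL
            and t not in KNOWN_IDS and not t.startswith("LicenseRef-")]


def review_packages(sbom_json):
    """Return {SPDXID: [findings]} for packages that still need a human decision."""
    findings = {}
    for pkg in json.loads(sbom_json).get("packages", []):
        declared = pkg.get("licenseDeclared", "NOASSERTION")
        concluded = pkg.get("licenseConcluded", "NOASSERTION")
        notes = []
        if concluded in SPECIAL:
            notes.append("no concluded license: package not audited")
        elif declared in SPECIAL:
            notes.append("concluded without declared metadata: relies on creator's judgement")
        elif declared != concluded:
            notes.append("declared/concluded differ: %s vs %s" % (declared, concluded))
        for bad in unknown_ids(declared) + unknown_ids(concluded):
            notes.append("unknown license identifier: %s" % bad)
        if "LicenseRef-" in concluded:
            notes.append("document-local license: verify its ExtractedLicensingInfo text")
        if notes:
            findings[pkg["SPDXID"]] = notes
    return findings


if __name__ == "__main__":
    for spdx_id, notes in review_packages(SAMPLE_SBOM).items():
        print(spdx_id, "->", "; ".join(notes))
```

Only `SPDXRef-pkg-a`, where declared and concluded agree on a listed identifier, passes silently; the other three surface the kinds of gaps that make a concluded field trustworthy only to the extent the document creator is.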
