I concur with David. A license is in effect a “terms of use” contract which an 
end user agrees to. The SPDX SBOM needs to be very clear on the license that is 
in effect for the software. But, I too am not a lawyer and defer to the legal 
experts on this point.

 

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™ <https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

 

From: [email protected] <[email protected]> On Behalf Of David 
Kemp
Sent: Friday, June 16, 2023 8:24 AM
To: [email protected]
Subject: Re: [spdx-tech] SPDX special meeting on Properties vs Relationships

 

Although it's a technical question, the preferred approach should be driven by 
the legal use case.

* Security classification is an inherent part of a document, and changing it 
means making a different document.
* Annotations can be added to things after the fact, and anyone can chime in 
without changing the artifact.

So if the legal team thinks declared and/or concluded licenses are intrinsic to 
the meaning of the artifact, like classification, they are properties.  If 
different people can have different opinions about those licenses or the 
opinions could change over time, they are relationships.

I don't have a dog in this or an opinion on which better reflects the legal 
status of those licenses, but the technical approach should reflect policy.

David.

 

On Wed, Jun 14, 2023 at 4:20 AM Alexios Zavras <[email protected]> wrote:

Hi all,

 

During the tech call yesterday, we decided we should have an extra meeting to 
advance on the topic of modeling the licensing info.

 

The three questions that will drive the discussion are:

1.      Do we prefer declaredLicense to be a property or a relationship?
2.      Do we prefer concludedLicense to be a property or a relationship?
3.      Do we prefer both of the above to be of the same type?

I think it was made clear that any answer is possible and we can make things 
work. This is about how strong our preferences are and reaching compromises...

 

I've put the names of people who expressed interest in participating explicitly 
(and I don't have David Edelsohn's email), but everyone is welcome to join!

 

In order to determine whether we can find a suitable timeslot this week, I 
created an online poll: please, if you want to attend, mark your preferences at 
https://dud-poll.inf.tu-dresden.de/spdx-prop-rels/. All times are in UTC! 
I'll leave the poll open for 24 hours or so.

 

-- 

zvr

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de> 
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva   
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928




