Patrice, “-only” or “-or-later” are not new identifiers for all SPDX identifiers. The license steward for the GPL class of license has specified, and SPDX has agreed, that the identifiers are “GPL-3.0-only” and “GPL-3.0-or-later”, etc. Those are the officially recognized and approved SPDX identifiers.
Thanks, David -- David Edelsohn, Ph.D. STSM, IBM Open Ecosystem, CTO GNU Toolchain IBM T.J. Watson Research Center +1 914 945 4364 From: <[email protected]> on behalf of "Patrice-Emmanuel SCHMITZ via lists.spdx.org" <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Friday, October 20, 2023 at 08:46 To: Gary O'Neall <[email protected]> Cc: Richard Fontana <[email protected]>, "[email protected]" <[email protected]> Subject: [EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+" mentions Hi Gary, Thanks a lot for this clarification on the reasons why those new SPDX identifiers "-only" and "-or-later" have been created. It was very useful. SPDX is a great initiative and unique identifiers should be considered ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. Report Suspicious <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!12-vrJA_wvVWsG2VuMnohcnrTvfc__HoS6cS066Li4aPB7zcjVcW6EV4IXnLdyuJVoFlPkdR_LZELJ-PEIgkeq5dWKGsWZcs2xYJ7_VwvdNkqVqE4HXqYncpVP8$> ZjQcmQRYFpfptBannerEnd Hi Gary, Thanks a lot for this clarification on the reasons why those new SPDX identifiers "-only" and "-or-later" have been created. It was very useful. SPDX is a great initiative and unique identifiers should be considered as a strong standard. We will definitely try to align all EU projects and datasets on it, but depending on the project officers decision we may perhaps ignore those "-only" and "-or-later" rather confusing identifiers and withdraw them from tools (like the Joinup Licensing Assistant) that currently uses them. No decision is currently taken; it will be discussed soon with relevant POs. Best regards, Patrice-Emmanuel . Le ven. 20 oct. 2023 à 00:44, Gary O'Neall <[email protected]<mailto:[email protected]>> a écrit : Hi Patrice-Emmanuel, Responses inline below. Gary From: Patrice-Emmanuel Schmitz <[email protected]<mailto:[email protected]>> Sent: Thursday, October 19, 2023 2:02 PM To: Richard Fontana <[email protected]<mailto:[email protected]>>; Gary O'Neall <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> Subject: SPDX identifiers for "or-later" or "+" mentions Hi Richard & Gary, At a time I am requested to align various projects and the EC publication office license lists (data sets) I am still uncertain about the SPDX policy of creating "actual" SPDX identifiers for "future" or "later" licenses. I shared concerns with Jilayne but be sure that this is not done for creating some controversy, just to check that the SPDX policy is well understood. * Adding "or-later" (and much more rarely "-only") is indeed a frequent licensor practice because recommended by some license steward. For example if you search Google for "Licensed under the EUPL-1.2-or-later" you will find references. But don’t you think that this mention should be considered as a future intention, commitment or guarantee provided by the licensor and that it should not merit a specific “actual” SPDX ID, because no later text exists at this time? [G.O.] Within SPDX we define a license expression syntax that has a number of operators or modifiers on a given license (e.g., ‘AND’, ‘OR’). For “or later” we defined the “+” operator which can be applied to any license. We do not currently have an operator that defines “only”. In rare cases, we have separate license ID’s to denote only and or-later (see below), but these are not defined in the syntax for the license expressions. Although there is a convention to add “or-later” to some licenses, we did not adopt that syntax for our expressions. * It seems that this addition is done for the GNU licenses (where the licence steward is the FSF – Free Software Foundation) and not for all the others.Is this a special treatment for GNU licenses or is SPDX policy to allow or apply it for all licenses, i.e. depending on the license steward request? [G.O.] Due to strong insistence from the license stewards for GNU licenses, we created separate license ID’s for the “only” and “or-later”. These are not part of the expression syntax and therefore not processed by any of the machine readable SPDX license expression parsers – one would have to read the license notes to understand the semantics. In other words, the “only” and “or-later” is a convention used by GNU that we carried forward in the license ID’s – not something intended to be standardized in the SPDX license syntax. * Has SPDX assessed the risk that this practice would multiply the number of identifiers with uncertain use and possibly add some confusion? [G.O.] In the case of the GNU licenses, the license ID’s are associated with the license text plus the notes. It was highly debated and the risk of confusion was taken into account. In the case of the or-later operator, there is a risk that the “+” operator would be applied to a license that does not have any subsequent license versions, but we decided that was a reasonable risk compared to the benefit of having a machine readable “or-later” operator. * SPDX now considers GPL-3.0, AGPL-3.0, LGPL-3.0 etc. as "deprecated". Did SPDX assess the impact – which could appear as nonsense for most users? [G.O.] Again – highly debated at the time, and yes. We don’t like to deprecate the license ID’s as it does cause issues in our community – but the license steward was extremely insistent. * Until a subsequent version, for example some GPL-4.0, exists, is it consistent to associate the text of the current GPL-3.0 with a specific SPDX identifier "GPL-3.0-or-later"? [G.O.] From what I recall, the reason the license steward insisted on this approach was to force the documenter of the license information to make a decision as to whether it was “only” or “or-later”. I think you would have to defer to the license steward to answer this question. * ·Is it still possible for SPDX to backtrack on this subject or is it a definitive policy? [G.O.] Since the decision to deprecate the previous GPL identifiers consumed significant time and was highly debated, there would likely be considerable resistance to re-opening this issue unless the license steward changed their mind. The pattern of questions seems to indicate you may not agree with the license steward for GPL on many of these topics – perhaps opening a dialog with the license steward could provide you more information. -- Patrice-Emmanuel Schmitz [email protected]<mailto:[email protected]> tel. + 32 478 50 40 65 -- Patrice-Emmanuel Schmitz [email protected]<mailto:[email protected]> tel. + 32 478 50 40 65 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1783): https://lists.spdx.org/g/spdx/message/1783 Mute This Topic: https://lists.spdx.org/mt/102069167/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
