David, It was SPDX's decision to accept those identifiers. This is done apparently after long debates and I'm not going to question it again. However, it will be our decision to use it or not, for example as long the identifier GPL-3.0 exists, we may decide to use it and not use the legally equivalent GPL-3.0-only. But once again, our decision is not fixed yet. It will be debated inside the EU Office of Publication, SEMIC, JOINUP and other EC projects. Kind regards, P-E
Le ven. 20 oct. 2023 à 15:02, David Edelsohn <[email protected]> a écrit : > Patrice, > > > > “-only” or “-or-later” are not new identifiers for all SPDX identifiers. > The license steward for the GPL class of license has specified, and SPDX > has agreed, that the identifiers are “GPL-3.0-only” and “GPL-3.0-or-later”, > etc. Those are the officially recognized and approved SPDX identifiers. > > > > Thanks, David > > > > -- > > David Edelsohn, Ph.D. > > STSM, IBM Open Ecosystem, CTO GNU Toolchain > > IBM T.J. Watson Research Center > > +1 914 945 4364 > > > > *From: *<[email protected]> on behalf of "Patrice-Emmanuel SCHMITZ via > lists.spdx.org" <[email protected]> > *Reply-To: *"[email protected]" <[email protected]> > *Date: *Friday, October 20, 2023 at 08:46 > *To: *Gary O'Neall <[email protected]> > *Cc: *Richard Fontana <[email protected]>, "[email protected]" < > [email protected]> > *Subject: *[EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+" > mentions > > > > Hi Gary, Thanks a lot for this clarification on the reasons why those new > SPDX identifiers "-only" and "-or-later" have been created. It was very > useful. SPDX is a great initiative and unique identifiers should be > considered > > ZjQcmQRYFpfptBannerStart > > *This Message Is From an External Sender * > > This message came from outside your organization. > > * Report Suspicious * > <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!12-vrJA_wvVWsG2VuMnohcnrTvfc__HoS6cS066Li4aPB7zcjVcW6EV4IXnLdyuJVoFlPkdR_LZELJ-PEIgkeq5dWKGsWZcs2xYJ7_VwvdNkqVqE4HXqYncpVP8$> > > > > ZjQcmQRYFpfptBannerEnd > > Hi Gary, > > Thanks a lot for this clarification on the reasons why those new SPDX > identifiers "-only" and "-or-later" have been created. > > It was very useful. > > SPDX is a great initiative and unique identifiers should be considered as > a strong standard. > > We will definitely try to align all EU projects and datasets on it, but > depending on the project officers decision we may perhaps ignore those > "-only" and "-or-later" rather confusing identifiers and withdraw them from > tools (like the Joinup Licensing Assistant) that currently uses them. No > decision is currently taken; it will be discussed soon with relevant POs. > > Best regards, > > Patrice-Emmanuel > > . > > > > > > > > Le ven. 20 oct. 2023 à 00:44, Gary O'Neall <[email protected]> a > écrit : > > Hi Patrice-Emmanuel, > > > > Responses inline below. > > > Gary > > > > *From:* Patrice-Emmanuel Schmitz <[email protected]> > *Sent:* Thursday, October 19, 2023 2:02 PM > *To:* Richard Fontana <[email protected]>; Gary O'Neall < > [email protected]> > *Cc:* [email protected] > *Subject:* SPDX identifiers for "or-later" or "+" mentions > > > > Hi Richard & Gary, > > At a time I am requested to align various projects and the EC publication > office license lists (data sets) I am still uncertain about the SPDX policy > of creating "actual" SPDX identifiers for "future" or "later" licenses. I > shared concerns with Jilayne but be sure that this is not done for creating > some controversy, just to check that the SPDX policy is well understood. > > - Adding "or-later" (and much more rarely "-only") is indeed a > frequent licensor practice because recommended by some license steward. For > example if you search Google for "Licensed under the EUPL-1.2-or-later" you > will find references. But don’t you think that this mention should be > considered as a future intention, commitment or guarantee provided by the > licensor and that it should not merit a specific “actual” SPDX ID, because > no later text exists at this time? > > *[G.O.] Within SPDX we define a license expression syntax that has a > number of operators or modifiers on a given license (e.g., ‘AND’, ‘OR’). > For “or later” we defined the “+” operator which can be applied to any > license. We do not currently have an operator that defines “only”. In > rare cases, we have separate license ID’s to denote only and or-later (see > below), but these are not defined in the syntax for the license > expressions. Although there is a convention to add “or-later” to some > licenses, we did not adopt that syntax for our expressions.* > > - It seems that this addition is done for the GNU licenses (where the > licence steward is the FSF – Free Software Foundation) and not for all the > others.Is this a special treatment for GNU licenses or is SPDX policy to > allow or apply it for all licenses, i.e. depending on the license steward > request? > > *[G.O.] Due to strong insistence from the license stewards for GNU > licenses, we created separate license ID’s for the “only” and “or-later”. > These are not part of the expression syntax and therefore not processed by > any of the machine readable SPDX license expression parsers – one would > have to read the license notes to understand the semantics. In other > words, the “only” and “or-later” is a convention used by GNU that we > carried forward in the license ID’s – not something intended to be > standardized in the SPDX license syntax.* > > - Has SPDX assessed the risk that this practice would multiply the > number of identifiers with uncertain use and possibly add some confusion? > > *[G.O.] In the case of the GNU licenses, the license ID’s are associated > with the license text plus the notes. It was highly debated and the risk > of confusion was taken into account. In the case of the or-later operator, > there is a risk that the “+” operator would be applied to a license that > does not have any subsequent license versions, but we decided that was a > reasonable risk compared to the benefit of having a machine readable > “or-later” operator.* > > - SPDX now considers GPL-3.0, AGPL-3.0, LGPL-3.0 etc. as "deprecated". > Did SPDX assess the impact – which could appear as nonsense for most users? > > *[G.O.] Again – highly debated at the time, and yes. We don’t like to > deprecate the license ID’s as it does cause issues in our community – but > the license steward was extremely insistent.* > > - Until a subsequent version, for example some GPL-4.0, exists, is it > consistent to associate the text of the current GPL-3.0 with a specific > SPDX identifier "GPL-3.0-or-later"? > > *[G.O.] From what I recall, the reason the license steward insisted on > this approach was to force the documenter of the license information to > make a decision as to whether it was “only” or “or-later”. I think you > would have to defer to the license steward to answer this question. * > > - ·Is it still possible for SPDX to backtrack on this subject or is it > a definitive policy? > > *[G.O.] Since the decision to deprecate the previous GPL identifiers > consumed significant time and was highly debated, there would likely be > considerable resistance to re-opening this issue unless the license steward > changed their mind. The pattern of questions seems to indicate you may not > agree with the license steward for GPL on many of these topics – perhaps > opening a dialog with the license steward could provide you more > information.* > > -- > > Patrice-Emmanuel Schmitz > [email protected] > tel. + 32 478 50 40 65 > > > > > -- > > Patrice-Emmanuel Schmitz > [email protected] > tel. + 32 478 50 40 65 > > > > -- Patrice-Emmanuel Schmitz [email protected] tel. + 32 478 50 40 65 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1784): https://lists.spdx.org/g/spdx/message/1784 Mute This Topic: https://lists.spdx.org/mt/102069167/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
