Like Richard, I also believe SPDX should not be overinfluenced by license steward, and consider exclusively legal aspects (and not political aspects). Legally speaking, as soon the exact version number is expressly specified, I do not see the difference between "licensed under the GPL-3.0" and "licensed under the GPL-3.0-only". For example, if source code is expressly licensed under OSL-3.0 it looks clear enough, without the need to create some "-only" version of the OSL-3.0 identifier. But for sure, FSF has political reasons. However, questions will be openly submitted to Project Officers and, as Max underlined, harmonisation according to a standard is good practice.
Le ven. 20 oct. 2023 à 16:17, Richard Fontana <[email protected]> a écrit : > I am not really familiar with the reasons given by the FSF for persuading > SPDX to adopt the `-only` and `-or-later` identifiers. I am not sure if > those reasons were publicized. I generally believe SPDX should not be > overly influenced by license stewards, or particular project maintainers, > in making decisions about license identifiers. > > One problem I have seen around the *GPL identifiers is that license > scanning tools attempting to use SPDX identifiers seem to commonly identify > *GPL license files themselves as inherently signifying the "-only" variant, > when of course this is generally incorrect. The license text is ambiguous > as to later versions by design. Perhaps scanning tools should continue to > use the deprecated base identifier in such cases; maybe SPDX could > recommend this. > > I believe there is a consequence occurring here that the FSF probably > didn't intend: a tendency (in the community of people surrounding the use > of SPDX identifiers) to err on the side of assuming the "-only" version of > the license applies, even in the face of textual evidence or background > cultural practice that "-or-later" is likely the correct license. Of > course, one can question whether any of this really matters most of the > time. > > Richard > > > > On Fri, Oct 20, 2023 at 9:46 AM Patrice-Emmanuel Schmitz < > [email protected]> wrote: > >> David, >> It was SPDX's decision to accept those identifiers. This is done >> apparently after long debates and I'm not going to question it again. >> However, it will be our decision to use it or not, for example as long >> the identifier GPL-3.0 exists, we may decide to use it and not use the >> legally equivalent GPL-3.0-only. >> But once again, our decision is not fixed yet. It will be debated inside >> the EU Office of Publication, SEMIC, JOINUP and other EC projects. >> Kind regards, >> P-E >> >> >> >> Le ven. 20 oct. 2023 à 15:02, David Edelsohn <[email protected]> a >> écrit : >> >>> Patrice, >>> >>> >>> >>> “-only” or “-or-later” are not new identifiers for all SPDX >>> identifiers. The license steward for the GPL class of license has >>> specified, and SPDX has agreed, that the identifiers are “GPL-3.0-only” and >>> “GPL-3.0-or-later”, etc. Those are the officially recognized and approved >>> SPDX identifiers. >>> >>> >>> >>> Thanks, David >>> >>> >>> >>> -- >>> >>> David Edelsohn, Ph.D. >>> >>> STSM, IBM Open Ecosystem, CTO GNU Toolchain >>> >>> IBM T.J. Watson Research Center >>> >>> +1 914 945 4364 >>> >>> >>> >>> *From: *<[email protected]> on behalf of "Patrice-Emmanuel SCHMITZ >>> via lists.spdx.org" <[email protected]> >>> *Reply-To: *"[email protected]" <[email protected]> >>> *Date: *Friday, October 20, 2023 at 08:46 >>> *To: *Gary O'Neall <[email protected]> >>> *Cc: *Richard Fontana <[email protected]>, "[email protected]" < >>> [email protected]> >>> *Subject: *[EXTERNAL] Re: [spdx] SPDX identifiers for "or-later" or "+" >>> mentions >>> >>> >>> >>> Hi Gary, Thanks a lot for this clarification on the reasons why those >>> new SPDX identifiers "-only" and "-or-later" have been created. It was very >>> useful. SPDX is a great initiative and unique identifiers should be >>> considered >>> >>> ZjQcmQRYFpfptBannerStart >>> >>> *This Message Is From an External Sender * >>> >>> This message came from outside your organization. >>> >>> * Report Suspicious * >>> <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!12-vrJA_wvVWsG2VuMnohcnrTvfc__HoS6cS066Li4aPB7zcjVcW6EV4IXnLdyuJVoFlPkdR_LZELJ-PEIgkeq5dWKGsWZcs2xYJ7_VwvdNkqVqE4HXqYncpVP8$> >>> >>> >>> >>> ZjQcmQRYFpfptBannerEnd >>> >>> Hi Gary, >>> >>> Thanks a lot for this clarification on the reasons why those new SPDX >>> identifiers "-only" and "-or-later" have been created. >>> >>> It was very useful. >>> >>> SPDX is a great initiative and unique identifiers should be considered >>> as a strong standard. >>> >>> We will definitely try to align all EU projects and datasets on it, but >>> depending on the project officers decision we may perhaps ignore those >>> "-only" and "-or-later" rather confusing identifiers and withdraw them from >>> tools (like the Joinup Licensing Assistant) that currently uses them. No >>> decision is currently taken; it will be discussed soon with relevant POs. >>> >>> Best regards, >>> >>> Patrice-Emmanuel >>> >>> . >>> >>> >>> >>> >>> >>> >>> >>> Le ven. 20 oct. 2023 à 00:44, Gary O'Neall <[email protected]> a >>> écrit : >>> >>> Hi Patrice-Emmanuel, >>> >>> >>> >>> Responses inline below. >>> >>> >>> Gary >>> >>> >>> >>> *From:* Patrice-Emmanuel Schmitz <[email protected]> >>> *Sent:* Thursday, October 19, 2023 2:02 PM >>> *To:* Richard Fontana <[email protected]>; Gary O'Neall < >>> [email protected]> >>> *Cc:* [email protected] >>> *Subject:* SPDX identifiers for "or-later" or "+" mentions >>> >>> >>> >>> Hi Richard & Gary, >>> >>> At a time I am requested to align various projects and the EC >>> publication office license lists (data sets) I am still uncertain about the >>> SPDX policy of creating "actual" SPDX identifiers for "future" or "later" >>> licenses. I shared concerns with Jilayne but be sure that this is not done >>> for creating some controversy, just to check that the SPDX policy is well >>> understood. >>> >>> - Adding "or-later" (and much more rarely "-only") is indeed a >>> frequent licensor practice because recommended by some license steward. >>> For >>> example if you search Google for "Licensed under the EUPL-1.2-or-later" >>> you >>> will find references. But don’t you think that this mention should be >>> considered as a future intention, commitment or guarantee provided by the >>> licensor and that it should not merit a specific “actual” SPDX ID, >>> because >>> no later text exists at this time? >>> >>> *[G.O.] Within SPDX we define a license expression syntax that has a >>> number of operators or modifiers on a given license (e.g., ‘AND’, ‘OR’). >>> For “or later” we defined the “+” operator which can be applied to any >>> license. We do not currently have an operator that defines “only”. In >>> rare cases, we have separate license ID’s to denote only and or-later (see >>> below), but these are not defined in the syntax for the license >>> expressions. Although there is a convention to add “or-later” to some >>> licenses, we did not adopt that syntax for our expressions.* >>> >>> - It seems that this addition is done for the GNU licenses (where >>> the licence steward is the FSF – Free Software Foundation) and not for >>> all >>> the others.Is this a special treatment for GNU licenses or is SPDX policy >>> to allow or apply it for all licenses, i.e. depending on the license >>> steward request? >>> >>> *[G.O.] Due to strong insistence from the license stewards for GNU >>> licenses, we created separate license ID’s for the “only” and “or-later”. >>> These are not part of the expression syntax and therefore not processed by >>> any of the machine readable SPDX license expression parsers – one would >>> have to read the license notes to understand the semantics. In other >>> words, the “only” and “or-later” is a convention used by GNU that we >>> carried forward in the license ID’s – not something intended to be >>> standardized in the SPDX license syntax.* >>> >>> - Has SPDX assessed the risk that this practice would multiply the >>> number of identifiers with uncertain use and possibly add some confusion? >>> >>> *[G.O.] In the case of the GNU licenses, the license ID’s are associated >>> with the license text plus the notes. It was highly debated and the risk >>> of confusion was taken into account. In the case of the or-later operator, >>> there is a risk that the “+” operator would be applied to a license that >>> does not have any subsequent license versions, but we decided that was a >>> reasonable risk compared to the benefit of having a machine readable >>> “or-later” operator.* >>> >>> - SPDX now considers GPL-3.0, AGPL-3.0, LGPL-3.0 etc. as >>> "deprecated". Did SPDX assess the impact – which could appear as nonsense >>> for most users? >>> >>> *[G.O.] Again – highly debated at the time, and yes. We don’t like to >>> deprecate the license ID’s as it does cause issues in our community – but >>> the license steward was extremely insistent.* >>> >>> - Until a subsequent version, for example some GPL-4.0, exists, is >>> it consistent to associate the text of the current GPL-3.0 with a >>> specific >>> SPDX identifier "GPL-3.0-or-later"? >>> >>> *[G.O.] From what I recall, the reason the license steward insisted on >>> this approach was to force the documenter of the license information to >>> make a decision as to whether it was “only” or “or-later”. I think you >>> would have to defer to the license steward to answer this question. * >>> >>> - ·Is it still possible for SPDX to backtrack on this subject or is >>> it a definitive policy? >>> >>> *[G.O.] Since the decision to deprecate the previous GPL identifiers >>> consumed significant time and was highly debated, there would likely be >>> considerable resistance to re-opening this issue unless the license steward >>> changed their mind. The pattern of questions seems to indicate you may not >>> agree with the license steward for GPL on many of these topics – perhaps >>> opening a dialog with the license steward could provide you more >>> information.* >>> >>> -- >>> >>> Patrice-Emmanuel Schmitz >>> [email protected] >>> tel. + 32 478 50 40 65 >>> >>> >>> >>> >>> -- >>> >>> Patrice-Emmanuel Schmitz >>> [email protected] >>> tel. + 32 478 50 40 65 >>> >>> >>> >>> >> >> -- >> Patrice-Emmanuel Schmitz >> [email protected] >> tel. + 32 478 50 40 65 >> > > -- Patrice-Emmanuel Schmitz [email protected] tel. + 32 478 50 40 65 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1787): https://lists.spdx.org/g/spdx/message/1787 Mute This Topic: https://lists.spdx.org/mt/102069167/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
