Hi all,

Me and others have raised this several times before. I regard this as rather a political blooper.

However, to manifest the critique and channel the discussion and arguments, I propose filing a change proposal at https://github.com/spdx/change-proposal. This increases visibility and weight within the SPDX community.


Kind regards,
Karsten 


On 20.10.2023 at 18:32, Kyle Mitchell <[email protected]> wrote:


I'm not familiar with the reasons for `-only` and `-or-later` GNU-specific extensions, either. If there's a short summary somewhere, I'd appreciate a link. Not least to link other people to.

I've had to deal with some fallout. Technical changes for compliance tools. I don't know how many GitHub issues and e-mails pleading confusion.

I can confirm Richard's point on defaults: The typical approach I've seen is to interpret `GPL-x.y` as version x.y only. If two readings are possible, only the more conservative is safe. This was also arguably implied by the expression syntax. No `+`, no other license versions. In tooling I maintain, we convert `GPL-2.0-or-later` into `GPL-2.0+` and `GPL-2.0-only` into `GPL-2.0`, then pretend `-or-later` and `-only` never happened.

I've been under various pressures to "fork" or "superset" SPDX pretty much since the beginning of implementation for package managers. That includes ignoring deprecation of the unsuffixed GNU license IDs more recently. Thousands of devs quite naturally put `GPLv2` or the like in license metadata to start. Then we badgered them over to `GPL-2.0` or `GPL-2.0+`, which at least made sense for uniformity. Yet another round of deprecation warnings, this time to treat the licenses unlike all the rest, felt like jerking them around.

From the outside looking in, the license list is just a list of strings. If you also take expressions, that grammar's simpler than the C-style math students implement in intro compiler courses. Discovering that's somehow also a source of arbitrary-feeling, user-facing deprecations disappoints people. From the EU group's or any other, similar perspective, there's not a lot of "standard" here to adopt if you're not doing full documents.

What's done is done. Offering this up just for perspective, from "downstream".

For something constructive, I'd support a clarification that `GPL-2.0` = `GPL-2.0-only` and `GPL-2.0+` = `GPL-2.0-or-later`, semantically, coupled with a rollback of the deprecations on the bare IDs.

--
Kyle E. Mitchell, attorney // Oakland, California, USA
