SPDX meta-tag for implicit license terms

2013-12-10 Thread Wolfgang Denk
Hello,

after converting the U-Boot project to use SPDX meta-tags, we now
started working on another Open Source project; here we face a
somewhat different situation:  a large number of the individual source
files do not contain any per-file license header at all.  Instead,
they rely on the fact that they inherit the global, project-wide
license as defined in the top level README and COPYING files.

My understanding is that this is technically and legally clean as is.

However, I see a handling problem here:  the conversion of the project
to use SPDX meta-tags will probably be an incremental process, and
there will be some period of time (eventually even a long one) where
files still exist that have not been converted yet.

I would like to define a way to mark such files where implicit
licensing applies, so that we do not have to check these again and
again.

Of course we could insert a license tag corresponding to the actual
project-wide license, but such a modification is considered intrusive
by some of the affected people.

I think it would be better (and more easily acceptable by the respective
copyright holders) to have some "neutral" SPDX meta-tag that reflects
the fact that this file inherits the project's global license terms.

Would such a meta-tag be acceptable to the SPDX team?

I'm still looking for a good "name" for such a tag; suggestions we
have so far include:

SPDX-License-Identifier: implicit

SPDX-License-Identifier: inherit

SPDX-License-Identifier: none

SPDX-License-Identifier: -

Suggestions and comments welcome...

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
There is a time in the tides of men, Which, taken at its flood, leads
on to success. On the other hand, don't count on it.   - T. K. Lawson
___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal


Re: SPDX meta-tag for implicit license terms

2013-12-10 Thread Fendt, Oliver
Hi,

As far as I understood the standard, one would express this kind of association 
(file without license information - is assumed to be licensed under the 
"concluded" license of the package) with the following elements on file level:
LicenseInfoInFile: NONE
License concluded: SPDX Identifier of the "concluded" license of the package

Would it be possible to transfer the information from the SPDX file to the 
package? Meaning that those files will receive (or better to say: these files 
will be modified with) the strings:
LicenseInfoInFile: NONE
License concluded: SPDX Identifier of the "concluded" license of the package

This is just a suggestion

Best Regards 
Oliver Fendt

Siemens AG
Corporate Technology
Corporate Standards & Guidance
CT CSG SWI OSS
Otto-Hahn-Ring 6
81739 München, Deutschland
Tel: +49 89 636-46033
mailto:oliver.fe...@siemens.com




Re: SPDX meta-tag for implicit license terms

2013-12-10 Thread kate . stewart
Hello Wolfgang,


>- Original Message -
>From: Wolfgang Denk 
>To: spdx-t...@lists.spdx.org; spdx-legal@lists.spdx.org
>Cc: "Meier, Roger" 
>Sent: Tuesday, December 10, 2013 4:09 AM
>Subject: SPDX meta-tag for implicit license terms
>
>Hello,
>
>after converting the U-Boot project to use SPDX meta-tags, we now
>started working on another Open Source project; here we face a
>somewhat different situation:  a large number of the individual source
>files do not contain any per-file license header at all.  Instead,
>they rely on the fact that they inherit the global, project-wide
>license as defined in the top level README and COPYING files.
>
>My understanding is that this is technically and legally clean as is.
>
>However, I see a handling problem here:  the conversion of the project
>to use SPDX meta-tags will probably be an incremental process, and
>there will be some period of time (eventually even a long one) where
>files still exist that have not been converted yet.
>
>I would like to define a way to mark such files where implicit
>licensing applies, so that we do not have to check these again and
>again.
>
>Of course we could insert a license tag corresponding to the actual
>project-wide license, but such a modification is considered intrusive
>by some of the affected people.
>
>I think it would be better (and more easily acceptable by the respective
>copyright holders) to have some "neutral" SPDX meta-tag that reflects
>the fact that this file inherits the project's global license terms.
>
>Would such a meta-tag be acceptable to the SPDX team?
>
>I'm still looking for a good "name" for such a tag; suggestions we
>have so far include:
>
>    SPDX-License-Identifier: implicit
>
>    SPDX-License-Identifier: inherit
>
>    SPDX-License-Identifier: none
>
>    SPDX-License-Identifier: -
>
>Suggestions and comments welcome...

I recommend we conform to the existing terms already in the specification
to handle this type of ambiguity, in Section 6.5 of version 1.2 which details
how the License Information In File is specified.

6.5.1 Purpose: This field contains the license information actually found in
the file, if any. Any license information not actually in the file, e.g.,
“COPYING.txt” file in a top level directory, should not be reflected in this
field. This information is most commonly found in the header of the file,
although it may be in other areas of the actual file. The options to populate
this field are limited to:

   (a) the SPDX License List short form identifier, if the license is on the
       SPDX License List;
   (b) a reference to the license, denoted by LicenseRef-[idString], if the
       license is not on the SPDX License List;
   (c) NONE, if the actual file contains no license information whatsoever; or
   (d) NOASSERTION, if the SPDX file creator has not examined the contents of
       the actual file or the SPDX file creator has intentionally provided no
       information (no meaning should be implied by doing so).

With respect to “a” and “b” above, if license information for more than one
license is contained in the file or if the license information offers the
package recipient a choice of licenses, then each of the choices should be
listed as a separate entry.


Where there is no license present, using "NOASSERTION" is probably the best 
option when the discussion has not been had with the creator, and using "NONE" 
when it is known to be a deliberate choice. 

i.e.
   SPDX-License-Identifier: NOASSERTION
or
   SPDX-License-Identifier: NONE

Hope this helps, 
Kate
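
An added example (not part of the thread and not SPDX project code) of the file-level mapping Oliver and Kate describe: each file gets a LicenseInfoInFile value per options (a)-(d) of 6.5.1, and only files with NONE inherit the package's concluded license. The sample files, the GPL-2.0+ package license and the notice heuristic are constructed assumptions, and the entry is abbreviated to four SPDX tag-value fields.

```python
import hashlib
import re

# SPDX meta-tag as it appears in a source comment.
TAG_RE = re.compile(r"SPDX-License-Identifier:[ \t]*([^\r\n]*)")
# Heuristic for license text without a meta-tag (assumption of this sketch, not from SPDX).
NOTICE_RE = re.compile(r"licen[sc]ed?\s+under|permission is hereby granted|see\s+copying", re.I)

# Constructed sample tree: file name -> raw contents.
SAMPLE = {
    "./board/init.c": b"/*\n * SPDX-License-Identifier: BSD-3-Clause\n */\nint init(void) { return 0; }\n",
    "./lib/crc.c": b"unsigned crc(unsigned x) { return x ^ 0xffffffffu; }\n",
    "./lib/util.c": b"/* SPDX-License-Identifier: NONE */\nint util(void) { return 1; }\n",
    "./doc/logo.bin": b"\xff\xfe\x00\x01",
    "./net/tftp.c": b"/* Licensed under the terms in the vendor agreement. */\n",
}


def license_info_in_file(data):
    """Map a file's bytes to a LicenseInfoInFile value per options (a)-(d) of 6.5.1."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "NOASSERTION"           # (d) contents could not be examined
    match = TAG_RE.search(text)
    if match:
        # Drop a trailing comment closer such as "*/" before using the value.
        value = match.group(1).replace("*/", "").strip()
        return value or "NOASSERTION"  # empty tag: nothing usable was stated
    if NOTICE_RE.search(text):
        return "NOASSERTION"           # license text present but unidentified: needs review
    return "NONE"                      # (c) no license information whatsoever


def file_entry(name, data, package_license):
    """Build the file-level tag-value lines for the SPDX document."""
    in_file = license_info_in_file(data)
    if in_file == "NONE":
        concluded = package_license    # file inherits the project-wide license
    else:
        concluded = in_file            # identifier from the tag, or NOASSERTION for review
    return [
        f"FileName: {name}",
        f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}",
        f"LicenseConcluded: {concluded}",
        f"LicenseInfoInFile: {in_file}",
    ]


if __name__ == "__main__":
    for name, data in SAMPLE.items():
        print("\n".join(file_entry(name, data, "GPL-2.0+")), end="\n\n")
```

A file copied in from another project with its own notice but no tag comes out as NOASSERTION rather than silently inheriting the package license, which is the failure Mark and Jilayne warn about elsewhere in the thread.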


RE: SPDX meta-tag for implicit license terms

2013-12-10 Thread Gisi, Mark
>> Instead, they rely on the fact that they inherit the global, project-wide 
>> license as defined in the top 
>> level README and COPYING files.

Although a global license file is a commonly used approach, I would categorize 
it as a "bad" practice from a license compliance perspective. It is analogous 
to programming with global variables which, in most situations, is also 
considered a bad practice for similar reasons. Global License files are 
particularly problematic when a lot of code sharing takes place between 
projects. Consider the following:
  1) one project copies a file from another project where the projects are 
under different licenses;
  2) both projects use the global license file approach; and
  3) due to lack of good discipline - the license info does not travel with the 
file

Now you have a file with incorrect licensing info.  This is a big problem 
because file sharing, the core activity that fuels the open source movement, 
occurs in a big way. Including a license notice in every file is, by far, the 
best practice because the license information travels with the file. There is a 
reason why high quality disciplined projects include a license notice in every 
single file (e.g., Apache, Eclipse, Kernel.org, Busybox). 

By the way, including a COPYING file is a good practice when the sole purpose 
of the file is to provide a copy of the license.

>> My understanding is that this is technically and legally clean as is.

Different organizations (e.g., projects, foundations and companies) may reach 
different technical and legal conclusions on how clean it is. Some 
organizations may be ok with this interpretation while others may see this as a 
real problem. 

All in all, from a compliance perspective - THERE IS NO BETTER PRACTICE THAN 
INCLUDING A CLEAR LICENSE NOTICE IN EVERY FILE. All other approaches increase 
the risk of losing key licensing information with the increase in code sharing. 
Meta tagging should augment an already existing license notice for the sole 
purpose of automating the generation of an SPDX file for a given project. Meta 
tagging should NOT serve as a replacement for a license notice.

regards,
Mark

Mark Gisi | Wind River | Senior Intellectual Property Manager
Tel (510) 749-2016 | Fax (510) 749-4552





RE: SPDX meta-tag for implicit license terms

2013-12-11 Thread Wheeler, David A
Gisi, Mark:
> All in all, from a compliance perspective - THERE IS NO BETTER PRACTICE THAN 
> INCLUDING A CLEAR LICENSE NOTICE IN EVERY FILE.

Sure.  However, in a world where a LARGE number of people intentionally include 
NO LICENSE and wrongly assert that "no license"=="I can do anything I want", 
I'm delighted to have *one* well-understood license with the software package.  
Github has since made major improvements, but this is still useful for context: 
http://www.infoworld.com/d/open-source-software/github-needs-take-open-source-seriously-208046.
  My "thanks" to the people at RIAA et al who have successfully convinced many 
in a generation that copyright is a no-longer-relevant or evil law and that 
"all the cool kids" ignore it :-(.

At this point I'm trying to get people to include a well-understood 
lawyer-and-OSI-approved OSS license SOMEWHERE in their project if they intend 
to release software as OSS.  Getting license text into every file is lower in 
my priority list.  It's hard to water the plants when the building is on fire.

But I agree that per-file is best.  If you want a clear license notice in every 
file, it needs to be REALLY EASY to add. Adding a lot of text in a large number 
of files is less likely to happen.

--- David A. Wheeler




Re: SPDX meta-tag for implicit license terms

2013-12-19 Thread Jilayne Lovejoy
I would agree with Oliver's point, as well as Kate's - that we should be 
consistent with what is already defined in the standard.  Oliver has concisely 
summarized the information you would expect to find in the SPDX document for 
the file level information for a file that has no license info in it - that is, 
as Kate also pointed out, the LicenseInfoInFile would be NONE or NOASSERTION 
and then the Concluded License field would be used to declare the license based 
upon extrinsic (e.g. directory level license) information.

The question here seems to be a matter of order: can the fields of the spec 
also be used for meta-tagging preemptively?  And if so, would such information 
then be dumped into the SPDX file for the project.  Or the other way around, 
could information from an SPDX file for an entire project be used to generate 
file-level meta-tags?

While I completely agree with Mark that file-level licensing information is the 
way to go ultimately, the concept of someone determining the license for 
unmarked files and then inserting some license information seems to be treading 
in potentially dangerous water - if someone is incredibly diligent in this 
process, it could be incredibly helpful; but if they are sloppy in even the 
slightest bit (perhaps, unknowingly so), then you have license information that 
is wrong.  It might be safer to just leave this info, that is, the concluded 
license for files with no explicit license info, in the SPDX document that will 
go with the package (and its files) and leave the preemptive meta-tagging to 
project/file authors.  If someone really wanted to, I suppose they could 
generate the tags from the SPDX document as suggested below, but then that 
seems a bit like replacing or duplicating some of the SPDX file…

just my off-the-top of my head (and late) thoughts on the matter… (which I 
reserve the right to alter upon further discussion)

Jilayne


SPDX Legal Team lead
lovejoyl...@gmail.com




On Dec 10, 2013, at 4:45 AM, "Fendt, Oliver"  wrote:

> Hi,
> 
> As far as I understood the standard, one would express this kind of 
> association (file without license information - is assumed to be licensed 
> under the "concluded" license of the package) with the following elements on 
> file level:
> LicenseInfoInFile: NONE
> License concluded: SPDX Identifier of the "concluded" license of the package
> 
> Would it be possible to transfer the information from the SPDX file to the 
> package? Meaning that those files will receive (or better to say: these files 
> will be modified with) the strings:
> LicenseInfoInFile: NONE
> License concluded: SPDX Identifier of the "concluded" license of the package
> 
> This is just a suggestion
> 
> Best Regards 
> Oliver Fendt
> 
> Siemens AG
> Corporate Technology
> Corporate Standards & Guidance
> CT CSG SWI OSS
> Otto-Hahn-Ring 6
> 81739 München, Deutschland
> Tel: +49 89 636-46033
> mailto:oliver.fe...@siemens.com
> 