The call yesterday revealed to me that there are *two* kinds of license version
ambiguity in SPDX license expressions.
I don't know if this is actually a problem, or if it is, that solving it is
worth the trouble. For many people the "second kind" is probably immaterial.
However, I want to record the subtlety here for the record, and for discussion
in case people think that this *is* a problem that needs solving. I thought it
should at least be captured somewhere, so that others can determine whether or
not this subtlety is important. Details below.
Thanks.
--- David A. Wheeler
=== DETAILS ===
In short, there are two different kinds of version number ambiguities in a
license:
1. A particular version of a license is known to be acceptable, but it's
unclear if later versions are acceptable. This is what we've focused on.
2. A license name is referenced, but no particular version of it is identified,
so it's unclear *which* version(s) of the license are acceptable.
I'm primarily concerned with case #1. It's becoming quite common to copy a
particular license (with a particular version) into a repository, and that is
the *ONLY* information explaining what license is acceptable. At that point,
it's not always clear if "or later" is acceptable unless the license
*specifically* says that later versions are automatically acceptable. The FSF
rep yesterday noted that people should be following license instructions on how
to include the license, which is fair enough, but people don't always follow
directions :-). The current proposals (e.g., on an ONLY operator) focus on
this issue, and I think this is the main concern today.
Case #2 is a different situation, where we have *no* idea what license version
is being applied. It can occur when (for example) someone says "This is
licensed under the GPL" or "This is licensed under the CC-BY license". SPDX's
license expressions do not have a direct way to say "I don't know which
version", and license identifiers are all tied to a specific version.
It's not clear that case #2 is *really* a significant problem. If all you
care about is "what is acceptable", in many cases a SPDX license expression can
capture the final result of what's acceptable, though that appears to depend on
the text of the individual license. In particular, all versions of the GPL
license (so far!) say that if you don't specify a version, the recipient can
use any version. So you can express the rights granted by "GPL no version
specified" as the license expression "GPL-1.0+". However, this expression
appears to depend on the specifics of the license, and I suspect that you
cannot do this with all licenses. There's also a small loss of information, as
you can't distinguish between "This is licensed under any version of LICENSE"
and "This is licensed under LICENSE (but I won't tell you which version)" -
which is probably irrelevant for the GPL, but might be important for some other
licenses.
If SPDX wanted to capture case #2, the situation where "version number
completely unknown", one approach would be to allow license identifiers to
*omit* the version number to mean "version number unknown". E.g., "GPL" would
mean "GPL, I don't know which version(s)". However, that would create
hardships for unversioned licenses like MIT - if there is ever an MIT license
version 2.0, then "MIT-2.0" would suddenly render all the uses of "MIT"
ambiguous. I think that would be unacceptable. In any case, it's a common
mistake to just use "GPL" when a specific version *is* present, and we don't
want to make it easy to make hard-to-detect mistakes. So instead, I think
replacing "-version" with a special marker like "-?" or "-UNKNOWN" would be the
better approach. You'd then capture this situation as "GPL-?" or
"GPL-UNKNOWN". That would expressly capture "version number uncertain". I
think that'd be the way to go *if* this case #2 is worth capturing.
That said, it's not clear to me that this information of case #2 really needs to
be captured. Others may know of more critical cases, though, so I thought it'd
be important to record this.
Thanks for reading all the way to the end...!
___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal
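As an added example (not part of David's message and not SPDX's own tooling), a small Python model of the identifier forms discussed above: a trailing "+" for case #1, the proposed "-?" / "-UNKNOWN" marker for case #2, and a policy check that fails closed on an unknown version unless the license text itself lets it be rewritten as "earliest version or later", as the message notes the GPL does. The approved-license table and the any-version-if-unstated table are constructed assumptions, not real policy.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy: (license, version) pairs approved; None = unversioned (MIT).
APPROVED = {("GPL", "2.0"), ("GPL", "3.0"), ("MIT", None), ("Apache", "2.0")}
# Licenses whose text says "no version stated means any version" (the email
# notes the GPL does this), with their earliest version. Constructed table.
ANY_VERSION_IF_UNSTATED = {"GPL": "1.0"}
# Shapes modelled: NAME, NAME-1.0, NAME-1.0+, and the proposed NAME-? / NAME-UNKNOWN.
_ID = re.compile(r"^(.+?)(?:-(\d+(?:\.\d+)*|UNKNOWN|\?))?(\+)?$")

@dataclass(frozen=True)
class LicenseRef:
    name: str
    version: Optional[str]  # None for unversioned licenses and unknown versions
    or_later: bool          # trailing "+", as in "GPL-1.0+" (case #1)
    unknown: bool           # proposed "-?" / "-UNKNOWN" marker (case #2)

def parse(ident: str) -> LicenseRef:
    m = _ID.match(ident)
    if not m:
        raise ValueError(f"not a license identifier: {ident!r}")
    name, ver, plus = m.groups()
    unknown = ver in ("UNKNOWN", "?")
    return LicenseRef(name, None if unknown else ver, plus is not None, unknown)

def _vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def normalize(ident: str) -> str:
    """Rewrite an unknown-version reference to the rights it actually grants,
    but only where the license text itself permits that; otherwise unchanged."""
    ref = parse(ident)
    if ref.unknown and ref.name in ANY_VERSION_IF_UNSTATED:
        return f"{ref.name}-{ANY_VERSION_IF_UNSTATED[ref.name]}+"
    return ident

def acceptable(ident: str, approved=APPROVED) -> bool:
    """Policy check. An unknown version fails closed: the expression does not
    say which license text applies, so a reviewer must resolve it first."""
    ref = parse(ident)
    if ref.unknown:
        return False
    versions = {v for n, v in approved if n == ref.name}
    if ref.version is None:           # unversioned license, e.g. "MIT"
        return None in versions
    if ref.or_later:                  # "GPL-1.0+": any approved version >= 1.0
        return any(v and _vtuple(v) >= _vtuple(ref.version) for v in versions)
    return ref.version in versions    # exact version only
```

Note that "MIT-2.0" is rejected while "MIT" is accepted, which is the distinction the message says a bare-identifier-means-unknown rule would blur.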