Re: only/or later and the goals of SPDX

2017-11-07 Thread W. Trevor King
On Tue, Nov 07, 2017 at 11:31:07AM -0700, J Lovejoy wrote:
> https://fedoraproject.org/wiki/Licensing:Main#Good_Licenses

And they have an official position on the javierwilson/tonto case,
where the GPL-3.0 text is in LICENSE, but no other file in the
repository contains copyright or licensing information.  From the
Fedora wiki:

  Full Name: GNU General Public License (no version)
  Short Name: GPL+
  FSF Free? Yes
  GPLv2 Compat? Yes
  GPLv3 Compat? Yes
  Notes (stuffed into the “Upstream URL” column):
    A GPL or LGPL licensed package that lacks any statement of what
    version that it's licensed under in the source code/program
    output/accompanying docs is technically licensed under *any*
    version of the GPL or LGPL, not just the version in whatever
    COPYING file they include.

so their position is that the presence of a particular version of the
text in the COPYING (or presumably LICENSE, etc.) does not count as
the program specifying a version of the license [2].

Cheers,
Trevor

[1]: https://github.com/javierwilson/tonto/tree/75be0678be565872cbe7b99d5af4a1946393ee77
[2]: https://github.com/spdx/license-list-XML/blob/4aac6f8459901a6061c243cbfa3970afb39e3879/src/GPL-1.0.xml#L169-L170

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal


Re: only/or later and the goals of SPDX

2017-11-07 Thread J Lovejoy
(top-posting, as this part isn’t directly related)

It just occurred to me that how SPDX currently has the identifiers: plain 
GPL-2.0 and GPL-2.0+ is the same pattern that Fedora uses: they have a slightly 
different nomenclature, but also have a “plain” identifier and the + version: 
GPLv2 and GPLv2+ - see: 
https://fedoraproject.org/wiki/Licensing:Main#Good_Licenses 


Point being, even though Fedora has not fully adopted SPDX identifiers, we have 
a long-standing effort of aligning as much as we can - so any change we make, 
we need to keep them in the loop as well.  I have emailed Tom Callaway to make 
him aware of the proposal over here.

Jilayne

> On Nov 6, 2017, at 10:21 PM, W. Trevor King  wrote:
> 
> On Mon, Nov 06, 2017 at 09:12:20PM -0800, W. Trevor King wrote:
>> On Mon, Nov 06, 2017 at 09:22:50PM -0700, J Lovejoy wrote:
>>> Adding option B.(as per my previous email):
>>> B. Add “only” to GPL-2.0, add GPL-2.0+ back to the license list as
>>> a separate line item. keep the + operator to be used with other
>>> licenses. This would effectively treat the GNU family licenses
>>> differently, and also makes it so the identifiers always indicate
>>> “only” or “any later version”.
>> 
>> I think the CDDL family is, like the GPL family, compatible with
>> both + and only [1].  I'm not excited about special-casing the GPL.
> 
> And a stronger argument against this is that you cannot extend it to
> cover the PROXY case [1].  We're punting on that for now, but I think
> we need to stick with:
> 
> * a license identifier for the license and
> * versioning operators to produce the grants.
> 
> if we want to address the PROXY case later.

good point - it is more extensible all around.

> 
> Cheers,
> Trevor
> 
> [1]: https://lists.spdx.org/pipermail/spdx-legal/2017-August/002110.html
> Subject: Re: joint call legal/tech team - Tuesday, Aug 8
> Date: Fri, 04 Aug 2017 17:03:26 -0700
> Message-ID: <20170805000326.gw23...@valgrind.tremily.us>
> 
> -- 
> This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
> For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy



Re: only/or later and the goals of SPDX

2017-11-07 Thread W. Trevor King
On Tue, Nov 07, 2017 at 10:19:31AM +0100, Philippe Ombredanne wrote:
> I think that whatever is done on the SPDX side to be
> precise vs. being accurate-enough and good-enough will unlikely ever
> be adopted as the magnitude of the education and changes required
> would be immense…

Backwards compat is certainly important, and the plan with a new ONLY
operator would be to have tooling warn, but not error, on ambiguous
declarations like ‘GPL-2.0’ for the next few years [1].  Then when
SPDX cuts a 3.0, we'd start erroring on ‘GPL-2.0’ and only support
‘GPL-2.0+’ or ‘GPL-2.0 ONLY’.  And depending on how the rest of this
works out, ‘GPL-2.0 AMBIGUOUS’ or ‘GPL-2.0 OR-MAYBE GPL-2.0+’.

Being able to warn/error on ambiguously versioned declarations is why
I want to compatibleWith… metadata.

And to keep supporting folks who will never update their declarations,
we just need to version the license-expression-consuming fields.  For
example, we could explicitly make ‘SPDX-License-Identifier’ [2] mean
“a 2.x SPDX license expression” and create a new field
(SPDX-License-Identifier-3?) for “a 3.x SPDX license expression”.

External consumers could do the same thing.  For example, npm's
package.json is already explicitly an SPDX 2.0 license expression [3].
That means they only have access to the 2.0 license list (2015-04
[4]), not SPDX 2.1's 2.5 license list (2016-07 [5]).  Which means they
cannot use 0BSD or other identifiers which were added between list 2.0
and list 2.5.  If/when the npm community wants to explicitly support
those newer expressions, they can bump their supported SPDX version.
And it will be up to them whether they decide to do that with a new
field or whether they'd rather change the semantics of their existing
field.  [3] discusses a previous ‘licenses’ which had different
semantics, so they've used the new-field approach in the past.

> … for minuscule benefits…

I think the FSF has a reasonable point that ‘GPL-2.0’ by itself isn't
immediately obvious to folks who don't bother to look it up in the
spec.  If they do look it up, they can see that we intend it to be
‘GPL-2.0 ONLY’.  But in 2015, you guessed it to be ‘GPL-2.0+’ [6].
Suggesting (and, in a few years and/or with SPDX 3.0, requiring) an
explicit versioning operator will make the semantics much more clear
to casual readers.  I think that's a more-than-minuscule benefit.

> … and hyper confusion.

Can you go into more details about the confusion you expect?  There
will certainly be a maintenance *cost*, as current ‘GPL-2.0’ users
update their strings to use the new ONLY operator (or another
versioning operator, if they hadn't realized that ‘GPL-2.0’ meant
‘GPL-2.0 ONLY’).  But I don't see a new source of confusion.

Cheers,
Trevor

[1]: https://wiki.spdx.org/view/Technical_Team/Minutes/2017-08-07
[2]: https://spdx.org/spdx-specification-21-web-version#h.twlc0ztnng3b
[3]: https://docs.npmjs.com/files/package.json#license
[4]: https://spdx.org/sites/cpstandard/files/pages/files/spdx-2.0.pdf#page=64
[5]: https://spdx.org/spdx-specification-21-web-version#h.1jlao46
[6]: https://lists.spdx.org/pipermail/spdx-legal/2015-November/001537.html
 Subject: Is "+" a valid character of a LicenseRef idstring?
 Date: Mon Nov 2 09:56:47 UTC 2015

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
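
The warn-then-error behaviour discussed in the message above, as an added example that is not part of the thread or of any SPDX tooling. It assumes the proposed ‘GPL-2.0 ONLY’ / ‘GPL-2.0+’ syntax from the thread; the family prefixes are a constructed stand-in for the per-license metadata the message asks for, and `check_source` and its `spec_major` parameter are hypothetical names.

```python
import re

# Assumption: families whose bare identifier is ambiguous. The thread names the
# GPL and CDDL families; this prefix list is a constructed sample standing in
# for per-license metadata.
VERSIONED_FAMILIES = ("GPL-", "LGPL-", "AGPL-", "CDDL-")
KEYWORDS = {"AND", "OR", "WITH", "ONLY"}
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.\-]+\+?")
TAG = re.compile(r"SPDX-License-Identifier:\s*(.*)")


def ambiguous_ids(expression):
    """Return identifiers from versioned families with neither '+' nor 'ONLY'."""
    tokens = TOKEN.findall(expression)
    found = []
    for i, tok in enumerate(tokens):
        if tok in KEYWORDS or tok in ("(", ")"):
            continue
        if i > 0 and tokens[i - 1] == "WITH":
            continue  # exception identifier, not a license
        if not tok.startswith(VERSIONED_FAMILIES):
            continue
        has_only = i + 1 < len(tokens) and tokens[i + 1] == "ONLY"
        if not tok.endswith("+") and not has_only:
            found.append(tok)
    return found


def check_source(lines, spec_major=2):
    """Lint SPDX-License-Identifier tags: warn under 2.x, error under 3.x."""
    level = "warning" if spec_major < 3 else "error"
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = TAG.search(line)
        if match:
            for ident in ambiguous_ids(match.group(1)):
                findings.append((level, lineno, ident))
    return findings


# Constructed sample headers, not taken from any real project.
SAMPLE = [
    "// SPDX-License-Identifier: GPL-2.0",
    "/* SPDX-License-Identifier: GPL-2.0+ */",
    "# SPDX-License-Identifier: (GPL-2.0 ONLY OR MIT)",
    "# SPDX-License-Identifier: LGPL-2.1 AND CDDL-1.0+",
]

if __name__ == "__main__":
    for finding in check_source(SAMPLE):
        print(finding)
```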

