Re: update on only/or later etc.

2017-11-28 Thread Philippe Ombredanne
On Mon, Nov 27, 2017 at 5:55 PM, Wheeler, David A  wrote:
> No tool can guarantee that it always determines if "or any later version" 
> applies.
> Certainly not licensee, which is the tool used automatically by GitHub.
> Indeed, licensee generally only looks at the LICENSE file - it doesn't even 
> *try*
> to parse the README file (which it could only do imperfectly anyway).
>
> Oh, and for many developers, the license output from licensee is the *only*
> SPDX data they'll see, because GitHub does that analysis automatically for 
> them
> when they view a project (they don't have to run a tool).  I'd love to see
> licensee improved, but most developers have ZERO interest in all the details
> of a SPDX file anyway; they just want the license expression, and that's it.
> In many places, the *developers* choose the libraries that will be used;
> there are no lawyers to double-check anything.

OK, so GH licensee does not even make a serious attempt at providing
accurate information and instead returns half-baked partial license
information. Despite all the good intentions, I find it quite
irresponsible to then promote this tool globally on a site with such a
viewership.

If this were a C compiler, this would be akin to saying: I will ignore the
function definitions from your header .h files. Once in a while I will
compile a program that may run, though it may not run as you expected.
Often I will crash and now and then I will just destroy your hard
drive. But bear with me and use me anyway, I am "good enough".

I just hope no one would use such a tool to further propagate this
half-baked misinformation when better tools exist out there. I am all
for "good enough" but good enough is only good enough when there is at
least __enough of the good__: otherwise this is counterproductive and
dangerous, especially when widely promoted.

-- 
Cordially
Philippe Ombredanne
___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal


Re: [spdx-tech] Proposed topic for this week's tech call: Extend license expressions to include OR-MAYBE

2017-11-28 Thread W. Trevor King
On Mon, Nov 27, 2017 at 10:17:22PM -0800, Gary O'Neall wrote:
> >   binary-confidence-expression-operator = "AND"
> >   confidence-expression = license-expression space "CONFIDENCE" space "0." 
> > 1*DIGIT
> >   confidence-list = confidence-expression *(space confidence-expression) 
> > [space license-expression]
> >   / confidence-list space 
> > binary-confidence-expression-operator space confidence-list
> >   / license-expression
>
> [G.O.] My preference is for the "OR-MAYBE" approach just due to the
> simplicity.  In the audit use case, it is difficult to assign a
> confidence that has any precision.  The weighting would work for a
> tool where there is some algorithm that results in a weighting or
> confidence measure.

I agree that getting consistent confidence numbers is going to be
hard, and that without that (and maybe even with that), confidence
weights may not be very useful.  But with two license tools returning
confidence-weighted alternatives, I want to make sure we understand
their intended use cases before we commit to backwards-compat for a
binary OR-MAYBE.

Cheers,
Trevor

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


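The ABNF quoted above, as an added example that is not part of this thread or of any SPDX tool: a small Python parser for the proposed confidence-list syntax, together with the lossy down-conversion to the binary OR-MAYBE form that the backwards-compat question is about. It assumes a license-expression is a single SPDX short identifier (the quoted grammar leaves license-expression and space undefined), and the weight sanity check (weights within one list sum to at most 1) is an added assumption, not part of the proposal.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Subset of the ABNF quoted above (transcribed, SP = a single space):
#   confidence-expression = license-expression SP "CONFIDENCE" SP "0." 1*DIGIT
#   confidence-list       = confidence-expression *(SP confidence-expression) [SP license-expression]
#                         / confidence-list SP "AND" SP confidence-list
#                         / license-expression
# Assumption (the quoted grammar does not define license-expression): a
# license-expression is one SPDX short identifier such as "GPL-2.0-only";
# parentheses, OR and WITH are not handled here.

ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+-]*$")
CONF_RE = re.compile(r"^0\.[0-9]+$")
KEYWORDS = {"CONFIDENCE", "AND"}


@dataclass
class Alternative:
    license: str
    confidence: Optional[float]  # None for the trailing unweighted license-expression


@dataclass
class ConfidenceList:
    alternatives: List[Alternative] = field(default_factory=list)


def parse_confidence_list(text: str) -> List[ConfidenceList]:
    """Parse text into AND-ed groups, each a list of weighted alternatives."""
    groups: List[ConfidenceList] = []
    for chunk in text.split(" AND "):
        tokens = chunk.split()
        if not tokens:
            raise ValueError("empty operand next to AND")
        group = ConfidenceList()
        i = 0
        while i < len(tokens):
            lic = tokens[i]
            if lic in KEYWORDS or CONF_RE.match(lic) or not ID_RE.match(lic):
                raise ValueError(f"expected a license identifier, got {lic!r}")
            i += 1
            if i < len(tokens) and tokens[i] == "CONFIDENCE":
                if i + 1 >= len(tokens) or not CONF_RE.match(tokens[i + 1]):
                    raise ValueError(f"CONFIDENCE after {lic} needs a value of the form 0.N")
                group.alternatives.append(Alternative(lic, float(tokens[i + 1])))
                i += 2
            elif i == len(tokens):
                # The grammar allows one unweighted license-expression, only at the end.
                group.alternatives.append(Alternative(lic, None))
            else:
                raise ValueError(f"unweighted {lic!r} is only allowed as the last alternative")
        groups.append(group)
    return groups


def check_weights(groups: List[ConfidenceList]) -> float:
    """Added sanity check, not part of the proposal: weights in one list are read
    as probabilities, so their sum must not exceed 1. Returns the largest sum seen."""
    worst = 0.0
    for group in groups:
        total = sum(a.confidence for a in group.alternatives if a.confidence is not None)
        if total > 1.0 + 1e-9:
            names = [a.license for a in group.alternatives]
            raise ValueError(f"confidence weights sum to {total:.3f} > 1 in {names}")
        worst = max(worst, total)
    return worst


def to_or_maybe(groups: List[ConfidenceList]) -> str:
    """Lossy down-conversion to the binary OR-MAYBE form: weights are dropped,
    so a 0.9/0.1 split and a 0.5/0.5 split become indistinguishable."""
    parts = []
    for group in groups:
        ids = [a.license for a in group.alternatives]
        expr = " OR-MAYBE ".join(ids)
        parts.append(f"({expr})" if len(ids) > 1 and len(groups) > 1 else expr)
    return " AND ".join(parts)


def best_guess(groups: List[ConfidenceList]) -> str:
    """Keep only the highest-weighted alternative per list (unweighted ones score 0)."""
    return " AND ".join(
        max(g.alternatives, key=lambda a: a.confidence or 0.0).license for g in groups
    )


if __name__ == "__main__":
    # Constructed sample: two detections combined with AND.
    sample = "MIT CONFIDENCE 0.9 BSD-3-Clause CONFIDENCE 0.1 AND Apache-2.0 CONFIDENCE 0.75 GPL-2.0-only"
    groups = parse_confidence_list(sample)
    check_weights(groups)
    print(to_or_maybe(groups))
    print(best_guess(groups))
```

Running the block on the constructed sample prints "(MIT OR-MAYBE BSD-3-Clause) AND (Apache-2.0 OR-MAYBE GPL-2.0-only)" followed by "MIT AND Apache-2.0"; the first line is what a consumer that only understands OR-MAYBE would be left with once the weights are gone.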


Re: this likely calls for a new L/GPL "exception"?

2017-11-28 Thread Bradley M. Kuhn
Philippe Ombredanne wrote:
> A similar logic applies to the infamous BSD-4-Clause: if the copyright is
> from the UC Regents, then the 4th clause has been rescinded and this is
> equivalent to a 3 clause aka. a BSD-4-Clause-UC. Otherwise, it is a regular
> 4 clause. The only difference between the two is the copyright holder.

Indeed, that's an excellent example of how an out-of-band statement about
licensing does indeed impact the copyright license of a work and grant
additional permissions from the copyright holder.

I'm now having trouble seeing any implication distinction between UC's
1999-07-22 statement at
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change and the
statement at https://www.redhat.com/en/about/gplv3-enforcement-statement

Can someone explain the distinction that I'm missing?  Why do you consider
the UC statement of license exception legally binding under copyright and the
Red Hat one *not* legally binding under copyright?
--
Bradley M. Kuhn



EDL - Eclipse Distribution License

2017-11-28 Thread Simon Bernard

Hi,

  I would like to know if this could make sense to add the "EDL - 
Eclipse Distribution License" to spdx ?
  I ask the question because it seems this is a 
https://opensource.org/licenses/BSD-3-Clause.

  See : https://eclipse.org/org/documents/edl-v10.php
  But many eclipse projects use it and this could help to identify it 
quickly with tools like spdx.


Thx.

Simon



Re: EDL - Eclipse Distribution License

2017-11-28 Thread Philippe Ombredanne
On Tue, Nov 28, 2017 at 3:32 PM, Simon Bernard  wrote:
> Hi,
>
>   I would like to know if this could make sense to add the "EDL - Eclipse
> Distribution License" to spdx ?
>   I ask the question because it seems this is a
> https://opensource.org/licenses/BSD-3-Clause.
>   See : https://eclipse.org/org/documents/edl-v10.php
>   But many eclipse projects use it and this could help to identify it
> quickly with tools like spdx.

Simon:
I think this has been discussed in the past: this is exactly a
BSD-3-Clause. The only difference is that Eclipse gave it a name.
Since this is the same it did not need to have its own ID.

For instance in the scancode-toolkit (which the Eclipse Foundation
uses for IP due diligence BTW) I used to have an entry for EDL
separate from the BSD. This was leading to randomly returning one or
the other at times and looking really ugly because again they are not
distinguishable. I dropped the EDL then.

-- 
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombreda...@nexb.com
DejaCode - What's in your code?! - http://www.dejacode.com
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com


Re: this likely calls for a new L/GPL "exception"?

2017-11-28 Thread W. Trevor King
On Tue, Nov 28, 2017 at 06:01:36AM -0800, Bradley M. Kuhn wrote:
> Philippe Ombredanne wrote:
> > A similar logic applies to the infamous BSD-4-Clause: if the copyright is
> > from the UC Regents, then the 4th clause has been rescinded and this is
> > equivalent to a 3 clause aka. a BSD-4-Clause-UC. Otherwise, it is a regular
> > 4 clause. The only difference between the two is the copyright holder.
> 
> …
> 
> I'm now having trouble seeing any implication distinction between UC's
> 1999-07-22 statement at
> ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change and the
> statement at https://www.redhat.com/en/about/gplv3-enforcement-statement

Relicensing like these cases would need all copyright holders to sign
off on the change or the change would be incomplete, right?  The Red
Hat post has:

  In the Commitment set forth below, Red Hat uses another approach: we
  commit to apply the cure and reinstatement language of GPLv3 to our
  copyrighted code that is licensed under GPLv2, LGPLv2.1 and LGPLv2
  (except where we are responding to a legal proceeding). We hope that
  other copyright holders who have licensed software under earlier
  versions of GPL and LGPL will follow our lead.

So if a project has Red Hat contributions and third-party
contributions, the project will be ‘GPL-2.0-only WITH GPL-3-cure’ (or
whatever) only if all the other contributors also make the same
commitment.  If one or more of the third-party contributors does not
join on, the project as a whole would be:

  GPL-2.0-only AND GPL-2.0-only WITH GPL-3-cure

and users violating the GPL-2.0-only would be exposed to prosecution
from the unjoined contributors if their copyrighted code was involved.

The FTP link isn't working for me, but there's a purported mirror at
[1].  That has:

  … licensees and distributors are no longer required to include the
  acknowledgement within advertising materials…

which doesn't explicitly spell out “but, while the Regents no longer
require that acknowledgement, other contributors may still require you
to include the acknowledgement”.  Perhaps they hunted down all the
copyright holders and got them on board?  Or they were using a
copyright-assignment CLA, so they're the only copyright holder?

Anyway, while it's nice to have individual copyright holders relax
their requirements, in most projects I've seen it would take a fair
amount of digging to get an exhaustive list of copyright holders.  And
once you had that, you'd still need a clear document listing joiners
(or similar) before you could claim the whole project was covered by
the new exception.  For example, the kernel has a list of individual
copyright holders who have signed off on the enforcement statement
[2].  But that list has ~100 entries (as of v4.15-rc1), and the kernel
has ~23k unique authors (although there may be missing .mailmap
entries leading to duplicate counts, and commit authors are not
necessarily copyright holders anyway).

Still, I have no problem with minting new exceptions or license IDs to
cover these cases, for the folks who want to tilt that windmill ;).

Cheers,
Trevor

[1]: https://www.freebsd.org/copyright/license.html
[2]: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/kernel-enforcement-statement.rst?h=v4.15-rc1#n50



new GPL identifiers

2017-11-28 Thread Zavras, Alexios
Hi all,

May I humbly suggest that, in our new SPDX identifiers for the different cases 
of GPL, we drop the ".0" ?
I mean, to have them like GPL-2-or-later, GPL-3-only, etc.

Obviously the new identifiers of LGPL-2.1 will keep the exact version.

-- zvr -

Intel Deutschland GmbH
Registered Address: Am Campeon 10-12, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Christian Lamprechter
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Generating optional and alt text for titles and bullets

2017-11-28 Thread gary
The tool that generates the license-list-data and spdx.org/licenses website
is currently adding optional tags and var (or alt to use the
license-list-XML term) tags around the title and bullets respectively.  

I found this to be necessary to match the text from the previous license
list text where there were different bullet formats and different title
texts for a small number of licenses.  It should also help consumers of the
license templates do a better job of matching per the license matching
guidelines.

These changes are consistent with the license matching guidelines, however,
I thought I should check with the larger community to see if anyone
disagrees with this approach.

Note that the optional and var texts are highlighted on the web pages.  The
title and bullets will also be highlighted.

The preview website has been updated with these changes:
https://spdx.org/licenses/preview/

Gary

-
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email:   g...@sourceauditor.com




SPDX Legal "feature freeze" until the next release is done

2017-11-28 Thread Michael Dolan
Hi everyone, I spoke to Jilayne late her time as she's traveling this week.
While she's probably too polite to say it, I realize she's very unable to
devote time to new issues right now. As adoption picks up we're finding it
more complicated to move forward. We will have a lot to be proud of for
this next release so let's take a pause on new issues and roll up sleeves
to finish this release.

The goal until the next release goes out is to address current work to get
the XML translation done and tasks required for the release. Any new
debates or issues will have to wait. It's coming to a point where keeping
up with just the traffic on the mailing list is hard to track in addition
to day jobs.

While I realize there are a number of engaging comments and thoughts,
please hold them for after the release. We need to be mindful of the time
demands we're putting on others' participation.

Thanks,

Mike

---
Mike Dolan
VP of Strategic Programs
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322  Skype: michaelkdolan
mdo...@linuxfoundation.org
---