Re: [spdx-tech] various threads on "only" suffix (for GPL)
On Fri, May 26, 2017 at 02:19:14PM -0700, W. Trevor King wrote:
> Digging at this “acceptable” idea a bit more, I'm guessing it's
> something like “adapters may share adapted works under”. But the SPDX
> isn't just about copyleft (e.g. it includes CC-BY-ND-*). I think it
> makes more sense to focus on licenses (just the text, e.g. GPL-2.0)
> and license grants. For example, here are some SPDX License
> Expressions translated into grants:
>
> * GPL-2.0: You can redistribute it and/or modify it under the terms of
>   the GNU General Public License version 2 as published by the Free
>   Software Foundation.
>
> * GPL-2.0+: You can redistribute it and/or modify it under the terms
>   of the GNU General Public License as published by the Free Software
>   Foundation; either version 2 of the License, or (at your option) any
>   later version.
>
> * CC-BY-SA-4.0: This work is licensed under a Creative Commons
>   Attribution-ShareAlike 4.0 International License.
>
>   You can distribute an adaptation under a later version of the CC
>   BY-SA because that's part of the CC-BY-SA-4.0 [1].
>
> * CC-BY-SA-4.0+: This work is licensed under a Creative Commons
>   Attribution 4.0 International License; either version 4.0 of the
>   License, or (at your option) any later version.
>
>   The CC-BY-SA-4.0 tries to grant you that right anyway, but
>   regardless of how you read the CC-BY-SA-4.0, I'm granting you that
>   right directly.

CC BY-SA 4.0 implies that an adaptation can be licensed under a future CC BY-SA 5.0, but the original material can't. If one explicitly said some content was licensed under "CC BY-SA 4.0 or later", it might mean that the originally-received material can be distributed downstream under CC BY-SA 5.0. Thus CC-BY-SA-4.0+ does not mean the same thing as CC-BY-SA-4.0.

The traditional GPL "or later" notice says clearly that the licensee can distribute the original under a later version of the GPL, and that's the concept that seems to be imported in the post-GPLv2/LGPLv2.0 copyleft "open source" licenses that have built-in or-later provisions. (What that actually means, as to unmodified code, may not be clear, which I speculate might be why Creative Commons makes a point of not saying there is any permission to distribute the original material under the later license). I don't know if that point makes a difference as to this discussion though.

There might also be a problem with the way SPDX defines the '+', which as far as I know is this:

"An SPDX License List Short Form Identifier with a unary "+" operator suffix to represent the current version of the license or any later version."

This is *not* really the same as what the traditional GPL "or later" notice says, or is perhaps one of multiple possible legal interpretations of what the traditional GPL "or later" notice says (which I think goes against the whole SPDX philosophy of objective description of license texts).

Richard
Re: [spdx-tech] various threads on "only" suffix (for GPL)
On Fri, May 26, 2017 at 03:15:44PM -0400, Wheeler, David A wrote:
> J Lovejoy:
> > Thanks Bradley. Your point re: other licenses building in a de
> > facto “or later” clause versus the GPL family of licenses leaving
> > the choice to the copyright holders is exactly the thing I wanted
> > to confirm and is also (I think, but need to do more thinking on
> > this) why the GPL family may indeed need its own unique
> > treatment.
> >
> > Deprecating “GPL-2.0” for use of “GPL-2.0-only”, along with the
> > use of the existing “GPL-2.0+” is what I’m leaning towards
>
> Please DO NOT deprecate "GPL-2.0". DO NOT DO THIS. If you do, we'll
> have *exactly* the same problem again in a few years.
>
> We need at least *3* cases. Here they are, with potential
> names/expressions:
> * GPL-2.0-only. I *know* that *only* the GPL version 2.0 is
>   acceptable. I had originally proposed a "!" suffix.
> * GPL-2.0+. I *know* that GPL version 2.0, or later, is acceptable.

How could you know this before GPL-4.0 has been written? Maybe I'm just not clear on what your “acceptable” means.

> * GPL-2.0. I *know* that at least GPL version 2.0 is acceptable
>   (e.g., I found its license text). However, I'm not entirely
>   certain whether or not later versions are acceptable, so I make
>   *no* assertion either way.

If you've audited both GPL-2.0 and GPL-3.0 for your package and want the "or later" language to include GPL-4.0, etc. when they get written, you could say [1]:

  GPL-2.0+ OR GPL-3.0+

but whether you've read the license or deem it “acceptable” seems orthogonal to whether you're granting the “or any later version” choice defined in the GPL (§14 as of GPL 3.0 [2]).

Back in 2013, Mark pointed out that GPL-2.0+ is not a license [3], which means you're not going to be able to distinguish between GPL-2.0+ and GPL-2.0-only (or whatever) by scanning for license text [4]. So I'd rather:

* Leave GPL-2.0 as the license identifier.

* Add '+' and '-only' suffixes to support folks who want to be explicit (e.g. who don't trust readers to be familiar with baked-in + semantics). CC-BY-SA-3.0+ would be a synonym for CC-BY-SA-3.0 [6], but I don't see a problem with that. It would probably be useful to call that out in the wording that forbids the -only suffix for CC-BY-SA-3.0…

* Forbid '-only' for licenses that bake in some forbidding wording (e.g. the “Adapter’s License” conditions in CC-BY-SA-4.0's §3.b [5]). You'd need a formal exception to get around that wording (e.g. CC-BY-SA-4.0 WITH CC-only-this-version-exception) or your own name if the CC's alteration wording would not allow ‘CC-BY-SA-4.0 WITH additional-restrictions’ [7].

Then tools like [4] can cleanly say that they're guessing the appropriate license identifier (e.g. “we found GPL-2.0”), but are not attempting to construct the appropriate license expression for the package (e.g. “this package is GPL-2.0+” or “this package is GPL-2.0[-only]”). To distinguish between *those* you'd need to look for the “or any later version” grant.

Cheers,
Trevor

[1]: https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60
[2]: https://www.gnu.org/licenses/gpl-3.0.txt
[3]: https://lists.spdx.org/pipermail/spdx-legal/2013-October/000949.html
[4]: https://github.com/benbalter/licensee
[5]: https://creativecommons.org/licenses/by-sa/4.0/legalcode
[6]: https://creativecommons.org/share-your-work/licensing-considerations/compatible-licenses/
[7]: https://creativecommons.org/faq/#can-i-change-the-license-terms-or-conditions
RE: [spdx-tech] various threads on "only" suffix (for GPL)
J Lovejoy:
> Thanks Bradley. Your point re: other licenses building in a de facto “or later”
> clause versus the GPL family of licenses leaving the choice to the copyright
> holders is exactly the thing I wanted to confirm and is also (I think, but need
> to do more thinking on this) why the GPL family may indeed need its own
> unique treatment.
>
> Deprecating “GPL-2.0” for use of “GPL-2.0-only”, along with the use of the
> existing “GPL-2.0+” is what I’m leaning towards

Please DO NOT deprecate "GPL-2.0". DO NOT DO THIS. If you do, we'll have *exactly* the same problem again in a few years.

We need at least *3* cases. Here they are, with potential names/expressions:

* GPL-2.0-only. I *know* that *only* the GPL version 2.0 is acceptable. I had originally proposed a "!" suffix.

* GPL-2.0+. I *know* that GPL version 2.0, or later, is acceptable.

* GPL-2.0. I *know* that at least GPL version 2.0 is acceptable (e.g., I found its license text). However, I'm not entirely certain whether or not later versions are acceptable, so I make *no* assertion either way. This appears to be what "GPL-2.0" has become, in some cases, in spite of the spec. Which is why we need a way to mark certainty vs. uncertainty. If you prefer, you could label this "GPL-2.0-at-least", or add a "?" suffix to mean "I don't know if later/other versions are acceptable".

The problem is that while tools can detect the presence of a license, it's often difficult for them to determine if an "or later" clause is valid in some cases. In many cases SPDX is capturing tool output, so we need for there to be a valid expression for tools to output.

My understanding is that some tools that find GPL version 2.0 will currently report "GPL-2.0"... even if a later version is also acceptable... and as a result, "GPL-2.0" is not being interpreted as originally intended. What's more, without a third case, it'll just happen again.

Tools can't easily determine if "or later" applies, and in many cases you do *NOT* need more information than this. It can take a lot of effort ($) to determine if it's really "GPL-2.0-only" or "GPL-2.0+", and if the spec only supports those two options, then that's a problem.. because people are *not* going to spend effort unnecessarily.

If "GPL-2.0" is deprecated, then tools will start reporting "GPL-2.0-only" when they're not sure if later versions apply, because in many cases they can't easily determine it. Then we'll be back to the original problem, where "GPL-2.0-only" may mean "I found GPL 2.0 but maybe later versions will be okay". Ugh.

Since many tools can only determine "at least this version", there needs to be a standard way to report it. Same argument applies to GPL version 3, LGPL, AGPL, and perhaps MPL.

> but again, we need to vet all
> options, think through all possible pros and cons, and ensure a clear path
> (with limited pain) for existing users before coming to a conclusion.

I wholeheartedly agree.

--- David A. Wheeler
Re: [spdx-tech] various threads on "only" suffix (for GPL)
Thanks Bradley. Your point re: other licenses building in a de facto “or later” clause versus the GPL family of licenses leaving the choice to the copyright holders is exactly the thing I wanted to confirm and is also (I think, but need to do more thinking on this) why the GPL family may indeed need its own unique treatment.

Deprecating “GPL-2.0” for use of “GPL-2.0-only”, along with the use of the existing “GPL-2.0+” is what I’m leaning towards, but again, we need to vet all options, think through all possible pros and cons, and ensure a clear path (with limited pain) for existing users before coming to a conclusion.

I think putting this all on a wiki page will be helpful also so that when we reach a decision, we have a better record of what our thinking was and why we ended up the way we did (and avoids searching old email archives ;)

I feel pretty confident we can get there. We have a great community around SPDX generally and I really can’t say enough good things about how active and engaged our legal team has been (even when I’m admittedly a bit “absent”, literally or figuratively).

Jilayne
SPDX Legal Team co-lead
opensou...@jilayne.com

> On May 26, 2017, at 11:54 AM, Bradley M. Kuhn wrote:
>
> Jilayne, I'm glad work is proceeding on this.
>
> J Lovejoy wrote today:
>> In any case, as Kate has already stated - we were just talking about this
>> the other day and thinking through some paths to get to a point of using:
>> "GPL-2.0-only" as the short identifier for when one means exactly that.
>
> As I mentioned, on the spdx-tech list yesterday, folks may also want to
> review the original thread making this proposal back in October 2013:
> https://lists.spdx.org/pipermail/spdx-legal/2013-October/000941.html
> https://lists.spdx.org/pipermail/spdx-tech/2013-October/001965.html
>
>> GPL does not exist in a vacuum, so we need to make sure that either what’s
>> good for the geese is also good for the gander (other licenses, use of
>> SPDX, etc.); or we consider a proposal that treats the GPL family of
>> licenses unique if that’s warranted.
>
> There's a related point that's often purposely obscured by GPL's critics and
> is relevant to this problem that SPDX is now facing. GPL is the *only*
> family of copyleft licenses that permit "-only" decisions by licensors using
> the canonical text of the license.
>
> In other words, other copylefts (such as MPL, CC BY-SA, CDDL, EPL) all
> require licensors to accept a de-facto "or-later" clause, which allows the
> license steward (e.g., Mozilla, Creative Commons, Oracle, Eclipse Foundation)
> to unilaterally relicense all works under their license text without any
> additional permissions from licensors. By default, all non-GPL copylefts are
> "-or-later" (in GPL's parlance). The FSF left the choice of { "-only",
> "-or-later" } where it belongs: with the copyright holders.
>
> Giving more freedom to users (as FSF is wont to do) admittedly sometimes
> complicates the world, and I think that's why the SPDX License List drafters
> surely legitimately feel that this situation makes everything complicated.
> I'm sympathetic to that challenge, which is why I de-lurk when this issue
> comes up to offer assistance from my expertise in this area.
>
> And, I'm thankful that the SPDX team is now facing the issue head-on. I
> understand given the timing it has become tricky because of the "GPL-2.0"
> Identifier has in the intervening years since 2013 become used in the field
> (... but, as David points out in the recent spdx-tech thread, it's often used
> incorrectly).
>
> While I guess the License List team will receive is a radical proposal, I
> suggest deprecating the "GPL-2.0" Identifier entirely (as was done the GPL
> exception-based ones) and creating new "-or-later" and "-only" versions of
> the Identifier to replace it going forward in future versions of SPDX's
> License List.
>
>> In any case, this is a discussion that needs to start with the legal team,
>> as the steward of the SPDX License List, so I’d like to ask that we
>> move/keep the discussion there for the time being.
>
> The original 2013 thread that I mention above was sent to both spdx-tech and
> spdx-legal.
> --
> -- bkuhn
Re: [spdx-tech] various threads on "only" suffix (for GPL)
Jilayne, I'm glad work is proceeding on this.

J Lovejoy wrote today:
> In any case, as Kate has already stated - we were just talking about this
> the other day and thinking through some paths to get to a point of using:
> "GPL-2.0-only" as the short identifier for when one means exactly that.

As I mentioned, on the spdx-tech list yesterday, folks may also want to review the original thread making this proposal back in October 2013:
https://lists.spdx.org/pipermail/spdx-legal/2013-October/000941.html
https://lists.spdx.org/pipermail/spdx-tech/2013-October/001965.html

> GPL does not exist in a vacuum, so we need to make sure that either what’s
> good for the geese is also good for the gander (other licenses, use of
> SPDX, etc.); or we consider a proposal that treats the GPL family of
> licenses unique if that’s warranted.

There's a related point that's often purposely obscured by GPL's critics and is relevant to this problem that SPDX is now facing. GPL is the *only* family of copyleft licenses that permit "-only" decisions by licensors using the canonical text of the license.

In other words, other copylefts (such as MPL, CC BY-SA, CDDL, EPL) all require licensors to accept a de-facto "or-later" clause, which allows the license steward (e.g., Mozilla, Creative Commons, Oracle, Eclipse Foundation) to unilaterally relicense all works under their license text without any additional permissions from licensors. By default, all non-GPL copylefts are "-or-later" (in GPL's parlance). The FSF left the choice of { "-only", "-or-later" } where it belongs: with the copyright holders.

Giving more freedom to users (as FSF is wont to do) admittedly sometimes complicates the world, and I think that's why the SPDX License List drafters surely legitimately feel that this situation makes everything complicated. I'm sympathetic to that challenge, which is why I de-lurk when this issue comes up to offer assistance from my expertise in this area.

And, I'm thankful that the SPDX team is now facing the issue head-on. I understand given the timing it has become tricky because of the "GPL-2.0" Identifier has in the intervening years since 2013 become used in the field (... but, as David points out in the recent spdx-tech thread, it's often used incorrectly).

While I guess the License List team will receive is a radical proposal, I suggest deprecating the "GPL-2.0" Identifier entirely (as was done the GPL exception-based ones) and creating new "-or-later" and "-only" versions of the Identifier to replace it going forward in future versions of SPDX's License List.

> In any case, this is a discussion that needs to start with the legal team,
> as the steward of the SPDX License List, so I’d like to ask that we
> move/keep the discussion there for the time being.

The original 2013 thread that I mention above was sent to both spdx-tech and spdx-legal.
--
-- bkuhn