Re: [spdx-tech] various threads on "only" suffix (for GPL)

2017-05-26 Thread Richard Fontana
On Fri, May 26, 2017 at 02:19:14PM -0700, W. Trevor King wrote:

> Digging at this “acceptable” idea a bit more, I'm guessing it's
> something like “adapters may share adapted works under”.  But the SPDX
> isn't just about copyleft (e.g. it includes CC-BY-ND-*).  I think it
> makes more sense to focus on licenses (just the text, e.g. GPL-2.0)
> and license grants.  For example, here are some SPDX License
> Expressions translated into grants:
> 
> * GPL-2.0: You can redistribute it and/or modify it under the terms of
>   the GNU General Public License version 2 as published by the Free
>   Software Foundation.
> 
> * GPL-2.0+: You can redistribute it and/or modify it under the terms
>   of the GNU General Public License as published by the Free Software
>   Foundation; either version 2 of the License, or (at your option) any
>   later version.
> 
> * CC-BY-SA-4.0: This work is licensed under a Creative Commons
>   Attribution-ShareAlike 4.0 International License.
> 
>   You can distribute an adaptation under a later version of the CC
>   BY-SA because that's part of the CC-BY-SA-4.0 [1].
> 
> * CC-BY-SA-4.0+: This work is licensed under a Creative Commons
>   Attribution 4.0 International License; either version 4.0 of the
>   License, or (at your option) any later version.
> 
>   The CC-BY-SA-4.0 tries to grant you that right anyway, but
>   regardless of how you read the CC-BY-SA-4.0, I'm granting you that
>   right directly.

CC BY-SA 4.0 implies that an adaptation can be licensed under a future
CC BY-SA 5.0, but the original material can't. If one explicitly said
some content was licensed under "CC BY-SA 4.0 or later", it might mean
that the originally-received material can be distributed downstream
under CC BY-SA 5.0. Thus CC-BY-SA-4.0+ does not mean the same thing as
CC-BY-SA-4.0.

The traditional GPL "or later" notice says clearly that the licensee
can distribute the original under a later version of the GPL, and
that's the concept that seems to be imported in the
post-GPLv2/LGPLv2.0 copyleft "open source" licenses that have built-in
or-later provisions. (What that actually means, as to unmodified code,
may not be clear, which I speculate might be why Creative Commons
makes a point of not saying there is any permission to distribute the
original material under the later license).

I don't know if that point makes a difference as to this discussion
though.

There might also be a problem with the way SPDX defines the '+', which
as far as I know is this: "An SPDX License List Short Form Identifier
with a unary "+" operator suffix to represent the current version of
the license or any later version." This is *not* really the same as
what the traditional GPL "or later" notice says, or is perhaps one of
multiple possible legal interpretations of what the traditional GPL
"or later" notice says (which I think goes against the whole SPDX
philosophy of objective description of license texts).

Richard

___
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal


Re: [spdx-tech] various threads on "only" suffix (for GPL)

2017-05-26 Thread W. Trevor King
On Fri, May 26, 2017 at 03:15:44PM -0400, Wheeler, David A wrote:
> J Lovejoy:
> > Thanks Bradley.  Your point re: other licenses building in a de
> > facto “or later” clause versus the GPL family of licenses leaving
> > the choice to the copyright holders is exactly the thing I wanted
> > to confirm and is also (I think, but need to do more thinking on
> > this) why the GPL family may indeed need its own unique
> > treatment.
> > 
> > Deprecating “GPL-2.0” for use of “GPL-2.0-only”, along with the
> > use of the existing “GPL-2.0+” is what I’m leaning towards
> 
> Please DO NOT deprecate "GPL-2.0". DO NOT DO THIS.  If you do, we'll
> have *exactly* the same problem again in a few years.
> 
> We need at least *3* cases.  Here they are, with potential
> names/expressions:
> * GPL-2.0-only.  I *know* that *only* the GPL version 2.0 is
>   acceptable.  I had originally proposed a "!" suffix.
> * GPL-2.0+.  I *know* that GPL version 2.0, or later, is acceptable.

How could you know this before GPL-4.0 has been written?  Maybe I'm
just not clear on what your “acceptable” means.

> * GPL-2.0.  I *know* that at least GPL version 2.0 is acceptable
>   (e.g., I found its license text).  However, I'm not entirely
>   certain whether or not later versions are acceptable, so I make
>   *no* assertion either way.

If you've audited both GPL-2.0 and GPL-3.0 for your package and want
the "or later" language to include GPL-4.0, etc. when they get
written, you could say [1]:

  GPL-2.0+ OR GPL-3.0+

but whether you've read the license or deem it “acceptable” seems
orthogonal to whether you're granting the “or any later version”
choice defined in the GPL (§14 as of GPL 3.0 [2]).

Back in 2013, Mark pointed out that GPL-2.0+ is not a license [3],
which means you're not going to be able to distinguish between
GPL-2.0+ and GPL-2.0-only (or whatever) by scanning for license text
[4].  So I'd rather:

* Leave GPL-2.0 as the license identifier.

* Add '+' and '-only' suffixes to support folks who want to be
  explicit (e.g. who don't trust readers to be familiar with baked-in +
  semantics).

  CC-BY-SA-3.0+ would be a synonym for CC-BY-SA-3.0 [6], but I don't
  see a problem with that.  It would probably be useful to call that
  out in the wording that forbids the -only suffix for CC-BY-SA-3.0…

* Forbid '-only' for licenses that bake in some forbidding wording
  (e.g. the “Adapter’s License” conditions in CC-BY-SA-4.0's §3.b
  [5]).

  You'd need a formal exception to get around that wording
  (e.g. CC-BY-SA-4.0 WITH CC-only-this-version-exception) or your own
  name if the CC's alteration wording would not allow ‘CC-BY-SA-4.0
  WITH additional-restrictions’ [7].

Then tools like [4] can cleanly say that they're guessing the
appropriate license identifier (e.g. “we found GPL-2.0”), but are not
attempting to construct the appropriate license expression for the
package (e.g. “this package is GPL-2.0+” or “this package is
GPL-2.0[-only]”).  To distinguish between *those* you'd need to look
for the “or any later version” grant.

Cheers,
Trevor

[1]: https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60
[2]: https://www.gnu.org/licenses/gpl-3.0.txt
[3]: https://lists.spdx.org/pipermail/spdx-legal/2013-October/000949.html
[4]: https://github.com/benbalter/licensee
[5]: https://creativecommons.org/licenses/by-sa/4.0/legalcode
[6]: https://creativecommons.org/share-your-work/licensing-considerations/compatible-licenses/
[7]: https://creativecommons.org/faq/#can-i-change-the-license-terms-or-conditions

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy




RE: [spdx-tech] various threads on "only" suffix (for GPL)

2017-05-26 Thread Wheeler, David A
J Lovejoy:
> Thanks Bradley.  Your point re: other licenses building in a de facto “or
> later” clause versus the GPL family of licenses leaving the choice to the
> copyright holders is exactly the thing I wanted to confirm and is also (I
> think, but need to do more thinking on this) why the GPL family may indeed
> need its own unique treatment.
> 
> Deprecating “GPL-2.0” for use of “GPL-2.0-only”, along with the use of the
> existing “GPL-2.0+” is what I’m leaning towards

Please DO NOT deprecate "GPL-2.0". DO NOT DO THIS.  If you do, we'll have 
*exactly* the same problem again in a few years.

We need at least *3* cases.  Here they are, with potential names/expressions:
* GPL-2.0-only.  I *know* that *only* the GPL version 2.0 is acceptable.  I had
  originally proposed a "!" suffix.
* GPL-2.0+.  I *know* that GPL version 2.0, or later, is acceptable.
* GPL-2.0.  I *know* that at least GPL version 2.0 is acceptable (e.g., I found
  its license text).  However, I'm not entirely certain whether or not later
  versions are acceptable, so I make *no* assertion either way.  This appears to
  be what "GPL-2.0" has become, in some cases, in spite of the spec.  Which is
  why we need a way to mark certainty vs. uncertainty.  If you prefer, you could
  label this "GPL-2.0-at-least", or add a "?" suffix to mean "I don't know if
  later/other versions are acceptable".

The problem is that while tools can detect the presence of a license, it's 
often difficult for them to determine if an "or later" clause is valid in some 
cases.  In many cases SPDX is capturing tool output, so we need for there to be 
a valid expression for tools to output.  My understanding is that some tools 
that find GPL version 2.0 will currently report "GPL-2.0"... even if a later 
version is also acceptable... and as a result, "GPL-2.0" is not being 
interpreted as originally intended.

What's more, without a third case, it'll just happen again.  Tools can't easily 
determine if "or later" applies, and in many cases you do *NOT* need more 
information than this.  It can take a lot of effort ($) to determine if it's 
really "GPL-2.0-only" or "GPL-2.0+", and if the spec only supports those two 
options, then that's a problem... because people are *not* going to spend effort
unnecessarily.

If "GPL-2.0" is deprecated, then tools will start reporting "GPL-2.0-only" when 
they're not sure if later versions apply, because in many cases they can't 
easily determine it.  Then we'll be back to the original problem, where 
"GPL-2.0-only" may mean "I found GPL 2.0 but maybe later versions will be 
okay".  Ugh.  Since many tools can only determine "at least this version", 
there needs to be a standard way to report it.

Same argument applies to GPL version 3, LGPL, AGPL, and perhaps MPL.

> but again, we need to vet all
> options, think through all possible pros and cons, and ensure a clear path
> (with limited pain) for existing users before coming to a conclusion.

I wholeheartedly agree.

--- David A. Wheeler
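
The distinction drawn in the two messages above, between finding the GPL text and finding an "or any later version" grant, can be shown with a small scanner. This is an added illustration, not part of any message in the thread and not code from licensee or any SPDX tool; the function names, the regexes, the constructed sample inputs and the mapping of a bare version-2 notice to "GPL-2.0-only" are assumptions, and the three output names are the ones proposed in the message above.

```python
import re

# Heading of the licence document itself. The GPL text quotes the "any later
# version" notice as a template, so this heading proves only the text.
LICENSE_HEADING = re.compile(r"GNU GENERAL PUBLIC LICENSE Version (\d+)")
OR_LATER = re.compile(
    r"either version (\d+)(?:\.0)? of the License,? "
    r"or \(at your option\) any later version", re.I)
VERSION_ONLY = re.compile(r"GNU General Public License,? version (\d+)(?:\.0)?\b", re.I)

def normalise(text):
    """Strip comment leaders (#, //, /* * */) and collapse whitespace."""
    text = re.sub(r"^[ \t]*(?:#|//|/?\*+/?)[ \t]?", "", text, flags=re.M)
    return " ".join(text.split())

def spdx_guess(text):
    """Return one of the three identifiers proposed in the thread, or None."""
    flat = normalise(text)
    m = LICENSE_HEADING.search(flat)
    if m:   # licence text found: make no assertion about later versions
        return f"GPL-{m.group(1)}.0"
    m = OR_LATER.search(flat)
    if m:   # explicit "or any later version" grant
        return f"GPL-{m.group(1)}.0+"
    m = VERSION_ONLY.search(flat)
    if m:   # assumption: a grant naming one version and nothing else
        return f"GPL-{m.group(1)}.0-only"
    return None

# Constructed inputs (not taken from any real package).
COPYING_EXCERPT = """\
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991
 [...]
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
"""
HEADER_OR_LATER = """\
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
"""
HEADER_V2 = """\
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
"""

if __name__ == "__main__":
    for name in ("COPYING_EXCERPT", "HEADER_OR_LATER", "HEADER_V2"):
        print(name, "->", spdx_guess(globals()[name]))
```

The first sample is the case that trips naive scanners: the licence file contains the "any later version" wording as a template, so matching that phrase alone would report a grant that nobody made.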



Re: [spdx-tech] various threads on "only" suffix (for GPL)

2017-05-26 Thread J Lovejoy
Thanks Bradley.  Your point re: other licenses building in a de facto “or 
later” clause versus the GPL family of licenses leaving the choice to the 
copyright holders is exactly the thing I wanted to confirm and is also (I 
think, but need to do more thinking on this) why the GPL family may indeed need 
its own unique treatment.

Deprecating “GPL-2.0” for use of “GPL-2.0-only”, along with the use of the
existing “GPL-2.0+” is what I’m leaning towards, but again, we need to vet all 
options, think through all possible pros and cons, and ensure a clear path 
(with limited pain) for existing users before coming to a conclusion.  I think 
putting this all on a wiki page will be helpful also so that when we reach a 
decision, we have a better record of what our thinking was and why we ended up 
the way we did (and avoids searching old email archives ;)

I feel pretty confident we can get there.  We have a great community around 
SPDX generally and I really can’t say enough good things about how active and 
engaged our legal team has been (even when I’m admittedly a bit “absent”, 
literally or figuratively). 

Jilayne

SPDX Legal Team co-lead
opensou...@jilayne.com


> On May 26, 2017, at 11:54 AM, Bradley M. Kuhn  wrote:
> 
> Jilayne, I'm glad work is proceeding on this.
> 
> J Lovejoy wrote today:
>> In any case, as Kate has already stated - we were just talking about this
>> the other day and thinking through some paths to get to a point of using:
>> "GPL-2.0-only" as the short identifier for when one means exactly that.
> 
> As I mentioned, on the spdx-tech list yesterday, folks may also want to
> review the original thread making this proposal back in October 2013:
>  https://lists.spdx.org/pipermail/spdx-legal/2013-October/000941.html
>  https://lists.spdx.org/pipermail/spdx-tech/2013-October/001965.html
> 
>> GPL does not exist in a vacuum, so we need to make sure that either what’s
>> good for the geese is also good for the gander (other licenses, use of
>> SPDX, etc.); or we consider a proposal that treats the GPL family of
>> licenses unique if that’s warranted.
> 
> There's a related point that's often purposely obscured by GPL's critics and
> is relevant to this problem that SPDX is now facing.  GPL is the *only*
> family of copyleft licenses that permit "-only" decisions by licensors using
> the canonical text of the license.
> 
> In other words, other copylefts (such as MPL, CC BY-SA, CDDL, EPL) all
> require licensors to accept a de-facto "or-later" clause, which allows the
> license steward (e.g., Mozilla, Creative Commons, Oracle, Eclipse Foundation)
> to unilaterally relicense all works under their license text without any
> additional permissions from licensors.  By default, all non-GPL copylefts are
> "-or-later" (in GPL's parlance).  The FSF left the choice of { "-only",
> "-or-later" } where it belongs: with the copyright holders.
> 
> Giving more freedom to users (as FSF is wont to do) admittedly sometimes
> complicates the world, and I think that's why the SPDX License List drafters
> surely legitimately feel that this situation makes everything complicated.
> I'm sympathetic to that challenge, which is why I de-lurk when this issue
> comes up to offer assistance from my expertise in this area.
> 
> And, I'm thankful that the SPDX team is now facing the issue head-on.  I
> understand given the timing it has become tricky because the "GPL-2.0"
> Identifier has in the intervening years since 2013 become used in the field
> (... but, as David points out in the recent spdx-tech thread, it's often used
> incorrectly).
> 
> While I guess the License List team will receive this as a radical proposal, I
> suggest deprecating the "GPL-2.0" Identifier entirely (as was done with the GPL
> exception-based ones) and creating new "-or-later" and "-only" versions of
> the Identifier to replace it going forward in future versions of SPDX's
> License List.
> 
>> In any case, this is a discussion that needs to start with the legal team,
>> as the steward of the SPDX License List, so I’d like to ask that we
>> move/keep the discussion there for the time being.
> 
> The original 2013 thread that I mention above was sent to both spdx-tech and
> spdx-legal.
> --
>  -- bkuhn



Re: [spdx-tech] various threads on "only" suffix (for GPL)

2017-05-26 Thread Bradley M. Kuhn
Jilayne, I'm glad work is proceeding on this.

J Lovejoy wrote today:
> In any case, as Kate has already stated - we were just talking about this
> the other day and thinking through some paths to get to a point of using:
> "GPL-2.0-only" as the short identifier for when one means exactly that.

As I mentioned, on the spdx-tech list yesterday, folks may also want to
review the original thread making this proposal back in October 2013:
  https://lists.spdx.org/pipermail/spdx-legal/2013-October/000941.html
  https://lists.spdx.org/pipermail/spdx-tech/2013-October/001965.html

> GPL does not exist in a vacuum, so we need to make sure that either what’s
> good for the geese is also good for the gander (other licenses, use of
> SPDX, etc.); or we consider a proposal that treats the GPL family of
> licenses unique if that’s warranted.

There's a related point that's often purposely obscured by GPL's critics and
is relevant to this problem that SPDX is now facing.  GPL is the *only*
family of copyleft licenses that permit "-only" decisions by licensors using
the canonical text of the license.

In other words, other copylefts (such as MPL, CC BY-SA, CDDL, EPL) all
require licensors to accept a de-facto "or-later" clause, which allows the
license steward (e.g., Mozilla, Creative Commons, Oracle, Eclipse Foundation)
to unilaterally relicense all works under their license text without any
additional permissions from licensors.  By default, all non-GPL copylefts are
"-or-later" (in GPL's parlance).  The FSF left the choice of { "-only",
"-or-later" } where it belongs: with the copyright holders.

Giving more freedom to users (as FSF is wont to do) admittedly sometimes
complicates the world, and I think that's why the SPDX License List drafters
surely legitimately feel that this situation makes everything complicated.
I'm sympathetic to that challenge, which is why I de-lurk when this issue
comes up to offer assistance from my expertise in this area.

And, I'm thankful that the SPDX team is now facing the issue head-on.  I
understand given the timing it has become tricky because the "GPL-2.0"
Identifier has in the intervening years since 2013 become used in the field
(... but, as David points out in the recent spdx-tech thread, it's often used
incorrectly).

While I guess the License List team will receive this as a radical proposal, I
suggest deprecating the "GPL-2.0" Identifier entirely (as was done with the GPL
exception-based ones) and creating new "-or-later" and "-only" versions of
the Identifier to replace it going forward in future versions of SPDX's
License List.

> In any case, this is a discussion that needs to start with the legal team,
> as the steward of the SPDX License List, so I’d like to ask that we
> move/keep the discussion there for the time being.

The original 2013 thread that I mention above was sent to both spdx-tech and
spdx-legal.
--
  -- bkuhn