Hi Philippe, >> PPS: Some of this may not mesh entirely well with the current SPDX licenses >> list state >> (such as expressing "or later versions" generically or how we deal with >> exceptions).
This is the main thesis that is driving this breakout discussion. >> I hope this helps fueling the discussion. Thank you for the extensive list of examples and proposals. They represent the types of scenarios we need to test the solution we are seeking to determine how well we have done. One basic observation - We need to consider how far one can go in constructing an expression that implies some level of legal interpretation. For instance, in one of your examples you noted: >> * gpl-2.0 < mit: I think that the license that applies here is gpl-2.0, >> despite >> being asserted originally as MIT-licensed (possibly because of linking, >> dependencies, code reuse or else). One objective might be: To support the construction of license expressions that represent licensing terms of the pieces that go into building a distributable component (e.g., program) yet allow different organizations the ability to apply their legal interpretation. I do realize this is easier said than done. I see a fair amount of differences among organization in their interpretation of licensing, especially when multiple licenses are present (as you have illustrated below). I hope we can encourage others to present situations they believe the current SPDX licensing mechanism does not easily support. Best, Mark Gisi | Wind River | Senior Intellectual Property Manager Tel (510) 749-2016 | Fax (510) 749-4552 -----Original Message----- From: Philippe Ombredanne [mailto:pombreda...@nexb.com] Sent: Thursday, October 24, 2013 3:39 AM To: Gisi, Mark Cc: SPDX-legal; spdx-t...@lists.spdx.org Subject: Re: Revisiting the SPDX license representation syntax On Tue, Oct 22, 2013 at 6:01 PM, Gisi, Mark <mark.g...@windriver.com> wrote: > In the last SPDX Legal meeting we discussed whether the current SPDX > license representation syntax is sufficient to represent the licensing > terms of most files (e.g., source, library and binary programs). For > example, is the combination of the SPDX license list + current binary > operands (AND and OR) sufficient to describe the licensing of most > programs derived from multiple source and library files, where each is > potentially under a different license. Let me bring my 2 cents to the discussion. A while back I wrote down this little language to compose licenses. The point was to : - make this easy enough for humans and machines to read, write and understand. - have a terse yet expressive way to represent actual licensing in one statement, eventually expressing the complex licenses composition of whole packages. - support factual licenses statements as well as interpretations such as selection from a choice, the fact that some license may apply that were not asserted originally, etc. PS: For most of it there is nothing new there, SPDX does it alright. PPS: Some of this may not mesh entirely well with the current SPDX licenses list state (such as expressing "or later versions" generically or how we deal with exceptions). Here are the basic examples updated to SPDX: * lgpl-2.0 : a single license applies. * apache-2.0 lgpl-2.0 : All the licenses listed apply, space-separated list. (AND is implied as the default operator, CONJUNCTION) * mit & lgpl-2.0 : All licenses listed apply, ampersand-separated list. (explicit AND, CONJUNCTION) * mit | gpl-2.0 : a license choice: either one of the licenses can apply, the choice does not have to be made and can be passed downstream. (CHOICE, OR) * mit ? gpl-2.0 : a disjunctive license choice of mit or gpl-2.0. A choice must be made. (CHOICE, EXCLUSIVE OR, DISJUNCTION) * gpl-2.0 ^ classpath : a license exception or supplemental terms: here, the classpath exception to the gpl-2.0. nb: here we have a slight change with the SPDX license list, where the exception would be just the exception and not the whole gpl-and-classpath taken together as one license.(EXTRA TERMS, EXCEPTION) * gpl-1.0 + : this license version or a later version applies: i.e. gpl-1.0 or later. nb: here the plus sign is not part of the license id, but part of the syntax which is also different from SPDX (OR LATER version) * (apache-1.1 mit gpl-2.0) : a grouping of licenses. This is useful for explicit grouping in complex statements, rather than relying only on eventual operators precedence (GROUP) * ftl [ftl ? gpl-2.0]: a license selection expressed with brackets: here I picked ftl from the disjunctive choice of ftl or gpl. (SELECTION using brackets) * apache-2.0 {mit bsd-3-clause lgpl-3.0} : I think that the primary license is overall apache-2.0 and that other secondary license apply. This is handy to express composite licenses at a package level. (PRIMARY and SECONDARY using braces) * gpl-2.0 < mit: I think that the license that applies here is gpl-2.0, despite being asserted originally as MIT-licensed (possibly because of linking, dependencies, code reuse or else). (INTERPRETATION, INTERACTION) * gpl-2.0 ! commercial : I think that the gpl applies and that the commercial the license id CANNOT apply. Negations are usually aberrations with conflicting terms but I see vendors releasing dual GPL/proprietary making this type of interpretation in supplemental terms often enough. Some proprietary licenses state the opposite explicitly too: this is commercial and cannot be gpl. This rarely of a practical use but may be needed for completeness (NOT, NEGATION) And more complex examples: * apache-1.1 ( mit | gpl-2.0) : apache AND mit or gpl using a grouping of licenses choice. * mpl-1.1 [gpl-2.0 | lgpl-2.1 | mpl-1.1 ]: I picked mpl-1.1 from the choice of mpl, lgpl or gpl. * gpl-2.0 < (mpl-1.1 [gpl-2.0 ? lgpl-2.1 ? mpl-1.1 ]): I think gpl-2.0 applies here despite a selection of mpl-1.1 from a disjunctive choice. * apache 1.1 & bsd-3-clause & (openssl ^ gpl-exception) : apache AND bsd AND (openssl with a gpl-exception taken together) apply. * gpl-2.0 [gpl-2.0 ^ gpl-2.0-with-classpath-exception | cddl-1.0] : I picked gpl-2.0 from a choice of gpl with classpath exception or cddl. * proprietary & {mit bsd-3-clause apache-2.0 gpl-2.0-with-bison-exception}: My primary license is proprietary with MIT, BSD, GPL with bison exception and Apache-licensed code as secondary * lgpl-2.0 [lgpl +] : I picked the v2 of the lgpl out of a choice of any LGPL versions. * gpl-2.0 < (gpl-2.0 | mpl-1.1): I think that the license that applies here is only gpl-2.0, despite being asserted originally as choice of gpl or mpl may be because this code is running in kernel space. I hope this helps fueling the discussion. Cheers -- Philippe Ombredanne +1 650 799 0949 | pombreda...@nexb.com DejaCode Enterprise at http://www.dejacode.com | What's in your software? (sm) nexB Inc. at http://www.nexb.com _______________________________________________ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal
