>> Instead, they rely on the fact that they inherit the global, project-wide >> license as defined in the top >> level README and COPYING files.
Although a global license file is a commonly used approach, I would categorize it as a "bad" practice from a license compliance perspective. It is analogous to programming with global variables which, in most situations, is also considered a bad practice for similar reasons. Global License files are particularly problematic when a lot of code sharing takes place between projects. Consider the following: 1) one project copies a file from another project where the projects are under different licenses; 2) both projects use the global license file approach; and 3) due to lack of good discipline - the license info does not travel with the file Now you have a file with incorrect licensing info. This is a big problem because file sharing, the core activity that fuels the open source movement, occurs in a big way. Including a license notice in every file is, by far, the best practice because the license information travels with the file. There is a reason why high quality disciplined projects include a license notice in every single file (e.g., Apache, Eclipse, Kernel.org, Busybox). By the way, including a COPYING file is a good practice when the sole purpose of the file is to provide a copy of the license. >> My understanding is that this is technically and legally clean as is. Different organizations (e.g., projects, foundations and companies) may reach different technical and legal conclusions on how clean it is. Some organizations may be ok with this interpretation while others may see this as a real problem. All in all, from a compliance perspective - THERE IS NO BETTER PRACTICE THEN INCLUDING A CLEAR LICENSE NOTICE IN EVERY FILE. All other approaches increase the risk of losing key licensing information with the increase in code sharing. Meta tagging should augment an already existing license notice for the sole purpose of automating the generation of an SPDX file for a given project. Mega tagging should NOT serve as a replacement for a license notice. regards, Mark Mark Gisi | Wind River | Senior Intellectual Property Manager Tel (510) 749-2016 | Fax (510) 749-4552 -----Original Message----- From: spdx-tech-boun...@lists.spdx.org [mailto:spdx-tech-boun...@lists.spdx.org] On Behalf Of Wolfgang Denk Sent: Tuesday, December 10, 2013 2:10 AM To: spdx-t...@lists.spdx.org; spdx-legal@lists.spdx.org Subject: SPDX meta-tag for implicit license terms Hello, after converting the U-Boot project to use SPDX meta-tags, we now started working on another Open Source project; here we face a somewhat different situation: a large number of the individual source files do not contain any per-file license header at all. Instead, they rerely on the fact that they inherit the global, project-wide license as defined in the top level README and COPYING files. My understanding is that this is technically and legally clean as is. However, I see a handling problem here: the conversion of the project to use SPDX meta-tags will probably be an incremental process, and there will be some period of time (eventually even a long one) where still files exist that have not been converted yet. I would like to define a way to mark such files where implicit licensing applies, so that we do not have to check these again and again. Of course we could insert a license tag corresponding to the actual project-wide license, but such a modification is considered intrusive by some of affected people. I think it would be better (and easier acceptable by the respective copyright holders) to have some "neutral" SPDX meta-tag that reflects the fact that this file inherits the project's global license terms. Would such a meta-tag be acceptable to the SPDX team? I'm still looking for a good "name" for such a tag; suggestions we have so far include: SPDX-License-Identifier: implicit SPDX-License-Identifier: inherit SPDX-License-Identifier: none SPDX-License-Identifier: - Suggestions and comments welcome... Best regards, Wolfgang Denk -- DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de There is a time in the tides of men, Which, taken at its flood, leads on to success. On the other hand, don't count on it. - T. K. Lawson _______________________________________________ Spdx-tech mailing list spdx-t...@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-tech _______________________________________________ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal
