J Lovejoy:
> Thanks Bradley.  Your point re: other licenses building in a de facto “or later”
> clause versus the GPL family of licenses leaving the choice to the copyright
> holders is exactly the thing I wanted to confirm and is also (I think, but need
> to do more thinking on this) why the GPL family may indeed need its own
> unique treatment.
> 
> Deprecating “GPL-2.0” for use of  “GPL-2.0-only”, along with the use of the
> existing “GPL-2.0+” is what I’m leaning towards....

Please DO NOT deprecate "GPL-2.0". DO NOT DO THIS.  If you do, we'll have 
*exactly* the same problem again in a few years.

We need at least *3* cases.  Here they are, with potential names/expressions:
* GPL-2.0-only.  I *know* that *only* the GPL version 2.0 is acceptable.  I had 
originally proposed a "!" suffix.
* GPL-2.0+.  I *know* that GPL version 2.0, or later, is acceptable.
* GPL-2.0.  I *know* that at least GPL version 2.0 is acceptable (e.g., I found 
its license text).  However, I'm not entirely certain whether or not later 
versions are acceptable, so I make *no* assertion either way.  This appears to 
be what "GPL-2.0" has become, in some cases, in spite of the spec.  Which is 
why we need a way to mark certainty vs. uncertainty.  If you prefer, you could 
label this "GPL-2.0-at-least", or add a "?" suffix to mean "I don't know if 
later/other versions are acceptable".

The problem is that while tools can detect the presence of a license, it's 
often difficult for them to determine if an "or later" clause is valid in some 
cases.  In many cases SPDX is capturing tool output, so we need for there to be 
a valid expression for tools to output.  My understanding is that some tools 
that find GPL version 2.0 will currently report "GPL-2.0"... even if a later 
version is also acceptable... and as a result, "GPL-2.0" is not being 
interpreted as originally intended.

What's more, without a third case, it'll just happen again.  Tools can't easily 
determine if "or later" applies, and in many cases you do *NOT* need more 
information than this.  It can take a lot of effort ($) to determine if it's 
really "GPL-2.0-only" or "GPL-2.0+", and if the spec only supports those two 
options, then that's a problem... because people are *not* going to spend effort 
unnecessarily.

If "GPL-2.0" is deprecated, then tools will start reporting "GPL-2.0-only" when 
they're not sure if later versions apply, because in many cases they can't 
easily determine it.  Then we'll be back to the original problem, where 
"GPL-2.0-only" may mean "I found GPL 2.0 but maybe later versions will be 
okay".  Ugh.  Since many tools can only determine "at least this version", 
there needs to be a standard way to report it.

Same argument applies to GPL version 3, LGPL, AGPL, and perhaps MPL.

> but again, we need to vet all
> options, think through all possible pros and cons, and ensure a clear path
> (with limited pain) for existing users before coming to a conclusion.

I wholeheartedly agree.

--- David A. Wheeler

_______________________________________________
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal