On Mon, Nov 06, 2017 at 09:22:50PM -0700, J Lovejoy wrote: > > On Oct 12, 2017, at 11:31 AM, W. Trevor King <wk...@tremily.us> wrote: > > a. Also add operator-compatibility metadata to each license, so > > tooling can tell if the lack of a versioning operator is a > > sign of an ambiguous grant (e.g. a bare ‘GPL-2.0’) or > > nonsense grant (e.g. ‘NPL-1.0 ONLYy’) [6]. > > JL: I’m not sure what this means, or specifically how we would do > this - are you suggesting we go through the entire license list and > add some kind of info that indicates whether, for example, the > “only” or “+” operators should be used?
Yup. There aren't all that many of them, and we've mostly collected the list already [1]. For the GPL-3, which supports both, I expect something like: $ cat src/GPL-3.0.xml <?xml version="1.0" encoding="UTF-8"?> <SPDXLicenseCollection xmlns="http://www.spdx.org/license";> <license isOsiApproved="true" licenseId="GPL-3.0" name="GNU General Public License v3.0" compatibleWithOnly="true" compatibleWithPlus="true"> … </license> </SPDXLicenseCollection> Or instead of separate compatibleWith* attributes, you could have a single: compatibleWith="+ only" I'm fine either way. > > b. Also add an ‘AMBIGUOUS’ operator [7] so license-expression > > authors can mark in an obvious-to-casual-readers way that > > they were not comfortable making an unambiguous conclusion > > (e.g. ‘GPL-2.0 AMBIGUOUS’). Or maybe > > JL: this idea still makes me really squeamish: if I saw “GPL-2.0 > AMBIGUOUS” what would I think? I don’t think this would be clear at > all as to the meaning and could potentially cause more confusion. I > think we are all aiming to avoid that! Plus, it’s not ambiguous that > GPL, version 2 exists, it’s only unclear as to if the copyright > holder meant to indicate only version 2 or any later version - it’s > a narrow kind of ambiguity… which brings to c: Yes, I'm personally much happier with (c) than with (b). I only listed (b) because it's been proposed before, and it would narrowly solve the “I'm not comfortable applying a versioning operator here, but this license needs one for an unambiguous grant”. > > c. Also add an ‘OR-MAYBE’ operator so license-expression authors > > can mark in an obvious-to-casual-readers way the set of > > license expressions that are still in the running for their > > conclusion [8], even though they haven't narrowed that down > > enough to pick a single one (e.g. ‘GPL-2.0 ONLY OR-MAYBE > > GPL-2.0+’). > > JL: this seems better than b , but I’m not sure how this is > significantly different than simply: GPL-2.0 ONLY OR GPL-2.0+ ? It’s > one of the other, isn’t it? OR means “I understand exactly what the licensor wants. You, the downstream consumer, are allowed to use this content under either of these licenses”. So you could legally use it under the GPL-2.0. Or under the GPL-3.0+. Or under the GPL-3.0. Etc. OR-MAYBE means “I couldn't figure out exactly what the licensor wants. You, the downstream consumer, may be allowed to use this under the GPL-2.0+. Or maybe you're only allowed to use the GPL-2.0, and the author will sue you if you try and use it under the GPL-3.0.” > Adding option B.(as per my previous email): > B. Add “only” to GPL-2.0, add GPL-2.0+ back to the license list as a > separate line item. keep the + operator to be used with other > licenses. This would effectively treat the GNU family licenses > differently, and also makes it so the identifiers always indicate > “only” or “any later version”. I think the CDDL family is, like the GPL family, compatible with both + and only [1]. I'm not excited about special-casing the GPL. > (this only works if FSF can provide guidance as to the bare license > default intent of the license, though). Despite my lack of excitement, I disagree with this point. You can, in the absence of a FSF position, still come to your own conclusion on this case, and I've heard people make cases for GPL-1.0+, GPL-2.0 ONLY, and GPL-2.0+. With either (b)'s AMBIGUOUS or (c)'s OR-MAYBE, you can also represent the “I'm not comfortable making a complete conclusion” sitatuation, while still making it clear that folks who want to use the GPL-2.0 are going to be pretty safe, because it's covered by all the possible conclusions. An official FSF position just lends more weight to one of those conclusions; you can still conclude whatever you want to conclude with or without the FSF. If/when you get a lawsuit, whoever is deciding the case gets to figure out who's most convincing. Cheers, Trevor [1]: https://wiki.spdx.org/view/Legal_Team/later-version-clauses -- This email may be signed or encrypted with GnuPG (http://www.gnupg.org). For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal
