Brad Edmondson [mailto:brad.edmond...@gmail.com] 
> I think your points are good ones, but it seems to me they go to the separate 
> issues of "file:detected license" and "package:concluded license." 
> The clarity of the spec argument is aimed at making the "file:detected 
> license" case more explicit, and if it leaves tools with NOASSERTION for 
> "package:concluded license," then I think that's OK, no?

No, it fails to work for multiple reasons:
1. "NOASSERTION" is basically useless, because it provides no information.  In 
many cases, all I need to know is "there's a version of the GPL here", and I 
can make a decision.  Being able to provide *some* information is often all 
that's needed, while providing *no* information creates a lot of unnecessary 
work for tool users.
2. Tools, lacking sentience, often cannot determine whether or not "or later 
versions" applies.  So they're unable to be "more explicit" in 
package:concluded.  The current structure requires that they conclude either "only 
2.0" or "2.0 or later"... even though tools typically CANNOT make that 
determination.  SPDX should make it possible to report the information *actually* 
available.
3. The majority of SPDX users do not use SPDX files.  Instead, they *only* use 
SPDX license expressions (as available in package managers, file content 
declarations, etc.).  So there's no "file:detected" vs. "package:concluded" 
entries to compare anyway.

--- David A. Wheeler

_______________________________________________
Spdx-legal mailing list
Spdx-legal@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal
