On Tue, Nov 21, 2017 at 5:28 PM, Wheeler, David A <dwhee...@ida.org> wrote:
> J Lovejoy [mailto:opensou...@jilayne.com]:
>> If this is a potential problem once GPL-2.0 is changed to GPL-2.0-only, then
>> it is currently a problem.
>
> Yes indeed, that's my point :-).
>
>> And perhaps by altering the current identifier (GPL-2.0) to be more explicit
>> (GPL-2.0-only) we will expose just how often GPL-2.0 has been used
>> incorrectly.
>
> The tools are currently *required* to be incorrect, because they cannot report
> the information they have ("I have GPL-2.0, and I don't know if 'or later'
> applies").  Neither the proposed "GPL-2.0-only" nor "GPL-2.0+" correctly
> represents the information they have.  Tools will have to output *something*,
> and whatever they produce will dilute in *practice* the strict meanings of
> those license identifiers.

David,

Speaking as the author of a fine license detection engine, I think
this is a red herring.

A license detection result can be: "I am 95% sure this is GPL-2.0-only
but it could be GPL-2.0+: please review me to fill in your
conclusion."

So detection does not have to be binary as in either 100% right or
100% wrong. If a tool can only report red or blue binary results,
that's a possibly fine but weak tool.

For instance, scancode-toolkit can cope with ambiguity alright and
surface this for review when it cannot come up with a definitive
detection answer. Therefore I have no issue whatsoever implementing
Jilayne's comprehensive proposal and I can always output something on
my side.

So since this can be done by one tool alright, this is NOT an issue for
the SPDX spec to worry about and tools should adjust: that's for tool
implementors to cope with ambiguity, not something to specify here.

Please let's keep this spec simple!

-- 
Cordially
Philippe Ombredanne