Trevor, On Sun, Nov 26, 2017 at 7:56 AM, W. Trevor King <wk...@tremily.us> wrote: > On Fri, Nov 24, 2017 at 09:33:23PM +0000, Wheeler, David A wrote: >> Many package managers use SPDX license expressions >> to indicate the package license. E.g., NPM does: >> https://docs.npmjs.com/files/package.json >> by using the "license:" field - which is *NOT* a SPDX license file. >> According to <http://modulecounts.com/>, *just* the NPM ecosystem >> has 550,951 modules as of Nov 24, with 535 new packages a day on >> average. I don't know what percentage of modules have a "license:" >> entry (is someone willing to find out?) - but for discussion, I'll >> guess it's at *least* 10%.. That would mean that there are 55,095 >> NPM packages that use SDPX license expressions. > > But how many of those authors would use a partial-conclusion syntax if > it existed? > > I expect most npm package authors are also core developers for the > packaged software and know the package license. They won't need to be > able to express a partial conclusion. > > Distibution-specific package managers, on the other hand, seem more > likely to be third parties who are not directly related to the > development team. They are more likely to need to express partial > conclusions. Project developers who inherit an ambiguously-licensed > package from some previous authors would be in the same boat. In > those cases, ideally they'd track down the copyright holders and get > to the bottom of the licensing. In the absence of that, they'd want > some way to express their partial conclusions. > > I'm fine with the SPDX deciding that structured partial conclusions > are out of scope, and leaving it to packaging systems, etc. to define > their own (e.g. an array of SPDX license expressions with confidence > scores). Folks who extract license claims from those packages would > have to write per-packaging-system tooling to convert the partial > conclusion into their own format, but that's ok. And if it turns out > to be a problem, anyone can try to talk folks into whatever > partial-conclusion model they prefer. > > I'm also fine with the SPDX defining it's own partial-conclusion model > and syntax, and trying to talk folks into using it where appropriate. > But I don't think the SPDX needs to take that up if it doesn't want > to.
You are making an excellent argument against adding this to the syntax. And I am with you there that it is OK to have it too, but unlikely needed. -- Cordially Philippe Ombredanne +1 650 799 0949 | pombreda...@nexb.com DejaCode - What's in your code?! - http://www.dejacode.com AboutCode - Open source for open source - https://www.aboutcode.org nexB Inc. - http://www.nexb.com _______________________________________________ Spdx-legal mailing list Spdx-legal@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx-legal
