One consideration in this discussion is the practical limits of the legal
team’s capacity.
Adding a new license on the list requires a chunk of work and every license on
the list adds incrementally to the maintenance burden over time. There’s been
some great work done to putting infrastructure in place automate and track, but
processing licenses still involves humans. IMO, there would be more appetite
for broadening the criteria if more folks were getting involved, rolling up
their sleeves and helping to process license requests.
We’re pinched for resources across the board in SPDX, but this is a particular
choke point. The SPDX Legal Group is very welcoming and the leaders are some of
the nicest folks I know.
Phil
On 6/3/19, 5:12 PM, "Spdx-legal@lists.spdx.org on behalf of Kyle Mitchell"
<Spdx-legal@lists.spdx.org on behalf of k...@kemitchell.com> wrote:
On 2019-06-03 20:06, David A. Wheeler wrote:
> Phil Odence:
> > And, also, bear in mind that SPDX can handle any
> > license. Worst case, you identify a local license
> > identifier and include the license. The goal of the
> > license list is to minimize the need to do that, but at
> > the same time, this keeps the list from being a
> > constraint.
>
> For those people who are using the entire SPDX file
> format, that’s absolutely true.
>
> For those who are *only* using SPDX License Expressions
> within a larger context (e.g., within a package
> specification), that doesn’t work. MANY people use ONLY
> the SPDX license expressions.
It's true that many folks only use SPDX for the license
list, to code their own license information in package
manifests. But npm defines its own magic values for
unidentified licenses. Those values function as surrogates
for the "missing pieces" from the broader SPDX XML standard.
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.npmjs.com_files_package.json-23license&d=DwIDaQ&c=DPL6_X_6JkXFx7AXWqB0tg&r=Lagm9_rSjPYjWrFYo1zL4JF-bPtuo7YaHfWyPgsI_Rw&m=0lzIdrRzTIONdga6XuMk0iQ_a1Pk-sI7rqXfdqM6jNg&s=RM4cPzVRO3GPFbuXIqNSzLxez8yclWXpHHTNuDq6xi8&e=
:
> If you are using a license that hasn’t been assigned an
> SPDX identifier, or if you are using a custom license, use
> a string value like this one:
>
> { "license" : "SEE LICENSE IN <filename>" }
>
> Then include a file named <filename> at the top level of
> the package.
>
> ...
>
> Finally, if you do not wish to grant others the right to
> use a private or unpublished package under any terms:
>
> { "license": "UNLICENSED" }
>
> Consider also setting "private": true to prevent
> accidental publication.
I'd strongly recommend that other manifest standards define
magic values, too.
--
Kyle Mitchell, attorney // Oakland // (510) 712 - 0933
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#2613): https://lists.spdx.org/g/Spdx-legal/message/2613
Mute This Topic: https://lists.spdx.org/mt/31872337/21656
Group Owner: spdx-legal+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/Spdx-legal/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
