(responding via email so I can add spdx-legal mailing list; not sure
what mess this will make in Github, so apologies in advance)
On 5/26/22 12:00 AM, Alexios Zavras (zvr) wrote:
Quick couple of comments to @jlovejoy <https://github.com/jlovejoy>
reply above:
Starting from the end, yes, the idea for these private lists is that
they cover licenses not in SPDX License List. But I assume people
might also want to use them for licenses not /currently/ in the SPDX
License List.
that is my understanding too
On the publishing point (3), you are correct in understanding the
problem: given an identifier
|LicenseRef-.mynamespace.com.-LicenseABC|, there has to be an SPDX
Document that uses the "other license info detected" section to say
"hey, for this |LicenseRef-.mynamespace.com.-LicenseABC| the
corresponding text is this".
The two alternatives we have are:
a) people submit this document and we store it in a repo; or
b) people submit the /location/ of this document and we store (the
location) in a repo.
There are obvious pros and cons to both approaches. But I think we just
need to be realistic that (a) may end up requiring some "curation" of
some kind if it's in an SPDX repo.
On that note, it appears that the current submission tool is really just
(b)?
In both cases, the SPDX project will /not/ be checking content like
"someone using a license text that matches a license already on the
SPDX License List" or anything like this. Yes, it would be "bad", but
this can also happen today: someone defining their own |LicenseRef-MIT|.
while you are correct that this could happen today, I still think that
by not checking the content, we almost give greater license.
Look at Philippe's submission, for example, it links to the entire
database of licenses ScanCode has found, which presumably includes all
that are already on the SPDX License List. So already we are not
differentiating well b/w SPDX License List and the point of LicenseRef
(not on SPDX License List).
The SPDX project registers /namespaces/, not what goes within them.
but what goes within them - which I take to mean the specific, full
LicenseRef with namespace and license, plus text of license has to go
somewhere (see above)
Related to checks during registration process (point 4), I believe
everyone until now only talks about automated checks, no human
decision involved. Things like:
* checking whether the namespace is not already registered;
* checking whether the format of the namespace is correct;
* checking whether the URL is valid;
* checking whether the URL resolves to a document;
* checking whether the document is a syntactically correct SPDX
document;
* etc.
do we currently have all the tooling to do all these things? If not, who
is going to develop for the gaps?
—
Reply to this email directly, view it on GitHub
<https://github.com/spdx/spdx-spec/pull/681#issuecomment-1138184754>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGQSU77N2IZTKI5YKTUXITVL4HRPANCNFSM5WEHR7FQ>.
You are receiving this because you were mentioned.Message ID:
<spdx/spdx-spec/pull/681/c1138184...@github.com>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#3130): https://lists.spdx.org/g/Spdx-legal/message/3130
Mute This Topic: https://lists.spdx.org/mt/91357440/21656
Group Owner: spdx-legal+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/Spdx-legal/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
