McCoy's topic reminds me of a question I asked here some time ago: https://lists.spdx.org/g/Spdx-legal/message/2706?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Ccomposite%2C20%2C2%2C0%2C68280619
I wasn't really satisfied with that discussion; I was left feeling that in some situations (perhaps rare in practice, admittedly) there is a loss of useful information when you replace a set of license notice strata in a source file with a conjunctive expression in an SPDX-License-Identifier: statement. McCoy's question seems to be a little different though. Richard On Wed, Jul 6, 2022 at 10:29 AM Steve Winslow <swins...@gmail.com> wrote: > > If I'm following the discussion correctly, I'd agree with Warner here. > > If I take code that I received under BSD-2-Clause and I redistribute it under > MIT, I'm really redistributing it under MIT subject to the requirements of > the original BSD-2-Clause license under which I received it. I'd say that > BSD-2-Clause doesn't give me the right to "relicense" the code in the sense > of eliminating the inbound requirements and applying a fully different > license in its place. > > Rather, BSD-2-Clause allows me to redistribute under different terms as long > as I also comply with the BSD-2-Clause obligations; and the same would apply > to any downstream recipient of the code. In SPDX license expression terms, > I'd describe the resulting license as "MIT AND BSD-2-Clause". (And subject of > course to Warner's very good point, about whether in any particular case > you're using a sufficiently copyrightable amount of the BSD-2-Clause code > such that you need a license under applicable copyright laws.) > > In terms of how to express this in source code files: I could see a couple of > different ways to do so: > > 1. You could just include a single comment header at the top of the file with > "SPDX-License-Identifier: MIT AND BSD-2-Clause" > > 2. Or if you wanted to be more specific about the particular portions of the > code, you could use "SPDX-License-Identifier: MIT" at the top of the file, > and then Snippet Tags [0] with "SPDX-License-Identifier: BSD-2-Clause" within > the specific marked snippet of code which is subject to that license. > > Steve > > [0] Newly added in SPDX 2.3; see > https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/file-tags.md#h3-snippet-tags-format- > > On Wed, Jul 6, 2022 at 10:08 AM Warner Losh <i...@bsdimp.com> wrote: >> >> >> >> On Wed, Jul 6, 2022 at 5:48 AM McCoy Smith <mc...@lexpan.law> wrote: >>> >>> No, that’s not really my issue. I believe the logical operators and the >>> ability to designate file-level licenses in SPDX handle your situation. >>> >>> I’m talking about using SPDX to provide a copy of the terms of a license >>> which don’t apply, but which nevertheless must be provided per the license >>> itself. As is required in BSD/MIT/Apache (as well as copyleft licenses, but >>> that’s really not applicable to my circumstances since copyleft requires >>> the license terms be provided, *and* be applied) >> >> >> What makes you think they don't apply? If you have to reproduce the notice, >> the terms apply. You can't just take code and change the license without the >> permission of the copyright holders/owners/etc. As an author of BSD code, I >> for one would strongly and strenuously object to this sort of thing were it >> done to my code. Either you used enough code that the terms apply (you >> created a derived work and have to comply) or you didn't (you created a new >> enough work the terms do not apply and you don't need to comply). If it >> applies, it is an AND. If it doesn't apply, I'd say it's outside the scope >> of SPDX. There is no "provide the notice but doesn't comply" option that I'm >> aware of in copyright law. >> >> So, I don't think legally there's this halfway thing that you are >> suggesting, but I'm going to let others on the list opine about that as I'm >> not an attorney. I've just been doing this for the last 30 years and have >> been FreeBSD's licensing expert for much of that time. >> >> Warner >>> >>> >>> >>> From: s...@lists.spdx.org <s...@lists.spdx.org> On Behalf Of Shawn Clark >>> Sent: Tuesday, July 5, 2022 10:48 AM >>> To: s...@lists.spdx.org >>> Cc: SPDX-legal <spdx-legal@lists.spdx.org> >>> Subject: Re: [spdx] Specific SPDX identifier question I didn't see >>> addressed in the specification >>> >>> >>> >>> I have spent a lot of time contemplating the question, but want to confirm >>> I'm thinking about the same thing: >>> >>> >>> >>> Are you talking about the nature of open source requiring (such as in a >>> requirements.txt) other open source code/components that ultimately mean >>> the terms of several licenses would apply to the top level software package >>> (such as the total python package)? And how to include those identifiers in >>> spdx, either as a requirement of the open source license, or as a >>> pass-through of a license (such as lgpl/gpl)? >>> >>> >>> >>> I have thoughts on the topic but wanted to confirm before I ramble on about >>> it 😁 I may be off the rails here. >>> >>> >>> >>> Cheers! >>> >>> -Shawn Clark >>> >>> Michigan Attorney, P79081 >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> On Fri, Jul 1, 2022, 4:17 PM McCoy Smith <mc...@lexpan.law> wrote: >>> >>> Well the example is the reverse: inbound BSD-2-Clause, outbound MIT. >>> >>> I’m more thinking license identifiers that go with the code (since I think >>> for most folks that’s where they do license attribution/license copy >>> requirements). >>> >>> But obviously the issue/problem is more generic given that some permissive >>> licenses allow the notice to be in either (or in some cases require in >>> both) the source or documentation. >>> >>> >>> >>> From: s...@lists.spdx.org <s...@lists.spdx.org> On Behalf Of J Lovejoy >>> Sent: Friday, July 1, 2022 1:11 PM >>> To: SPDX-legal <spdx-legal@lists.spdx.org> >>> Subject: Re: [spdx] Specific SPDX identifier question I didn't see >>> addressed in the specification >>> >>> >>> >>> Hi McCoy! >>> >>> >>> >>> I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that >>> is the right place for this discussion. >>> >>> >>> >>> Where is this question coming up in terms of context? That is, are you >>> thinking in the context of an SPDX document and capturing the licensing >>> info for a file that is under MIT originally but then redistributed under >>> BSD-2-Clause? Or are you thinking in the context of using an SPDX license >>> identifiers in the source files? >>> >>> >>> >>> Thanks, >>> >>> Jilayne >>> >>> >>> >>> On Jul 1, 2022, at 12:01 PM, McCoy Smith <mc...@lexpan.law> wrote: >>> >>> >>> >>> I didn’t see this particular topic addressed in the specification (although >>> I’m happy to be correcedt if I missed it), so I thought I’d post and see >>> whether there is a solution that’s commonly used, or if there’s room for a >>> new identifier. >>> >>> >>> >>> Virtually all so-called “permissive” licenses permit the recipient of code >>> to license out under different terms, as long as all the requirements of >>> the in-bound license are met. In almost all of these permissive licenses >>> those requirement boil down to: >>> >>> Preserve all existing IP notices (or in some cases, just copyright notices) >>> Provide a copy of the license (or something to that effect: retaining “this >>> permission notice” (ICU/Unicode/MIT) or “this list of conditions” (BSD) or >>> providing “a copy of this License” (Apache 2.0)) >>> >>> >>> >>> The rules around element 1 and SPDX are well-described. >>> >>> With regard to element 2, a fully-compliant but informative notice when >>> there is a change from the in-bound to the out-bound license would look >>> something like this (with the square bracketed part being an example of a >>> way to say this): >>> >>> >>> >>> SPDX-License-Identifier: MIT >>> >>> [This file/package/project contains code originally licensed under:] >>> >>> SPDX-License-Identifier: BSD-2-Clause >>> >>> >>> >>> The point being to express that the outbound license is MIT, but in order >>> to fully comply with the requirements of BSD-2-Clause, one must retain “ >>> this list of conditions and the following disclaimer” which including a >>> copy of BSD-2-Clause accomplishes. Without the square bracketed statement >>> above, it seems confusing as to what the license is (or whether, for >>> example, the code is dual-licensed MIT AND BSD-2-Clause. >>> >>> >>> One way to do this I suppose is to use the LicenseComment: field to include >>> this information, but it seems to me that this is enough of a common >>> situation that there ought to be something more specific to address this >>> situation. >>> >>> >>> >>> Thoughts? Am I missing something? >>> >>> > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#3170): https://lists.spdx.org/g/Spdx-legal/message/3170 Mute This Topic: https://lists.spdx.org/mt/92118585/21656 Group Owner: spdx-legal+ow...@lists.spdx.org Unsubscribe: https://lists.spdx.org/g/Spdx-legal/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
