Dear Scott,

In message <36b44e6fbcd79f48b50fd2e0122f7dce3bab2...@g9w0766.americas.hpqcorp.net> you wrote:
>
> I applaud your efforts in the u-boot project to clean up the
> licensing and make a clear choice using the spdx license tag;

Thanks!

> however
> I'm not convinced that all projects would be willing or even able to
> do that and therefore I stand pretty firm in my opinion that it
> shouldn't be a requirement to do so -- perhaps a recommendation or
> best practice. IMO, there's still a lot of value in adding the tags
> because they will enable automated production of SPDX and required
> notices.

I agree. Especially for smaller projects with a more homogeneous code
base there is probably not so much benefit to switch. On the other
hand, in complex projects (like U-Boot, which borrows code from a lot
of other projects, including for example the Linux kernel, BusyBox,
libfdt, YAFFS, ...) we may be faced with a mix of different license
terms. If such code is used in commercial projects (where things like
license clearing reports become an issue), the change can greatly
reduce the effort for any such license audits.

Actually I wonder if we should not take the idea even a step further.
So far we only focus on the license terms of the source code.
However, U-Boot is very flexible to configure, and as is, it is not
trivial to tell if a specific piece of code actually gets linked into
the final product. I wonder if we should turn the comment as we have
it now into actual code, i.e. into a macro that compiles the license
ID into the generated object file. We could easily make the linker
combine identical tags into a single entry, so the total memory
overhead would be minimal - but then it would be possible to easily
find out which components have actually been built into the final
product, so which licenses apply to that. You don't have to bother
about license terms for code that you don't actually use in your
product, right?

And there is another topic that's on my mind. License terms for the
source code are one thing, but there is additional information that
may be relevant when releasing a product, for example (known) patents
or other intellectual property rights that may apply.

For example, despite the fact that all code to implement FAT/VFAT
file system support is licensed under GPL-2.0+ in U-Boot, we know
that Microsoft holds patents on parts of that technology, which may
become an issue if you include VFAT support in your product.

Should we also add similar tags to list known patents etc.? For
example, the FAT code could be augmented like that:

    SPDX-Patent-Notice: US5,579,517 US5,758,352 US5,745,902 US6,286,013 EP0618550

[Of course I'm not sure if SPDX would cover such an entry; I'm just
interested in feedback for the general idea.]

> I do wonder however if the tag should contain some link or
> reference to the actual license text as discussed in some of the
> other replies to this post. I actually don't like the idea of a link
> because there's really no guarantee it survives the lifespan of the
> code. This suggests to me that centralizing the license text (e.g in
> the root directory or license subdirectory) and some sort of
> reference to the file level tagging needs to be part of our
> recommendation or best practice.

I fully agree that just providing a URL to the (current) location of
a license is not sufficient, as we have zero control of the location
or content of such documents - they may disappear or be modified any
time, which would leave the license terms of our project undefined.

I think it is mandatory to include a verbatim copy of the applicable
license texts as part of the source code of the project.

> Thanks for your feedback and helping us "blaze the trail" on this initiative.

Thanks for picking it up - I'm glad to see things get rolling!

Best regards,

Wolfgang Denk

--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
"An organization dries up if you don't challenge it with growth."
- Mark Shepherd, former President and CEO of Texas Instruments
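
The macro idea raised in the message above (compile the license ID into the object file and let the linker merge identical tags), sketched as an added example that is not code from the original post or from U-Boot. It assumes GCC or Clang producing ELF with a GNU-compatible linker; `SPDX_LICENSE_TAG`, the section name `spdx_license_tags` and the helper functions are hypothetical.

```c
/* Added illustration, not U-Boot code. Assumes GCC or Clang, ELF output
 * and a GNU-compatible linker. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define SPDX_PREFIX "SPDX-License-Identifier: "

/* Emit the tag into a mergeable string section (flags "aMS", entry size 1)
 * so that the linker keeps a single copy of each distinct identifier. */
#define SPDX_LICENSE_TAG(id)                                        \
    __asm__(".pushsection spdx_license_tags,\"aMS\",%progbits,1\n"  \
            ".asciz \"" SPDX_PREFIX id "\"\n"                       \
            ".popsection\n")

/* Constructed stand-ins for three source files linked into one image. */
SPDX_LICENSE_TAG("GPL-2.0+");
SPDX_LICENSE_TAG("GPL-2.0+");
SPDX_LICENSE_TAG("BSD-3-Clause");

/* Section bounds the linker defines for C-identifier section names. */
extern const char __start_spdx_license_tags[], __stop_spdx_license_tags[];

/* Return the tag after 'prev' (NULL for the first), or NULL at the end. */
static const char *spdx_next(const char *prev)
{
    const char *p = prev ? prev + strlen(prev) + 1 : __start_spdx_license_tags;
    while (p < __stop_spdx_license_tags && *p == '\0')
        p++;                            /* skip padding, if any */
    return p < __stop_spdx_license_tags ? p : NULL;
}

/* Count linked tags equal to 'id'; with id == NULL, count all distinct tags. */
int spdx_count(const char *id)
{
    int n = 0;
    for (const char *t = spdx_next(NULL); t; t = spdx_next(t))
        if (!id || strcmp(t + strlen(SPDX_PREFIX), id) == 0)
            n++;
    return n;
}

int main(void)
{
    for (const char *t = spdx_next(NULL); t; t = spdx_next(t))
        puts(t);                        /* print the license inventory */
    return 0;
}
```

Running `readelf -p spdx_license_tags` on the linked image shows the same inventory without executing it.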