Wolfgang,

"I wonder if we should turn the comment as we have it now into actual code,
i.e. into a macro that compiles the license ID into the generated object file.
We could easily make the linker combine identical tags into a single entry, so
the total memory overhead would be minimal - but then it would be possible to
easily find out which components have actually been built into the final
product, so which licenses apply to that.  You don't have to bother about
license terms for code that you don't actually use in your product, right?"

Ed (can't remember his last name) from Cisco actually prototyped this and did 
some real examples. He was also capturing the copyrights I believe which did 
make the memory requirements somewhat higher. If we only captured license 
information it would be doable but we would have to decide that the copyright 
info in there was something we could do without or get a different way. Maybe 
we can get Ed to re-post his work. I agree it was nice and solved some thorny 
issues.

"Should we also add similar tags to list known patents etc.?  For example, the
FAT code could be augmented like that:"

Interesting tag. I know Yocto does something similar with packages and warning
that there might be patents in an area. I don't recall the exact language and
I'm pretty sure they don't list a specific patent but use an mp3 codec and you
will see it :). It's useful.

I agree there could be more tags as you suggest. This is one reason why I left 
the door open on the wiki page for that. As an example I would like to see one 
to capture license exceptions. As an example consider FreeRTOS. It could say as 
an example:

SPDX-License-Identifier: GPL-2.0  
SPDX-License-Exception: "The modification to the GPL is included to allow you
to distribute a combined work that includes FreeRTOS without being obliged to
provide the source code for proprietary components outside of the FreeRTOS
kernel."

It seems as though we are reaching some consensus on the Identifier and that
we should be considering other tags as well? I will try and summarize so I can
update the wiki page.


Jack

-----Original Message-----
From: Wolfgang Denk [mailto:w...@denx.de] 
Sent: Thursday, October 10, 2013 6:43 AM
To: Lamons, Scott (Open Source Program Office)
Cc: Manbeck, Jack; Jilayne Lovejoy; spdx-tech@lists.spdx.org; Meier, Roger; 
SPDX-biz; SPDX-legal
Subject: Re: meta-tag page

Dear Scott,

In message 
<36b44e6fbcd79f48b50fd2e0122f7dce3bab2...@g9w0766.americas.hpqcorp.net> you 
wrote:
> 
> I applaud your efforts in the u-boot project to clean up the 
> licensing and make a clear choice using the spdx license tag;

Thanks!

>                                                               however 
> I'm not convinced that all projects would be willing or even able to 
> do that and therefore I stand pretty firm in my opinion that it 
> shouldn't be a requirement to do so -- perhaps a recommendation or 
> best practice. IMO, there's still a lot of value in adding the tags 
> because they will enable automated production of SPDX and required 
> notices.

I agree.  Especially for smaller projects with a more homogenous code base 
there is probably not so much benefit to switch.  On the other hand, in complex 
projects (like U-Boot, which borrows code from a lot of other projects, 
including for example the Linux kernel, BusyBox, libfdt, YAFFS, ...) we may be 
faced with a mix of different license terms.  If such code is used in 
commercial projects (where things like license clearing reports become an 
issue), the change can greatly reduce the effort for any such license audits.


Actually I wonder if we should not take the idea even a step further.
So far we only focus on the license terms of the source code.
However, U-Boot is very flexible to configure, and as is, it is not trivial to
tell if a specific piece of code actually gets linked into the final product.
I wonder if we should turn the comment as we have it now into actual code,
i.e. into a macro that compiles the license ID into the generated object file.
We could easily make the linker combine identical tags into a single entry, so
the total memory overhead would be minimal - but then it would be possible to
easily find out which components have actually been built into the final
product, so which licenses apply to that.  You don't have to bother about
license terms for code that you don't actually use in your product, right?


And there is another topic that's on my mind.  License terms for the source 
code are one thing, but there is additional information that may be 
relevant when releasing a product, for example (known) patents or other 
intellectual property rights that may apply.  For example, despite the fact 
that all code to implement FAT/VFAT file system support is licensed under 
GPL-2.0+ in U-Boot, we know that Microsoft holds patents on parts of that 
technology, which may become an issue if you include VFAT support in your 
product.

Should we also add similar tags to list known patents etc.?  For example, the 
FAT code could be augmented like that:

SPDX-Patent-Notice: US5,579,517 US5,758,352 US5,745,902 US6,286,013 EP0618550

[Of course I'm not sure if SPDX would cover such an entry; I'm just interested 
in feedback for the general idea.]


>          I do wonder however if the tag should contain some link or 
> reference to the actual license text as discussed in some of the other 
> replies to this post. I actually don't like the idea of a link because 
> there's really no guarantee it survives the lifespan of the code. This 
> suggests to me that centralizing the license text (e.g in the root 
> directory or license subdirectory) and some sort of reference to the 
> file level tagging needs to be part of our recommendation or best 
> practice.

I fully agree that just providing a URL to the (current) location of a license 
is not sufficient, as we have zero control of the location or content of such 
documents - they may disappear or be modified any time, which would leave the 
license terms of our project undefined.
I think it is mandatory to include a verbatim copy of the applicable license 
texts as part of the source code of the project.

> Thanks for your feedback and helping us "blaze the trail" on this initiative.

Thanks for picking it up - I'm glad to see things get rolling!

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
"An organization dries up if you don't challenge it with growth."
       - Mark Shepherd, former President and CEO of Texas Instruments
_______________________________________________
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech
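
Added example, not from either message and not U-Boot code: one way the macro idea discussed above could look with GCC or Clang on an ELF target, storing each license ID string in a dedicated section and then asking the linked image which IDs it actually contains. The names `SPDX_LICENSE_TAG`, `spdx_tags` and `DEMO_WITH_OPTIONAL` are assumptions, the component tags are constructed, and linker-level merging of identical tags (which needs a mergeable string section) is not set up here.

```c
#include <stdio.h>
#include <string.h>
#define SPDX_CAT_(a, b) a##b
#define SPDX_CAT(a, b)  SPDX_CAT_(a, b)
/* Hypothetical macro: stores the ID string itself in ELF section "spdx_tags".
 * "used" keeps the unreferenced array; aligned(1) keeps entries packed. */
#define SPDX_LICENSE_TAG(id)                                      \
    static const char SPDX_CAT(spdx_tag_, __LINE__)[]             \
        __attribute__((used, aligned(1), section("spdx_tags"))) = id

/* Constructed stand-ins for the source files of one firmware image. */
SPDX_LICENSE_TAG("GPL-2.0+");      /* component A */
SPDX_LICENSE_TAG("GPL-2.0+");      /* component B */
SPDX_LICENSE_TAG("BSD-3-Clause");  /* component C */
#ifdef DEMO_WITH_OPTIONAL          /* hypothetical config switch, off here */
SPDX_LICENSE_TAG("LGPL-2.1+");     /* not compiled, so absent from the image */
#endif
/* GNU ld and lld define these bounds for a section named like a C identifier. */
extern const char __start_spdx_tags[], __stop_spdx_tags[];

/* First tag at or after p, skipping NUL terminators and padding; NULL at end. */
static const char *spdx_next(const char *p)
{
    while (p < __stop_spdx_tags && *p == '\0')
        p++;
    return p < __stop_spdx_tags ? p : NULL;
}
#define SPDX_FOR_EACH(p) \
    for (const char *p = spdx_next(__start_spdx_tags); p; p = spdx_next(p + strlen(p)))

int spdx_tag_count(void)            /* tag instances, duplicates included */
{
    int n = 0;
    SPDX_FOR_EACH(p) n++;
    return n;
}

int spdx_has(const char *id)        /* 1 if this license ID is in the image */
{
    SPDX_FOR_EACH(p) if (strcmp(p, id) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("%d tags; GPL-2.0+ %d, BSD-3-Clause %d, LGPL-2.1+ %d\n", spdx_tag_count(),
           spdx_has("GPL-2.0+"), spdx_has("BSD-3-Clause"), spdx_has("LGPL-2.1+"));
    return 0;
}
```

On a built binary the same strings can be listed without running it, for example with `readelf -p spdx_tags <binary>`.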
