I agree that it’d be better to expressly define “or later” in the SPDX 
specification itself.

Something like this:

SPDX licenses are constructed as follows:

LICENSE_ROOT_NAME [ “-” VERSION [“-only” | “-or-later”]]

The SPDX license expression suffix operator “+” and the SPDX license suffix 
“-or-later” both mean that the license, as identified by the 
LICENSE_ROOT_NAME, can be version VERSION or later.

Certain SPDX licenses expressly include “-only” or “-or-later” to prevent 
ambiguity.

--- David A. Wheeler



From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Vladimir 
Sitnikov
Sent: Monday, June 24, 2019 9:32 AM
To: Alexios Zavras <alexios.zav...@intel.com>; Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] "Or later" operator is not well defined

Alexios>The same way that in Unicode the sequence of [U+03C0 GREEK SMALL LETTER 
PI] and [U+0301 COMBINING ACUTE ACCENT] is permitted (syntactically valid) but 
meaningless (semantically invalid), in SPDX license expression grammar you can 
have “MIT+”.

I am sure you are aware of Unicode Normalization Forms (see 
https://unicode.org/reports/tr15/ )
I am sure you are aware that SPDX misses "normalization forms".

It looks like you are using the MIT+ example as a way to say that "SPDX does not 
need any definition of or-later operator".

I agree MIT+ does not make much sense, and it would hardly be used in real 
life.
If MIT+ happens in real code, then it would be better that the software 
just fail and ask a human.

However, GPL-2.0+ could easily be present in real life, and it is really 
sad that SPDX provides no clue to interpret that.

Alexios>If you start disallowing “MIT+”, where will you stop? Is 
“GPL-2.0-only AND GPL-3.0-only” a semantically meaningful expression?

I don't really care. What I care about is the way to mechanically interpret an 
"or later" expression.

For instance: "GPL-2.0-only AND GPL-3.0-only".
This expression falls under "category X" for ASF policy 
(https://www.apache.org/legal/resolved.html) because GPL-2.0-only is "category 
X", and "GPL-3.0-only" is "category X".
"X and X" produces X, which means that the dependency can't be used in ASF projects.

I don't need to know if the expression makes sense or not. I can just 
mechanically evaluate the expression and check if it is "category A, B or X".
However, "or-later" breaks that. I can't really do the check of "GPL-2.0+" 
because the standard provides no meaning to "or-later".

Alexios>If your question was specifically about the equivalence of “GPL-2.0+” 
and “GPL-2.0-or-later”, this is not stated explicitly anywhere, since it is 
implied by the definition of the operator.

I'm afraid you are wrong here.
The SPDX standard does not specify what "a version" of a license is.
The SPDX standard does not specify the way to compare versions, so there is NO way 
to tell which version is "later".

There can be no "implied" definition. The definition has to be in the standard.

Vladimir
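
The mechanical check described in the quoted message, as an added example that is not part of either message or of any SPDX or ASF tooling: it evaluates an expression to an ASF category and stops for a human on any "+" term. The names `classify` and `NeedsHuman` are hypothetical, the category table is a constructed partial sample, treating OR as "best category wins" is an assumption, and WITH is not handled.

```python
import re

# Constructed, partial table: SPDX id -> ASF category (A allowed, B allowed
# with conditions, X not allowed). The GPL rows are the ones the thread names.
CATEGORY = {"Apache-2.0": "A", "MIT": "A", "MPL-2.0": "B",
            "GPL-2.0-only": "X", "GPL-3.0-only": "X"}
RANK = {"A": 0, "B": 1, "X": 2}

class NeedsHuman(Exception):
    """The expression cannot be classified mechanically."""

def classify(expr):
    tokens = re.findall(r"[()]|[^\s()]+", expr) + [None]  # None = end marker
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            cat = chain("OR")
            if take() != ")":
                raise NeedsHuman("missing ')'")
            return cat
        if tok in (None, ")", "AND", "OR"):
            raise NeedsHuman("malformed expression")
        if tok.endswith("+"):  # no version ordering is defined, so stop here
            raise NeedsHuman(f"{tok}: 'or later' has no defined meaning")
        if tok not in CATEGORY:
            raise NeedsHuman(f"{tok}: not in the category table")
        return CATEGORY[tok]

    def chain(op):
        # AND binds tighter than OR. AND keeps the worst category; OR keeps
        # the best one (assumption: the licensee may pick either side).
        operand, pick = (atom, max) if op == "AND" else (lambda: chain("AND"), min)
        cat = operand()
        while tokens[pos] == op:
            take()
            cat = pick(cat, operand(), key=RANK.get)
        return cat

    result = chain("OR")
    if tokens[pos] is not None:
        raise NeedsHuman("trailing tokens")
    return result
```
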

