Hi Philippe, (I mistyped the spdx-tech address, fixed here)
~ Philippe Ombredanne [2021-07-28 12:04 +0200]: > On Wed, Jul 28, 2021 at 11:01 AM Max Mehl <max.m...@fsfe.org> wrote: >> In the scope of REUSE we've noticed [^1] that just providing LPGL-3.0* – >> as downloaded from SPDX – in a repo does not suffice as it requires its >> mother license, GPL-3.0*. LGPL could be seen as an exception to GPL, but >> it's not treated as such by the FSF. >> >> Matija and I discussed that with FSF and the different options we have >> to suit SPDX, REUSE and other downstreams. We found a compromise: there >> is now an officially acknowledged license text that contains both >> LGPL-3.0 and GPL-3.0: >> >> https://www.gnu.org/licenses/lgpl+gpl.txt > > Has this been discussed publicly? The ticket in the reuse-tool is public, the discussions with FSF were private with John Sullivan and Donald Robertson. >> Now my request: can we get this combined version into SPDX' license list >> data, e.g. [^2]? >> [^1]: https://github.com/fsfe/reuse-tool/issues/86 >> [^2]: >> https://github.com/spdx/license-list-data/blob/master/text/LGPL-3.0-or-later.txt > > I think that you stated explicitly this is not a new license, just a > clarification (optional one?) that providing both texts when > referencing LGPL-3* is better. > How could one ever handle this sanely in practice? If this is not a > new license, why would you need a new license identifier? If this is a > new license, or a new previsously unstated requirement of the LGPL 3 > it would need some wide open and public discussion IMHO. Sorry if this has been unclear. I do not request a new license identifier but an amendment of the full text version. LGPL-3.0* requires the GPL-3.0 text, and FSF has officially provided a concatenated version. For SPDX and other downstreams it would just make sense to use the "complete" version IMHO, as it meets users expectations. > Some examples of the new and updated clarity issues this brings: > > Say I stumbled on the text at > https://www.gnu.org/licenses/lgpl+gpl.txt in some project... is this > project using the LGPL only or the LGPL and the GPL that apply? It is > impossible to disambiguate which one applies short of a statement by > the authors that they mean the GPL not to apply but that only the LGPL > should be considered there and that the GPL text is there only for > reference. The top of the file quite clearly states that this is about the LGPL. But of course, just from this text it's unclear how the actual code is licensed, but that's a common problem in repos using multiple licenses. That's why SPDX license identifiers make a lot of sense, and also why the REUSE way of storing license texts is so useful. It's very clear if you store the above license text under `LICENSES/LGPL-3.0-or-later.txt` and mark the files with `SPDX-License-Identifier: LGPL-3.0-or-later`. > What if a project contains both GPL3 and LGPL 3-licensed code? They > could use the exact same text as above and I would still not be able > to disambiguate short of extra statements. Well, in the example above, that wouldn't be any problem. You can have both GPL and LGPL licensed code in your repo, and by using SPDX expressions you can even dual-license selected files if you wanted. Again, just by having a LICENSE file things are ambiguous anyway. And what's the alternative for LGPL-3.0? Just using the text that SPDX provides currently is not compliant as the license requires the GPL-3.0 to be present. What changed now is that there is an official upstream combined version, so SPDX should use it. > Now say the author added a license identifier in the code saying that > this is "LGPL-3.0-only"... did they forget to reference the GPL text > in the combined text above? Or is this really just LGPL? Or is some > part of the code GPL-licensed but not marked as such? I cannot say for > sure either and I would not trust that. I still need some more > explicit statements to get clarity. > > IMHO the status of the LGPL as a self standing text or whether it > needs to be accompanied by the GPL text has been a jolly mess of > ambiguity since the release of the L/GPL3*. > > I cannot see how the FSF releasing a text that combines two texts > makes it any better, to the contrary: it just adds even more ambiguity > and confusion. Even more so if there has been no public discussion on > the topic. > > I cannot fathom how this kind of confusion, uncertainty and doubt is > helpful to anyone producing or consuming LGPL-licensed code. I get your point, and it's also not the most ideal outcome, but as written above I think the situation improved. And of course we need explicit statements, and thanks to the combination of SPDX and REUSE that's a common best practice. Best, Max -- Max Mehl - Programme Manager - Free Software Foundation Europe Contact and information: https://fsfe.org/about/mehl | @mxmehl Become a supporter of software freedom: https://fsfe.org/join -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4135): https://lists.spdx.org/g/Spdx-tech/message/4135 Mute This Topic: https://lists.spdx.org/mt/84502210/21656 Group Owner: spdx-tech+ow...@lists.spdx.org Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
