Hi Legal Team,

The topic that Mark Gisi brought up in the extra time we had in our meeting this morning, the use of "AND" in a license expression, made we wish we had more time to pursue it, and I hope that we make it a priority topic for our next legal group meeting.  

Although my initial reaction to the issue was that we already cover it quite well, the subsequent discussion made it very clear that we have a problem. "AND" should have a reasonably precise definition: 

1. AND means that two or more licenses apply to a software object.  A typical case is a file with various bits of code from multiple open source origins, where all of them still apply.  Another one is an executable that links together code under different licenses.  An implication, although not guaranteed, of the use of AND is that the licenses are compatible. 

2. AND is sometimes, arguably incorrectly, used to identify an assortment of licenses that can be found in various subcomponents of a package, often referring to software objects that are deployed independently in actual practice. Using AND in this case is misleading, as Mark pointed out, since a package can contain components under different licenses that are actually not compatible, although not really a problem depending on how they are ultimately deployed. 

We need to upgrade our license expression syntax to address this, and should do it soon, because the current version does not encourage accuracy, and there could be upgrade issues in the future if we decide to correct the situation.  Mark mentioned the possibility of using a comma (as currently done by Debian and others) or a semicolon.  I'm fine with using a comma, although I am inclined to think that something more explanatory would be better:  how about a "CONTAINS" license expression keyword?  Example: CONTAINS (GPL-2.0, LGPL-2.1, GFDL-1.2). Whatever the solution, we really need to define a way to express the second case described above. 

Thanks to everyone for an interesting meeting!

Dennis Clark

nexB Inc.

On Wed, May 13, 2015 at 7:38 AM, <opensource@...> wrote:

Hi all,

Just a reminder that we have our bi-weekly SPDX Legal Team call
tomorrow, Thursday, 13 May at 18:00 GMT (10:00AM PT, 11:00 MT, 12:00 CT,
1:00PM ET)

Call this number: (United States): +1-857-216-2871
User PIN: 38633
International: visit the URL at http://uberconference.com/SPDXTeam

We will be discussing the Standard Header field.  Please review the
following info ahead of the call:
-
http://wiki.spdx.org/view/Legal_Team/Current_Projects_and_Issues#Standard_Headers
- for a description of the issue
- http://spdx.org/spdx-license-list/license-list-overview - see F at
bottom of page for the description of the Standard Header field
- you might also want to download the SPDX License List spreadsheet from
Git
(http://git.spdx.org/?p=license-list.git;a=tree;hb=64ec66a5460b9da2a836b2c28cac5e31535eedf9
) as then you can easily see all the licenses that have a Standard
Header at one time.

There are 54 licenses on the SPDX License List with a Standard Header.
There seems to be 3 categories of issues:
1) multiple or variable options (e.g., Apache-2.0 and APL-1.0. GFDL-*)

2) variable text w/in header (that is not copyright notice)- do we need
to created a template with markup? (see, e.g., CPAL-1.0, OCLC-2.0,
RPSL-1.0, MPL-*, etc.

3) presence or absence of "or later" in Standard Header making a
difference as to license identification (e.g., L/GPL)

Thanks,
Jilayne & Paul
SPDX Legal co-leads
_______________________________________________
Spdx-legal mailing list
Spdx-legal@...
https://lists.spdx.org/mailman/listinfo/spdx-legal