The meaning of "AND" in license expressions [was:Re: call tomorrow, agenda]

Philippe Ombredanne

Here is my understanding of how the "AND" thread started:

Mark brought up a concern about the meaning of AND.
He felt this could be misleading to have to say AND in a top level
package without details about what each license applies to which file
exactly. And Debian uses a comma to provide a list of licenses in
these cases rather than an AND.
And he pointed out that using AND for something like "GPL 2.0 AND
Proprietary-License" could be puzzling at best.
(Mark please correct me if I am wrong: this is just hearsay.)

I agree with Sam E., Gary O., Alan T. and Jilayne L.: the current spec
is correct and there are ways to express things precisely using
relationships and other measn. (Thanks Jilayne for your excellent

I also agree with Mark G. and Dennis C.: some expressions look
surprising and feel contradictory, such as GPL and Proprietary.

I think both points can be reconciled.

My take:
On the substance:
* AND means that all licenses apply. Simple and clear.
In the context of Debian, the comma means exactly the same thing: all
licenses apply.

* AND can be used at a granular per file or directory level or at a
coarse aggregated level.
When aggregated it identifies all the licenses used, say a single SPDX
document with no details of where each licenses applies.
While not precise and detailed to the tastes of many, this can be an
accurate yet coarse representation of a package licensing.
If I am not provided with more details of what applies to what it does
not imply that all licenses apply to everything.
It just means that all these licenses apply in aggregate at some level.

Having more details documented would be preferred but this is not a mandate.
This is a perfectly valid SPDX usage and much better than no SPDX at all.

On the form:
Say I receive an SPDX doc for a fictitious AirStream RT 12.1 package that says:
Commercial and GPL-2.0
The package contains a GPL-licensed kernel module and a
commercially-licensed set of user space utilities.
But AirStream did not provide details in additional SPDX elements or docs.
This license expression is factually correct but it may be surprising
if you were not provided with more details.

Surprising is not good: we can do better!

My suggestion:
1. Do not add anything to the semantics of the license expressions:
AFAIK anything can be documented with SPDX (eventually with
relationships) to add more details if an SPDX author wants to do so.
We can add notes or commentary alright in the spec or outside the spec
to make it easier to understand alright.

2. Add the comma as an alternative representation for AND where "AND"
and "," are exactly equivalent and can be used interchangeably.

The benefit is that AirStream may prefer to provide a single top-level
SPDX doc with no further file details with:
Commercial, GPL-2.0

With this alternative form the surprise goes away. Debian does not
have to change its ways either.
And you could even write things like this as a valid expression and
good plain English:

This package contains code under various licenses:
Commercial, LGPL-2.1, GPL-2.0+, MPL-2.0 and MIT

This is formally equivalent to this other expression which can be
surprising to some:
LGPL-2.1, Commercial and GPL-2.0+, MPL-2.0 and MIT

Philippe Ombredanne

Join { to automatically receive all group messages.