Re: SPDX Identifier in licenses/source headers

Mark Gisi

Roger - Thanks for bring attention to these additional efforts. As a more general comment:


There are at least five different stakeholders who need to be taken into consideration when determining what the right amount of info is required for a file header:

1.       Developers

2.       Legal Professionals

3.       Compliance Professionals

4.       Auditors & SPDX file creators

5.       The Open Source Movement (Collectively)


The desire to streamline the number of lines in the header from a developer’s perspective is clear. Although the standard Apache header is better than having to include the entire copy of the Apache license, can we do better? Legal professionals are concerned about ensuring sufficient information is provided to mitigate risk (e.g., warrantee disclaimers and copyright holder info). Compliance professionals need sufficient information to achieve compliant (e.g., full BSD or MIT notices are require for compliance, …). SPDX file creators need sufficient info to determine what license(s) govern each file. The Open Source movement (as a collective) is about facilitating the creation and pervasive dissemination of great software.


The Open Source Movement loses when a file is shared (copied) from one project to another under different license terms *where* pertinent information is lost (e.g., left behind  in a License.txt, COPYING, NOTICE.txt, or SPDX file). Sharing is the key underlying force of the movement. The more sharing the better. But also the more sharing, the more important it becomes for each file to retain *sufficient* information required to grant the users the rights to use the software as it travels. SDPX License identifiers typically represent only partial information. If certain information is lost, then the file may cease to be open source (due to lack sufficient rights granted). This is one of the greatest threats to the movement today.  Looking at the problem more holistically, the sole inclusion of SPDX License identifiers will potentially do more harm than good for the movement.


We need to think hard about the impact on all stakeholders (and more precisely what the problem is) before promoting a certain practice for managing license headers. Although not ideal, the current standard Apache header is sufficient to serve all the stakeholders today. The question is, can we improve on what goes into the file header such that all stakeholders benefit (or at least no one stakeholder loses). Most importantly - the Open Source Movement collectively.


- Mark


From: Meier, Roger [mailto:r.meier@...]
Sent: Tuesday, June 09, 2015 2:44 AM
To: Henri Yandell; Gisi, Mark
Cc: spdx-tech@...; spdx-legal@...
Subject: RE: SPDX Identifier in licenses/source headers


Hi all


This might be of interest:


and here is another project using SPDX-License-Identifier:


all the best!




From: spdx-tech-bounces@... [mailto:spdx-tech-bounces@...] On Behalf Of Henri Yandell
Sent: Dienstag, 9. Juni 2015 03:47
To: Gisi, Mark
spdx-tech@...; spdx-legal@...
Subject: Re: SPDX Identifier in licenses/source headers


Thanks Mark.


Partly I was wondering if there was value in proposing a change to that Apache source header to include the SPDX identifier somehow. :)




On Mon, Jun 8, 2015 at 12:20 AM, Gisi, Mark <Mark.Gisi@...> wrote:

Hi Hen,


There is no recommendation by yet on whether to use SPDX short license identifiers within a file. There has been a fair amount of discussion with some concerns identified when *only* short identifiers are included in file headers. This is still an active discussion for which I anticipate a recommendation for a best practice will be made sometime in 2015.


As one of the largest producers of SPDX files, Wind River has come to the conclusion (for now) the best general practice is to use a standard license file notice if one exists. In the case of the Apache 2.0 license, that would be to include the following license notice in every file (as recommend by the appendix of the Apache 2.0 license):


Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); 
you may not use this file except in compliance with the License. 
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software 
distributed under the License is distributed on an "AS IS" BASIS, 
See the License for the specific language governing permissions and 
limitations under the License.

This is easy to identify by many SPDX generation tools today. This is also a best practice followed by the Apache Foundation (along with including a full copy of the Apache 2.0 in LICENSE.txt). It is my opinion that the Apache Foundation approach for managing license information in source code represents the current gold standard. An approach where a clear simple license notice appears at the top of every source file, eliminating license ambiguity that is commonly found in many other easily accessible source code repositories.


- Mark



Mark Gisi | Wind River | Director, IP & Open Source

Tel (510) 749-2016 | Fax (510) 749-4552



From: spdx-tech-bounces@... [mailto:spdx-tech-bounces@...] On Behalf Of Henri Yandell
Sent: Saturday, June 06, 2015 10:09 AM
Subject: SPDX Identifier in licenses/source headers



What would be the correct tag to put in a license and license source header to make life easier for SPDX?


I see 'SPDX-License-Identifier' referenced in 2013 emails, but searching the spec doesn't find that.


As an example, If I've an Apache 2.0 license, should I be inserting 'SPDX-License-Identifier: Apache 2.0' into the LICENSE.txt and each source header?


If that's the case, is there any best practice location to put it in?






Join { to automatically receive all group messages.