Here’s some feedback on license identification in FOSSology based on a recent scan I was looking at. I think some of the things I saw originally would be taken care of by using the LicenseRef-<FOSSology identifier> as discussed in a previous thread. Likewise, some of these may have already been caught or cleaned up otherwise, but just in case:
FOSSology match name on left - notes on left:
NewBSD - should be: BSD-2-Clause-NetBSD
BSD-Style - again, would be nice if this could use the License-Ref maybe?
GPL-3.0+-with-autoconf-exception - wasn’t the standard autoconf exception, so maybe use a different name for that (or submit to add to SPDX exceptions list)
MIT-style - was actually ISC (on SPDX License List)
Additionally - at some point in the future, it would be great if FOSSology found:
SPDX-Identifier: <SPDX license identifier or expression>
Thanks Jilayne. We look forward to your FOSSology feedback.
FYI, in FOSSology 3.0 we are adding a third license scanner - ninka. The idea behind three scanners that operate so differently is to give users even more confidence in the results and to be able to automate more clearing decisions. 3.0 also has our new SPDX generator, a more unified UI, export control scanner, and more compliance workflow features to speed up the process. We are targeting a mid-August release to coincide with LinuxCon NA.
Great Bob! Funny timing, as I was just looking at some FOSSology scans (haven’t done so in a while, it’s like re-visiting an old friend :) and may have some other feedback for re: license matching. I’ll shoot you an email with something more articulate soon.
thanks again for all your work,
Thanks Jilayne and Kate,
It looks like we need to do some updating on FOSSology to be SPDX 2.0 compliant. Thanks for your answers.
Thanks for asking! My additional comments to Kate’s also below:
On Jul 16, 2015, at 5:33 AM, Kate Stewart <kstewart@...
This should definitely be handled as a new exception added to the exception list; if you think this is something SPDX should have on its list, please have a look at information needed to request a new license and let the legal list know if you want to request it be added. In which case, it would be expressed as: GPL-2.0 WITH Asterisk-exception (or whatever the exception ends up being called.)
As per SPDX 2.0, this license would currently be expressed as a Lic-Ref (section 5 of the spec), as we don’t currently have a way to represent a valid license identifier (e.g., “GPL-2.0”) with an exception not on our list. This is functionality we discussed adding in a future version (e.g., a Lic-Ref equivalent for exceptions), but it remains to be seen when that will get added.
I would strongly urge against adding this as a new license in whole. Now that we have the license expression syntax for exception (“WITH”), and have moved all such exceptions to their own list, we ought to be consistent in that going forward. :)
Assuming when you say “dual” you mean it’s a choice between GPL-3.0 and CDDL-x.y, then Kate is correct, that “OR” would be the correct license syntax. Again, it would be preferable for any disjunctive or conjunctive license situations to use the short identifiers and the license expression syntax (“OR” or “AND”) rather than calling it a whole new license name.