Re: SPDX license question


J Lovejoy
 

Hi Bob,

Here’s some feedback on license identification in FOSSology based on a recent scan I was looking at.  I think some of the things I saw originally would be taken care of by using the LicenseRef-<FOSSology identifier> as discussed in a previous thread.  Likewise, some of these may have already been caught or cleaned up otherwise, but just in case:

FOSSology match name on left - notes on left:

NewBSD - should be: BSD-2-Clause-NetBSD 
BSD-Style - again, would be nice if this could use the License-Ref maybe?
Freeware - was matched to the FSF copyright and permissive license (similar to http://spdx.org/licenses/FSFULLR.html, but not an exact match).  “Freeware” is misleading here, I think.
GPL-3.0+-with-autoconf-exception - wasn’t the standard autoconf exception, so maybe use a different name for that (or submit to add to SPDX exceptions list)
MIT-style - was actually ISC (on SPDX License List)
RSA-Security  - I think was a match to http://spdx.org/licenses/RSA-MD.html but cannot verify now

Additionally - at some point in the future, it would be great if FOSSology found:
SPDX-Identifier:  <SPDX license identifier or  expression>
if it would consider it a match to the SPDX identifier or expression, a la https://docs.google.com/document/d/1gmanQVKH6NbbDE9lJPcC6BW0yyMaMXHugY4T3wER__A/edit?pli=1 :)

Thanks much!!
Jilayne




On Jul 22, 2015, at 9:04 AM, Gobeille, Robert <bob.gobeille@...> wrote:

Thanks Jilayne.  We look forward to your FOSSology feedback.

FYI, in FOSSology 3.0 we are adding a third license scanner - ninka.  The idea behind three scanners that operate so differently is to give users even more confidence in the results and to be able to automate more clearing decisions.  3.0 also has our new SPDX generator, a more unified UI, export control scanner, and more compliance workflow features to speed up the process.  We are targeting a mid-August release to coincide with LinuxCon NA.

Thanks,
Bob Gobeille

On Jul 22, 2015, at 2:56 AM, J Lovejoy <opensource@...> wrote:

Great Bob!  Funny timing, as I was just looking at some FOSSology scans (haven’t done so in a while, it’s like re-visiting an old friend :) and may have some other feedback for re: license matching.  I’ll shoot you an email with something more articulate soon.

thanks again for all your work,
Jilayne

SPDX Legal Team co-lead
opensource@...


On Jul 17, 2015, at 9:14 PM, Gobeille, Robert <bob.gobeille@...> wrote:

Thanks Jilayne and Kate,
It looks like we need to do some updating on FOSSology to be SPDX 2.0 compliant.  Thanks for your answers.

Bob Gobeille

On Jul 16, 2015, at 4:17 PM, J Lovejoy <opensource@...> wrote:

Hi Bob,

Thanks for asking!  My additional comments to Kate’s also below:


On Jul 16, 2015, at 5:33 AM, Kate Stewart <kstewart@...> wrote:

Hi Bob,
     Comments inline...

On Wed, Jul 15, 2015 at 4:54 PM, Gobeille, Robert <bob.gobeille@...> wrote:
We (FOSSology project) are having a discussion about how to name dual licenses.  What is the SPDX policy on naming dual licenses?  Here are some examples:

1.  The Asterisk license is GPL-2.0 with exceptions:
http://svnview.digium.com/svn/asterisk/trunk/LICENSE 
To me, I would call this an Asterisk license because of the number of specific permissions granted.

This could be handled either as an explicit exception (add to exception list) or as a new license
being added to the main list.  The legal team is probably the best one to make the judgement though
as to which way makes most sense.

This should definitely be handled as a new exception added to the exception list; if you think this is something SPDX should have on its list, please have a look at information needed to request a new license and let the legal list know if you want to request it be added.  In which case, it would be expressed as: GPL-2.0 WITH Asterisk-exception (or whatever the exception ends up being called.)
As per SPDX 2.0, this license would currently be expressed as a Lic-Ref (section 5 of the spec), as we don’t currently have a way to represent a valid license identifier (e.g., “GPL-2.0”) with an exception not on our list.  This is functionality we discussed adding in a future version (e.g., a Lic-Ref equivalent for exceptions), but it remains to be seen when that will get added.

I would strongly urge against adding this as a new license in whole.  Now that we have the license expression syntax for exception (“WITH”), and have moved all such exceptions to their own list, we ought to be consistent in that going forward. :)


2. Gephi License
This is just a dual GPL-3.0, CDDL license.  So in FOSSology, I would call it "Dual GPL-3.0 - CDDL” and some others would call it “Dual Gephi License”.  We have several examples like this where the license is a straight dual license.  To me, “Dual GPL-3.0-CDDL” is more helpful than “Gephi License”.  If you name all these licenses by the project then you have to become familiar with them all (the ultimate in license proliferation).

This is a nice illustration of why the license expressions syntax was created. ;-)

"GPL-3.0 OR CDDL-1.0"  I think is the license expression that should be used. 
see: Appendix IV: SPDX License Expressions in SPDX-2.0 for more details on the
syntax.

Assuming when you say “dual” you mean it’s a choice between GPL-3.0 and CDDL-x.y, then Kate is correct, that “OR” would be the correct license syntax.  Again, it would be preferable for any disjunctive or conjunctive license situations to use the short identifiers and the license expression syntax (“OR” or “AND”) rather than calling it a whole new license name.

Thanks!!

Jilayne


Hope this helps,
Kate


---- Gephi notice follows ----
Copyright 2008-2010 Gephi
Authors : Mathieu Bastian <mathieu.bastian@...>
Website : http://www.gephi.org
This file is part of Gephi.
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright 2011 Gephi Consortium. All rights reserved.
The contents of this file are subject to the terms of either the GNU
General Public License Version 3 only ("GPL") or the Common
Development and Distribution License("CDDL") (collectively, the
"License"). You may not use this file except in compliance with the
License. You can obtain a copy of the License at
http://gephi.org/about/legal/license-notice/
or /cddl-1.0.txt and /gpl-3.0.txt. See the License for the
specific language governing permissions and limitations under the
License. When distributing the software, include this License Header
Notice in each file and include the License files at
/cddl-1.0.txt and /gpl-3.0.txt. If applicable, add the following below the
License Header, with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
If you wish your version of this file to be governed by only the CDDL
or only the GPL Version 3, indicate your decision by adding
"[Contributor] elects to include this software in this distribution
under the [CDDL or GPL Version 3] license." If you do not indicate a
single choice of license, a recipient has the option to distribute
your version of this file under either the CDDL, the GPL Version 3 or
to extend the choice of license to its licensees as provided above.
However, if you add GPL Version 3 code and therefore, elected the GPL
Version 3 license, then the option applies only if the new code is
made subject to such option by the copyright holder.
Contributor(s):
Portions Copyrighted 2011 Gephi Consortium.

Thanks,
Bob Gobeille
bobg@...


_______________________________________________
Spdx-legal mailing list
Spdx-legal@...
https://lists.spdx.org/mailman/listinfo/spdx-legal
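
The license expressions discussed in this thread ("GPL-3.0 OR CDDL-1.0", "GPL-2.0 WITH Asterisk-exception", LicenseRef identifiers) can be checked mechanically. The following is an added example, not part of the original messages and not FOSSology or SPDX project code: a small parser for the SPDX 2.0 expression syntax (precedence WITH, then AND, then OR) that reports identifiers missing from the lists. The license and exception sets are constructed subsets, and Asterisk-exception is the thread's hypothetical name.

```python
import re

# Constructed subsets of the SPDX lists, just enough for the thread's examples.
KNOWN_LICENSES = {"GPL-2.0", "GPL-3.0", "CDDL-1.0", "ISC", "RSA-MD", "FSFULLR"}
KNOWN_EXCEPTIONS = {"Autoconf-exception-3.0", "Classpath-exception-2.0"}
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.:-]+\+?")

def parse(expr):
    """Parse an SPDX 2.0 license expression; return (tree, problems)."""
    toks, problems = TOKEN.findall(expr), []
    if "".join(toks) != "".join(expr.split()):   # something was not tokenized
        raise ValueError("illegal character in expression")
    def take():
        if not toks:
            raise ValueError("unexpected end of expression")
        return toks.pop(0)

    def simple():  # id, id+, LicenseRef-..., (expr), or id WITH exception
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"expected a license, got {tok!r}")
        base = tok.rstrip("+").rpartition(":")[2]  # drop '+' and DocumentRef-x:
        if not base.startswith("LicenseRef-") and base not in KNOWN_LICENSES:
            problems.append(f"license not on list: {base}")
        if toks[:1] == ["WITH"]:                   # WITH binds tighter than AND/OR
            take()
            exc = take()
            if exc not in KNOWN_EXCEPTIONS:
                problems.append(f"exception not on list: {exc}")
            return ("WITH", tok, exc)
        return tok

    def chain(op, operand):  # left-associative run of one binary operator
        node = operand()
        while toks[:1] == [op]:
            take()
            node = (op, node, operand())
        return node
    def or_expr():
        return chain("OR", lambda: chain("AND", simple))
    tree = or_expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree, problems
```

A scanner name such as NewBSD or BSD-Style comes back in `problems`, which is the case the thread proposes handling with a LicenseRef identifier.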




