Re: Is "+" a valid character of a LicenseRef idstring?


Philippe Ombredanne
 

On Wed, Oct 28, 2015 at 10:28 AM, Schuberth, Sebastian
<sebastian.schuberth@...> wrote:

when debugging an issue in the spdx-tools verifier, I noticed the SPDX 2.0
specs seem to be inconsistent on whether "+" is a valid character in a
LicenseRef's idstring, like in LicenseRef-[idstring].
I not see any reason why a + would not be allowed in a reference, and
there is no ambiguity since the + always something attached to an id or
ref string, not some free standing symbol.

But this raises a larger question which I am sure has been
debated in the past:

Using a + is a whart. Licenses that allow the use of other versions do so
explicitly in their texts, the GPL being the most prominent but the EPL
comes to mind too. So there is no such thing as GPL-2.0 or another
version: these are the plain default GPL terms.

If I do nothing special, the GPL version I picked or any other later
version can apply. I need to go the extra mile to state that only this
version applies and no other version. I need to add a specific statement
to that effect. Actually if I only state my code is GPL-licensed without
indicating a version the GPL says that a recipient can pick *any current
or future version*

So to me it is an exception to the GPL-2.0 (or 3) to disallow the use of
other versions. A fairly common exception because it is used in the
kernel and that likely led to this flawed but widely spread approach
to be adopted by Linux distros. And later adopted by SPDX.

Essentially GPL-2.0 and GPL-2.0+ mean exactly the same the thing.
The plus is redundant and confusing. To be truly correct, every
single occurrence of the GPL that does not disallow later versions
should have a plus. It does not make sense to treat the non-default
exceptional case as the default.

Fixing this in SPDX would mean to deprecate + entirely, and add
an exception that would disallow other or future versions such as "only".

Or change the meaning and the text of the GPL-2.0 to be some
notice that states this means the GPL-2.0 applies only and no other
version. And replace the GPL-2.0 id by a GPL-2.0+ id where the text
is the actual full text.

Any thoughts?

PS: I am cross-posting to the legal list as this is ultimately there
that it should
be resolved IMHO.
--
Cordially
Philippe Ombredanne

Join Spdx-legal@lists.spdx.org to automatically receive all group messages.