Re: Is "+" a valid character of a LicenseRef idstring?


Philippe Ombredanne
 

On Tue, Nov 3, 2015 at 3:45 AM, Wheeler, David A <dwheeler@...> wrote:
Philippe Ombredanne wrote:
[...]
You say:
GPL-2.0 ==> implies GPL 2.0 only
GPL-2.0+ ==> implies GPL 2.0 or later
That's not just what I say. That's what the spec says, and has
clearly stated since circa 2010.
This would have been a useful argument to raise in 2010 (when SPDX was
drafted). But this group doesn't exist to create a new spec where
none has existed. For more than 5 years SPDX has consistently stated
that "GPL-2.0" means ONLY GPL-2.0 and nothing else. This builds on
previous history of Fedora and Debian, who also use "+" this way,
e.g., see: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing
David:
I know this as I was part of it and that does not make it more right ...
FWIW, I have been around SPDX for quite a while ;).
See "A Short History of SPDX": https://spdx.org/about-spdx/what-is-spdx

While I know you're focusing on the GPL, there are many other
licenses, and most licenses do NOT have a "this or later version"
clause;
The focus is not only on the GPL:
well over 25% of the SPDX licenses DO HAVE a "this or later version"
clause. Here are some examples:

- Most of the FSF licenses: The GPL and LGPL and all their versions.
But also the AGPL, the GFDL, etc.
- all the Mozilla-like license: NPLs, MPLs and all the MPL derivatives
such as SPL, CPAL, Erlang, RPL, APSL, Gsoap, ZIMBRA, SISL, etc.
- most of the Creative Common licenses,
- The Eclipse licenses and the CPLs,
- the CDDLs,
- the PHP license,
- OpenLDAP, Latex/LPPL, LPL, Condor, CATOSL, RPSL, CECILL, etc.

For all SPDX licenses allowing other versions, the bare identifier means
"or later version", except for the L/GPL where this means "only the
current version" unless you create an expression with a "+".

So the decision procedure to use a plus or not is roughly like this:

If licensing allows to use "other license versions":
- If and only if GPL or LGPL, add a + to the license identifier.
"other license versions" is NOT implied.

- Otherwise, if this not GPL or LGPL, do NOT add a +.
"other license versions" is implied if the license allows such thing.
Do this ONLY for any versions of these two licenses. Do not apply
this approach to other FSF licenses such AGPL, GFDL and others.

- Except if you are a Linux packager for Debian or Fedora and their
derivatives, because then you may use the + for other FSF
licenses beyond the L/GPL. The + is already used with GFDL,
AGPL, etc. Do not use a plus for non-FSF licenses that
have an "or later" clause.

If licensing does NOT allow to use "other license versions":
- If and only if LGPL or LGPL, use the bare license identifier.
"no other license version" is implied by a bare id.

- Except if you are a Linux packager because you apply
the same approach for other FSF licenses.

- If this is another license, then?
"other license version" IS implied in a bare id here.
SPDX does not help you there, and you could create an
exception.This is a rare case anyway.

having the default be what's common in MOST licenses is
actually sensible.
This is exactly my point. The common sense and default usage for L/GPL
is ". And Linux distros and SPDX have made the default "or later"
exceptional and the less common "only" exception the default.

So how to resolve this situation?

In the grand scheme of things, "only" and "or later" are minute
technicalities that the large majority of software users do not care
for. The licenses requirements are essentially the same and
"later or not later" is not the question.
Only a few licensing mavens care about this and they know how to deal
with it.

But SPDX is likely stuck with this inconsistent legacy and yes this is
hard to escape without creating more mess. It does not mean that we
cannot try to clarify and improve things.

First we need to distinguish two types of licenses allowing
"other versions":

a. FSF licenses such as the A/L/GPL. These are the only licenses were a
plus + convention has been used by Linux distros and SPDX with some
consistency.

b. Non-FSF licenses. I cannot find cases where the plus + convention
has been used in the wild or with SPDX for these.


Some ways out could include:

Option 1. Do mostly nothing.
---------
Keep the status quo and clarify the current ambiguities:
We document the procedure I described above and move on.
We accept this is a mess and make it a documented mess.
This is an OK option. And requires little or no work.


Option 2. Change the meaning of every bare license id that allow
"or later" to mean "this version only". FSF or not FSF.
--------
No change of license ids is needed, only the SPDX full names and notes
need to be updated the same way the full name of the GPL-2.0 is:
"GNU General Public License v2.0 only"

And we explain that to express the default case of "or later" you always
need to create an expression with a +. This would provide a consistent and
homogeneous treatment of all SPDX licenses.
This is not the way Linux distros have used non-FSF licenses.
And this would change the meaning of any non-FSF licenses that have been
used without a plus until now.
This is not really an OK option. And requires quite some work.


Option 3. Reinstate/un-deprecate the "+" to use it as part of the
identifier when needed only for FSF licenses and deprecate the
usage of the + in license expressions.
--------
Here and ONLY for FSF licenses, we deprecate GPL-2.0 and related
identifiers and replace them with new ids such as GPL-2.0-only and
AGPL-3.0-only. We reinstate the GPL-2.0+ or create similar identifiers
(e.g. AGPL-3.0+) that become the default.

Note that we could also consider keeping multiple ids as "aliases" for
FSF licenses instead of deprecating the GPL-2.0 bare ids.

And we deprecate the use of the plus in license expressions
now no longer needed.

For the cases of non-FSF licenses supporting "or later" and if you
want to restrict usage to "only this version", we add a new exception
such as "No other version" or "only this version", rarely needed.

This approach would be compatible with the past and the present and
consistent with the ways the plus is used in Debian and Fedora distros
for FSF licenses beyond the L/GPL:

- GPL-2.0+ always means/meant "or later".
- GPL-2.0 and GPL-2.0-only always means/meant "only".

And tools that parse SPDX expressions can look up the license ids
with + first or handle the deprecated + without ambiguities.

It is still inconsistent with the general default meaning of "GPL 2.0".
So when you migrate to SPDX, any places where you used "GPL 2.0"
with the general default meaning of "or later" you need to map this to
GPL-2.0+.

This is an OK option. And requires some work.

--
Cordially
Philippe Ombredanne

Join Spdx-legal@lists.spdx.org to automatically receive all group messages.