Re: only/or later and the goals of SPDX
David A. Wheeler
A key part is missing in the description of the original FSF proposal hereNot exactly. In many cases it's clearly licensed under GPLv2.
The issue is that often we don't know if "or any later version" applies.
To address this, we suggested still deprecating the plain identifier butThe proposal, as I understand it, is these license expressions have the following meanings:
1. GPL-2.0 ONLY : GPL version 2.0 only.
2. GPL-2.0+ : GPL version 2 or any later version
3. GPL-2.0 : At least GPL version 2.0 applies. It may or may not be "or any later version". In practice, this is all most tools can report, because all they can report is the presence of this license file (there may not *be* any other information).
It'd be possible to report case #3 in other ways, e.g.:
* GPL-2.0 OR MAYBE GPL-2.0+
* GPL-2.0 AT LEAST
I *do* think it would be very odd to deprecate the license identifier "GPL-2.0", especially since this license is in such active use AND is a basis for many license expressions. The proposal has the advantage that it acknowledges reality - when people or tools report "GPL-2.0", in practice we don't really know if "or later" applies (the SPDX spec, versus practice, sometimes diverge on this point).
I understand SPDX doesn't want to make legal judgments. Which is why itI agree that SPDX should *not* require people and tools to make *false* claims. So we need a way to not *force* people to make claims they don't believe. Interpreting "GPL-2.0" as "GPL version 2 at least, not sure if it 'or later' applies" seems like it gets there for the case under discussion. I'd be happy with other solutions too.
We haven't changed our mind about what we do and don't support here;I disagree with using NOASSERTION in this case; that loses important information. 99% of the time, knowing that it's licensed under the GPL version 2 at least is *more* than good enough. There are cases where I care, of course (e.g., if I'm linking it with Apache 2.0 licensed software). But every legal analysis costs time & money; people only want to invest where they *must* do so. If tools can report "I know GPL-2.0 at least is okay, and later versions might be okay", that'd be best.
I do agree that it'd be great if projects would provide better licensing information. But I'm currently trying to convince people to add licensing statements at *all*, due in part to complete obliviousness. Adding license files of *any* kind is a win right now. Given that starting point, we should not expect perfect licenses any time soon :-).
Thanks for your time!
--- David A. Wheeler