Re: only/or later and the goals of SPDX


David A. Wheeler
 

John Sullivan:
> A key part is missing in the description of the original FSF proposal here
> though -- which is deprecating the existing GPL-2.0 and similar "plain"
> identifiers for GNU licenses so that the identifiers used always indicate
> whether the version is "only" or "any later".

> As I understand it, people had concerns with deprecating the plain
> identifiers because of situations where they (for example) find a copy of
> GPLv2, but no clear statement about whether the program is actually
> licensed under its terms.

Not exactly. In many cases it's clearly licensed under GPLv2.
The issue is that often we don't know if "or any later version" applies.

> To address this, we suggested still deprecating the plain identifier but
> adding an ambiguous/unclear identifier that still indicates a copy of the GPL
> was found but does not mislead observers into thinking that there are
> sufficiently clear licensing statements along with it.

The proposal, as I understand it, is these license expressions have the following meanings:
1. GPL-2.0 ONLY : GPL version 2.0 only.
2. GPL-2.0+ : GPL version 2 or any later version
3. GPL-2.0 : At least GPL version 2.0 applies. It may or may not be "or any later version". In practice, this is all most tools can report, because all they can report is the presence of this license file (there may not *be* any other information).

It'd be possible to report case #3 in other ways, e.g.:
* GPL-2.0 OR MAYBE GPL-2.0+
* GPL-2.0?
* GPL-2.0 AT LEAST
I *do* think it would be very odd to deprecate the license identifier "GPL-2.0", especially since this license is in such active use AND is a basis for many license expressions. The proposal has the advantage that it acknowledges reality - when people or tools report "GPL-2.0", in practice we don't really know if "or later" applies (the SPDX spec, versus practice, sometimes diverge on this point).

> I understand SPDX doesn't want to make legal judgments. Which is why it
> should indicate when there is uncertainty.

I agree that SPDX should *not* require people and tools to make *false* claims. So we need a way to not *force* people to make claims they don't believe. Interpreting "GPL-2.0" as "GPL version 2 at least, not sure if 'or later' applies" seems like it gets there for the case under discussion. I'd be happy with other solutions too.

...
> We haven't changed our mind about what we do and don't support here;
> and I think we'd be open to other ways to indicate ambiguity/uncertainty,
> including possibly using NOASSERTION.

I disagree with using NOASSERTION in this case; that loses important information. 99% of the time, knowing that it's licensed under the GPL version 2 at least is *more* than good enough. There are cases where I care, of course (e.g., if I'm linking it with Apache 2.0 licensed software). But every legal analysis costs time & money; people only want to invest where they *must* do so. If tools can report "I know GPL-2.0 at least is okay, and later versions might be okay", that'd be best.

I do agree that it'd be great if projects would provide better licensing information. But I'm currently trying to convince people to add licensing statements at *all*, due in part to complete obliviousness. Adding license files of *any* kind is a win right now. Given that starting point, we should not expect perfect licenses any time soon :-).

Thanks for your time!

--- David A. Wheeler
