Re: update on only/or later etc.


Philippe Ombredanne
 

On Tue, Nov 21, 2017 at 5:28 PM, Wheeler, David A <dwheeler@...> wrote:
> J Lovejoy [mailto:opensource@...]:
>> If this is a potential problem once GPL-2.0 is changed to GPL-2.0-only, then
>> it is currently a problem.
>
> Yes indeed, that's my point :-).
>
>> And perhaps by altering the current identifier (GPL-2.0) to be more explicit
>> (GPL-2.0-only) we will expose just how often GPL-2.0 has been used
>> incorrectly.
>
> The tools are currently *required* to be incorrect, because they cannot report
> the information they have ("I have GPL-2.0, and I don't know if 'or later'
> applies"). Neither the proposed "GPL-2.0-only" nor "GPL-2.0+" correctly
> represents the information they have. Tools will have to output *something*,
> and whatever they produce will dilute in *practice* the strict meanings of
> those license identifiers.

David,

Speaking as the author of a fine license detection engine, I think
this is a red herring.

A license detection result can be: "I am 95% sure this is GPL-2.0-only
but it could be GPL-2.0+: please review me to fill in your
conclusion."

So detection does not have to be binary as in either 100% right or
100% wrong. If a tool can only report red or blue binary results,
that's a possibly fine but weak tool.

For instance scancode-toolkit can cope with ambiguity alright and
surface this for review when it cannot come up with a definitive
detection answer. Therefore I have no issue whatsoever implementing
Jilayne's comprehensive proposal and I can always output something on
my side.

So since this can be done by one tool alright this is NOT an issue for
the SPDX spec to worry about and tools should adjust: that's for tools
implementors to cope with ambiguity, not something to specify here.

Please let's keep this spec simple!

--
Cordially
Philippe Ombredanne
