Re: update on only/or later etc.
Philippe Ombredanne:
> I think there is no contention there at all.

Respectfully: There *IS* contention. I'm contending.

> A summary (e.g. a license expression) cannot ever capture all the nuances
> of the details.... This is a lossy "compression" by construction...

Sure, but all summaries, and all models, omit something. Indeed,
a SPDX license file *also* cannot capture all the nuances.
The correct question is, "is this model adequate for its uses?"
In most cases people want to know, "is this package legal to use?".
To answer that question, "it's at least GPL-2.0, and might be more"
is important information, and I think it's information that the SPDX
license expression should include.

> Speaking as the author of a fine license detection engine, I think this is a
> red herring.
> A license detection result can be: "I am 95% sure this is GPL-2.0-only but it
> could be GPL-2.0+: please review me to fill in your conclusion."

This inability to indicate the "in-between" state within a license expression
greatly increases the number of cases where an unnecessary review must occur.
Every unnecessary review is a significant increase in time and money.
In many cases, it's *NOT* necessary to make a decision, but in some cases it is.
If organizations can do the analysis *ONLY* when they need to,
they'd save a lot of time and money... and that is greatly aided by
having SPDX license expressions able to indicate this information.

> So detection does not have to be binary as in either 100% right or 100%
> wrong. If a tool can only report red or blue binary results, that's a possibly
> fine but weak tool.

But that's what I'm saying. Most tools CAN provide more than 2 answers.
The problem is that the SPDX license expressions don't allow tools to report
more than the 2 answers within a license expression. So the tool doesn't have
to give a binary answer, but SPDX forces the tools to do so when they output
SPDX license expressions.

> For instance scancode-toolkit can cope with ambiguity alright and surface
> this for review when it cannot come with a definitive detection answer.

But it CANNOT surface this information via SPDX license expressions.
For most people, that's the ONLY thing that matters. I suspect at most 0.1% of
SPDX users use SPDX files, everyone else ONLY uses SPDX license expressions.
The percentage of SPDX users who use SPDX files may not be that high :-).

> Therefore I have no issue whatsoever to implement Jilyane's comprehensive
> proposal and I can always output something on my side.

You can always output something nonstandard that cannot be shared, sure,
and for many detailed analyses that's a good thing.
But that's less helpful for sharing compared to a standard format.

> So since this can be done by one tool alright this is NOT an issue for the
> SPDX spec to worry about and tools should adjust: that's for tools
> implementors to cope with ambiguity, not something to specify here.
> Please let's keep this spec simple!

Well, empty specs are the simplest possible :-).
Specs need to be as simple as possible... but no simpler.

There's also the long-term damage this decision will cause.
In practice, I expect failing to add this capability is going to make
"GPL-2.0-only" mean the same thing as "I saw a GPL-2.0 and I don't
know if 'or later' applies" - and as a result "GPL-2.0-only" will
NOT mean "GPL-2.0-only" as intended. The case of "I see a license
and no other information" is relatively common, and is *important*
for determining what is legal to do.

--- David A. Wheeler
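The information loss the two posters are arguing about can be made concrete. The block below is an added illustration, not code from this thread, from the SPDX project or from scancode-toolkit: it models a detector result that holds the "in-between" state (candidate SPDX ids with confidence scores, all values constructed), collapses it to the single conclusion an SPDX license expression can carry, and shows that two files with different levels of doubt become indistinguishable once only the expression is shared. The `Detection` type, the 0.99 review threshold and the sample file names are assumptions made for the example; the SPDX ids `GPL-2.0-only` and `GPL-2.0-or-later` are real.

```python
"""Lossy collapse of an ambiguous license detection into an SPDX expression.
Added illustration for the thread above; not code from SPDX or scancode-toolkit.
All detections and scores below are constructed sample data."""
from dataclasses import dataclass

# Real SPDX identifiers; everything else in this file is invented for the example.
ONLY = "GPL-2.0-only"
OR_LATER = "GPL-2.0-or-later"


@dataclass(frozen=True)
class Detection:
    """What a detector knows about one file: each candidate SPDX id with a score.

    Hypothetical type: stands in for a tool's rich, non-standard result.
    """
    path: str
    scores: dict  # spdx_id -> confidence in [0, 1]

    @property
    def best(self) -> str:
        """Highest-scoring candidate; this is all an expression can carry."""
        return max(self.scores, key=self.scores.get)

    def needs_review(self, threshold: float = 0.99) -> bool:
        """Ambiguous unless one candidate clears the (assumed) threshold."""
        return self.scores[self.best] < threshold


def to_spdx_expression(det: Detection) -> str:
    """Emit the conclusion as a license expression.

    This is the lossy step: the doubt about the runner-up is dropped here.
    Note that "GPL-2.0-only OR GPL-2.0-or-later" would NOT encode the doubt:
    in SPDX, OR means the recipient may choose either license, which is a
    stronger legal claim than "we are not sure which one applies".
    """
    return det.best


def to_review_record(det: Detection) -> dict:
    """Tool-specific record that keeps the ambiguity alongside the expression
    (the "output something on my side" route from the thread)."""
    ranked = sorted(det.scores, key=det.scores.get, reverse=True)
    return {
        "path": det.path,
        "spdx_expression": to_spdx_expression(det),
        "alternatives": ranked[1:],
        "needs_review": det.needs_review(),
    }


def distinguishable_by_expression(a: Detection, b: Detection) -> bool:
    """Can a consumer who sees only the two expressions tell the cases apart?"""
    return to_spdx_expression(a) != to_spdx_expression(b)


# Constructed sample detections.
# explicit.c: the notice literally says "version 2 only" -> unambiguous.
EXPLICIT = Detection("explicit.c", {ONLY: 1.0, OR_LATER: 0.0})
# bare.c: a "GPL-2.0" notice with no "or later" wording -> the common, unclear case.
BARE = Detection("bare.c", {ONLY: 0.95, OR_LATER: 0.05})


if __name__ == "__main__":
    for det in (EXPLICIT, BARE):
        print(to_spdx_expression(det), to_review_record(det))
    # Both collapse to GPL-2.0-only, so the expression alone hides the doubt.
    print("distinguishable:", distinguishable_by_expression(EXPLICIT, BARE))
```

Run as a script, both sample files report `GPL-2.0-only`; only the review record shows that `bare.c` still needs a human decision. A consumer that receives expressions alone therefore has to either trust every `GPL-2.0-only` or review all of them, which is the trade-off the thread is about.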