On Fri, Nov 24, 2017 at 10:33 PM, Wheeler, David A <dwheeler@...> wrote:
> Philippe Ombredanne [mailto:pombredanne@...]
> David A. Wheeler:
> To answer that question, "it's at least GPL-2.0, and might be more"

I understand your point, but __how many times__ did you ever encounter
this case in the real world?
On my side, I have analyzed 1000+ significant software products,
10,000+ packages and billions of line of code over the last 10 years.
An issue of Apache-2.0 compatibility with the GPL-2.0 has never shown
up: zero cases, not one single time.
I am not saying it does not exist in theory, but in practice this is a
rare case that is exceptional enough and therefore best left aside.
> On the other hand, there are many other cases where it's not important.

My point is that it is so rare that it is NOT important at all to
track in the license expression spec.
This can be dealt with in comments, and anything else but not within a
license expression syntax. There are likely tens of other crooked use
cases that cannot be expressed precisely with a license expression,
yet they are too rare to consider.
>> Making this careful decision solely on the few characters of a license
> Not at all. What matters in many circumstances is just being able to show

Are you serious there? Where in the actual real world is anyone
looking after "being able to show some sort of due diligence" and
considering this enough? That does not sound reasonable. Who does this? I
would have a field day looking at such a codebase.
> In many cases, the "usual" situation is to copy & paste code, regardless of license or legality.

Where do you get that the "usual" situation is to copy & paste code?
Based on my long experience, copy/paste of snippets is a rare event
and usually accounts for only a handful of items even in very large
And it is even rarer that license or origin was not tracked then. This
is not the norm I have experience with: I have only ever met a couple of
confused software development teams doing serious copying of un-tracked
> I *heartily* endorse that work, thank you!

Now, I could not agree more with you: inaccurate and unclear licensing

> But for every license you add,

Really, do you have data to back this? Note also we should not care if
"someone creates another project with unclear licensing".
We should care if someone creates another project with unclear
licensing that someone actually uses in the real world.
The hypothetical cases of goofy licensing of unused software are not
> The *real* root causes are going to be difficult to fix:

I cannot comment on these or I would come out as rude: I have no idea
where these arguments come from and what data could support any of
I guess they are at best opinions, but cannot be used as a supporting point
for a serious argument.
> You can fix a few egregious cases with tickets, and please do.

What if this is not a few tickets but a million? This can be
crowd-sourced and distributed with appropriate leverage.
Case in point: the Linux kernel is a large and mature codebase at the
bottom of a vast ecosystem of code that runs on top of Linux.
With the work Kate and I did to help maintainers adopt SPDX ids, we now have:
1. about ~15K'ish files with a proper SPDX id
2. doc and guidance for incoming patches that has been created by some
This is something that is being adopted by thousands of contributors
and will spill over onto the whole ecosystem. And this will require only
marginal effort going forward, and these efforts are distributed across all
committers and contributors. That's leverage to me.
>> It surely could (NB: it does not yet). That's a minor change.
> That's not a standard SPDX license expression.

Since when are "GPL-2.0-only" and "((GPL-2.0-only or GPL-2.0+) and MIT)"
not valid expressions?
> SPDX license expression syntax could add a "confidence" value - but that's

I am not indeed.
> Why not just a simple expression that indicates uncertainty of new versions?

This is not common enough to warrant such addition until someone can
> Oh, I *understand* the proposal very well. The problem is that

If there is such a tool, then it should either be updated or not used at all.
> They *CAN* determine if a copy of the GPL-2.0 exists.

If I reformulate this: There are tools that do a poor job at providing
proper results. Therefore, the spec should provide a way to support
their lack of feature? This does not make sense to me. They should
instead either adapt or die if they are not fit for the job.
>> Why would "GPL-2.0-only" suddenly be meaning anything else than its
> The result: "GPL-2.0-only" WILL NOT mean "2.0 only" no matter how much

I cannot understand your reasoning here.