Re: update on only/or later etc.


Philippe Ombredanne
 

On Mon, Nov 27, 2017 at 5:55 PM, Wheeler, David A <dwheeler@...> wrote:
> No tool can guarantee that it always determines if "or any later version" applies.
> Certainly not licensee, which is the tool used automatically by GitHub.
> Indeed, licensee generally only looks at the LICENSE file - it doesn't even *try*
> to parse the README file (which it could only do imperfectly anyway).
>
> Oh, and for many developers, the license output from licensee is the *only*
> SPDX data they'll see, because GitHub does that analysis automatically for them
> when they view a project (they don't have to run a tool). I'd love to see
> licensee improved, but most developers have ZERO interest in all the details
> of a SPDX file anyway; they just want the license expression, and that's it.
> In many places, the *developers* choose the libraries that will be used;
> there are no lawyers to double-check anything.

OK, so GH licensee does not even make a serious attempt at providing
accurate information and instead returns half-baked partial license
information. Despite all the good intentions, I find it quite
irresponsible to then promote this tool globally on a site with such a
viewership.

If this were a C compiler this would be akin to saying: I will ignore the
function definitions from your header .h files. Once in a while I will
compile a program that may run, though it may not run as you expected.
Often I will crash and now and then I will just destroy your hard
drive. But bear with me and use me anyway, I am "good enough".

I just hope none would use such a tool to further propagate this
half-baked misinformation when better tools exist out there. I am all
for "good enough" but good enough is only good enough when there is at
least __enough of the good__: otherwise this is counterproductive and
dangerous especially when widely promoted.

--
Cordially
Philippe Ombredanne
