On Tue, 2018-12-11 at 19:09 -0800, Bradley M. Kuhn wrote:

Michael Dolan wrote earlier today:

Where would you insert this to create correct SPDX data for
Linux"? What is the current "SPDX data for Linux" that is
incorrect?

How do you describe the license of someone's copyrighted material who
has granted the KES additional permission using SPDX syntax without
"KES-Exception"?

It's still legally and accurately describable as the actual licence
absent the WITH, surely ... that's the point of additional permissions:
they're strippable.

Just a quick click-around tour of cregit (which you linked to
earlier, Mike):

* Assuming cregit's accurate -- I found lots of code that I could
lift from there and label as "GPL-2.0-only WITH KES-Exception".

Adding some 15 minute shell scripting against Linux's Git tree
showed:

* Many files that currently say: "SPDX-License-Identifier: GPL-
2.0" at the top, where both `git blame` and cregit report that
most contributors have actually licensed "WITH KES-Exception",
not just GPL-2.0.

I really don't think we should ever advocate that people do the above
because it's really not safe and thus the licence tags you've derived
aren't reliable.

Cregit, being token based, is certainly one of our best tools, but it's
not definitive: Thomas Gleixner used it as one of the tools to help
derive licences in the kernel in the recent several month long SPDX
addition exercise. The reason it took so long is because there's a lot
of painstaking research involved in licence determination because no
one tool does it all. There's even more research involved in author
determination.

Git blame should never be relied on for copyright attribution because
it works at the line level not the token level, so, for example, the
original author of a line gets replaced by a person who does a later
whitespace or other cosmetic change, which produces a completely
incorrect idea of the authorship of a file.

James