Re: [spdx-tech] A proposal for SPDX Private License Identifiers. Example: .com.amazon.-.ASL-2.0


Kate Stewart
 



On Tue, Feb 5, 2019 at 2:45 PM Schuberth, Sebastian <sebastian.schuberth@...> wrote:
> > In text use:  SPDX-License-ID: LicenseRef-.com.amazon.-.ASL-2.0
> >
> > Then if someone shipping a SBOM with the information in it
> > and wanted to record the license contents as well, they could cut/paste
> > into the document.
> >
> > LicenseID: LicenseRef-.com.amazon.-.ASL-2.0
> > LicenseName: Amazon Software License version 2.0
> > ExtractedText: <text>
> > insert here info
> > </text>
> >
> > and still be able to represent the known state of the source code without
> > relying completely on the web sites to stay stable over time.
> >
> > Thoughts?
>
> Well, my immediate thought was that this combination of dots and dashes looks *very* awkward. Why not just "LicenseRef-com.amazon-ASL-2.0"? That would also go nicely with Philippe's approach to use a "scancode" namespace for ScanCode-specific license findings that have no SPDX identifier: In this case the namespace would be "com.amazon", i.e. the reverse domain just like in a Maven group name, to denote an Amazon-specific license.

Hi Sebastian,
   That's pretty much where we ended up on the call.

LicenseRef-<namespace>-<shortform>

We also ended up discussing where SPDX documents with these LicenseRefs
could be defined, so others could access them without depending on ad hoc vendor web sites.

The preliminary discussion idea is to have an SPDX doc of LicenseRefs logged
at github.com/spdx/namespaces/namespace in addition to other options that
vendors may want to provide.

Since this is of interest to legal as well as technical, the thinking is to talk about this on the general call on Thursday, if time permits.

Kate
