Re: [spdx-tech] An example of a super simple SPDX licenses registry, for discussion

Richard Fontana

This sounds appealing to me (if I'm understanding it correctly). From
Red Hat's perspective one of the great impracticalities of SPDX has
been that, after many years of SPDX's existence, its adopted
identifiers still represent only a small portion of the licenses
encountered in much of the the software we encounter in our product
and project development. I think there are a few problematic reasons
for this aside from the fact that curating the SPDX license list is a
lot of work. Use of "LicenseRef" (not to mention something like
NOASSERTION) is a nonstarter for the use cases we are most interested
in. What we've actually done in some cases is use the nonstandard
identifiers created by nexB.

Indeed I recently complained about the use of NOASSERTION in
ClearlyDefined: The issue
that partly inspired this was one involving the former Facebook React
license which is still widely encountered ( ).


On Sun, Mar 10, 2019 at 12:44 PM via Lists.Spdx.Org
<> wrote:

I love the idea of being able to easily represent arbitrary licenses with SPDX identifiers. We use a number of SPDX based license expression tools and all of them require that the leaf nodes in an expression be valid identifiers. Using LicenseRef is cool but essentially defers the identity problem. Namespacing is a common approach to distributing the problem and enabling different communities to evolve at their own pace. This happens very often for us when we encounter novel licenses in some of the many 000s of components we use. Today we have to either say NOASSERTION or spoof up a LicenseRef.

The downside with namespacing is that two namespaces can easily end up with different identifiers for the same license. We'd be incrementally better off but still faced with a logic problem (e.g., are LicenseRef-ns1-Foo and LicenseRef-ns2-Bar the same or different). Since we often use multiple tools, each having its own namespace, make it quite hard to reason about results.

Theoretically there could be a central registry where interested parties could instantly discover names for license texts and register new license texts and give them names. Then a new tool vendor/user, encountering a "new" license would first consult the registry to see if that text has already been allocated a name. Still some gaps but perhaps incrementally better.

IMO the "ideal" here is that there is some automated way of "fingerprinting" license texts such that two parties, given more or less the same text, can independently come up with the same id. At that point you would not need a registry, just a shared algorithm. When/if eventually SPDX does recognize a given license and gives it a formal id, there could be a relatively simple aliasing step where SPDX id "SomeCoolLicense-1.0" is AKA "LicenseRef-43bdf298"

Finally, if the SPDX license list was a) less opinionated as to what can be identified and b) very fast at adding new entries, the bulk of the issue we see would go away.


-----Original Message-----
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Philippe Ombredanne via Lists.Spdx.Org
Sent: Thursday, March 7, 2019 9:44 AM
To: SPDX-legal <spdx-legal@...>
Cc: Spdx-tech@...
Subject: [spdx-tech] An example of a super simple SPDX licenses registry, for discussion


Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! -;;sdata=iEQcHYltCN0uba4t1KwF5WvfGmPRB0RSZxGEjQH%2FYd4%3D&amp;reserved=0
AboutCode - Open source for open source -;;sdata=dBq66UPR0wShGDO0SNmM06x0geoU5pABTj1Gjus0%2FsY%3D&amp;reserved=0
nexB Inc. -;;sdata=sGjYB7p6aHw7Ag11XKkodFq%2BbDEeoaZlMmSsUrFbcOM%3D&amp;reserved=0

Richard Fontana
Senior Commercial Counsel
Red Hat, Inc.

Join to automatically receive all group messages.