Re: [spdx-tech] An example of a super simple SPDX licenses registry, for discussion


Jeff McAffer <Jeff.McAffer@...>
 

I love the idea of being able to easily represent arbitrary licenses with SPDX identifiers. We use a number of SPDX based license expression tools and all of them require that the leaf nodes in an expression be valid identifiers. Using LicenseRef is cool but essentially defers the identity problem. Namespacing is a common approach to distributing the problem and enabling different communities to evolve at their own pace. This happens very often for us when we encounter novel licenses in some of the many 000s of components we use. Today we have to either say NOASSERTION or spoof up a LicenseRef.

The downside with namespacing is that two namespaces can easily end up with different identifiers for the same license. We'd be incrementally better off but still faced with a logic problem (e.g., are LicenseRef-ns1-Foo and LicenseRef-ns2-Bar the same or different). Since we often use multiple tools, each having its own namespace, make it quite hard to reason about results.

Theoretically there could be a central registry where interested parties could instantly discover names for license texts and register new license texts and give them names. Then a new tool vendor/user, encountering a "new" license would first consult the registry to see if that text has already been allocated a name. Still some gaps but perhaps incrementally better.

IMO the "ideal" here is that there is some automated way of "fingerprinting" license texts such that two parties, given more or less the same text, can independently come up with the same id. At that point you would not need a registry, just a shared algorithm. When/if eventually SPDX does recognize a given license and gives it a formal id, there could be a relatively simple aliasing step where SPDX id "SomeCoolLicense-1.0" is AKA "LicenseRef-43bdf298"

Finally, if the SPDX license list was a) less opinionated as to what can be identified and b) very fast at adding new entries, the bulk of the issue we see would go away.

Jeff

-----Original Message-----
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Philippe Ombredanne via Lists.Spdx.Org
Sent: Thursday, March 7, 2019 9:44 AM
To: SPDX-legal <spdx-legal@...>
Cc: Spdx-tech@...
Subject: [spdx-tech] An example of a super simple SPDX licenses registry, for discussion

See https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FnexB%2Fspdx-license-namespaces-registry%2F&;data=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901&amp;sdata=Gcu7ZaKsKtp%2BfMyorZpkfTKDQpm0zDg%2BxdkjOYD4bag%3D&amp;reserved=0
and https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FnexB%2Fspdx-license-namespaces-registry%2Fpull%2F1&;data=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901&amp;sdata=GXODPG2zqT2uiVCI1Z84ZNQG85QpfEjcvvsA9oZQp5U%3D&amp;reserved=0

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! - https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.dejacode.com&;data=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901&amp;sdata=iEQcHYltCN0uba4t1KwF5WvfGmPRB0RSZxGEjQH%2FYd4%3D&amp;reserved=0
AboutCode - Open source for open source - https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.aboutcode.org&;data=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901&amp;sdata=dBq66UPR0wShGDO0SNmM06x0geoU5pABTj1Gjus0%2FsY%3D&amp;reserved=0
nexB Inc. - https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nexb.com&;data=02%7C01%7CJeff.McAffer%40microsoft.com%7Cd58f7f9edbbe4e4ee95d08d6a3249aba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636875774948859901&amp;sdata=sGjYB7p6aHw7Ag11XKkodFq%2BbDEeoaZlMmSsUrFbcOM%3D&amp;reserved=0

Join Spdx-legal@lists.spdx.org to automatically receive all group messages.