Re: SPDX-License-Identifier for composite-licensed source files

J Lovejoy

On Dec 12, 2019, at 9:48 AM, Kate Stewart <kstewart@...> wrote:

Hi Richard,
    I suspect the others will comment as well,  but 
I would hope to see 
"SPDX-License-Identifier: MPL-2.0 AND Apache-2.0"
as a summary. 

Agree. And also agree with Richard’s comment about avoiding legal interpretations. When you say that the license is “X AND Y” you are saying both licenses apply. Which is the fact for this file. You are not saying  whether those licenses are compatible (or what one does if they are incompatible) - that would be a legal interpretation.  You are merely reporting what is in the file. 

The second approach may become ambiguous to scanners
as they may try to treat it as an "OR",  and I believe that
"AND" is truer to the intention here.

The second approach is also not an SPDX license expression as defined in the spec, so that’s also problematic when used with “SPDX-License-Identifier” (I think)



On Thu, Dec 12, 2019 at 10:30 AM Richard Fontana <rfontana@...> wrote:
Suppose you're dealing with the following source file legal notice
(example taken from,
itself adapted from the examples discussed by SFLC in this old paper:

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at
 * This file incorporates work covered by the following copyright and
 * permission notice:
 *   Copyright 2013 Joe Bloggs
 *   Licensed under the Apache License, Version 2.0 (the "License");
 *   you may not use this file except in compliance with the License.
 *   You may obtain a copy of the License at
 *   Unless required by applicable law or agreed to in writing, software
 *   distributed under the License is distributed on an "AS IS" BASIS,
 *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *   See the License for the specific language governing permissions and
 *   limitations under the License.

Is there a recommended approach to translating this to use
SPDX-Liense-Identifier strings?

One possibility might be:

/* Copyright 2013 Joe Bloggs
 * SPDX-License-Identifier: MPL-2.0 AND Apache-2.0

This approach represents all the copyright and license information in
the original file without making the legal judgment that is implicit
in the original notice (as to the legal effect of one-way
compatibility of the Apache License 2.0 with MPL 2.0), beyond possibly
what someone might choose to infer from the mere ordering of the
conjunctive set of licenses. But it gives the possibly-false
impression that Joe Bloggs is the sole or, in some sense, primary
copyright owner of the code in the file, which results in part from
the absence of a copyright notice for the MPL licensor(s).

Another possibility might be:

/* SPDX-License-Identifier: MPL-2.0
 * This file incorporates work covered by the following copyright
notice and license:
 *   Copyright 2013 Joe Bloggs
 *   SPDX-License-Identifier: Apache-2.0

This is closer to the original, and provides the same opinion on the
licensing consequence of the "incorporation" of the Apache License 2.0
code, but whether that is good or bad I'm not sure. (As I understand
it there's a theme in SPDX of attempting to avoid making legal
judgments.) But it has a verbosity that I would think goes against the
whole spirit of using the SPDX-License-Identifier construct.

What's the best practice for source files of this sort, containing
code under multiple licenses where there is some notion of code under
the more permissive license being subsumed under the more restrictive
license of incorporation?


Join to automatically receive all group messages.