Re: Combined version of LGPL + GPL 3.0

Philippe Ombredanne

Dear Sebastian, Max:

On Wed, Jul 28, 2021 at 7:03 PM Sebastian <seabass-labrax@...> wrote:

- Users of REUSE would simply need to download LGPL-3.0 via the REUSE
tool. The tool fetches the SPDX License List's text, including with
the optional sections. As a result, no further action would be needed
to comply with the LGPL's condition that the GPL be included.
That's the source of the issue. License texts in SPDX have never been
designed to be used as a reference for attribution. This is
unfortunately commonly done but ends up more often than not with
garbled text because of the extra adornments, templating, commentaries
or placeholders present in SPDX texts.
MO, this should be clarified on the SPDX web site to avoid this trap.

The problem is simply that REUSE should not reuse the SPDX texts but
instead use its own reference texts. For instance, on my side we
maintain our own reference texts in ScanCode and AttributeCode for
attribution, and these texts have been cleaned from SPDX adornments,
comments, placeholders and similar.

Alternatively SPDX could add a new reference text for each tracked
license (when it differs from the existing text) which would be a
useful public service and would avoid the confusion we have today.
There you could have an LGPL+GPL thing, best combined with some extra
statement to clarify what the GPL text means here. And REUSE could
then use this alright

- License scanning tools following the SPDX License Matching Guidelines
would not be affected: as the entire GPL section is surrounded by
<optional> tags, existing occurrences of the LGPL text would still be
matched as LGPL, as has been the case thus far.
If you have a file that contains only the full text of the LGPL and
the full text of the GPL there is no way to disambiguate, matching
guidelines or not. This would throw off matching tools in a trap that
would entice them to return misleading results (possibly skipping
entirely the GPL) when using SPDX guidelines. Not sure we want this.

No tool could determine if we have these licenses:
- the LGPL with GPL text included for use in LGPL, e.g. a GPL with an
LGPL exception
- the LGPL AND the GPL separately, e.g. GPL with an LGPL exception AND a GPL

You need an extra statement, declaration, or notice to this effect.

You cannot even use an SPDX expression for this for now.
How could you sanely express something such as: "the text below is a
combination of the LGPL and GPL texts, but the license we meant to
document here is really only the LGPL. We included the GPL text
because it is included by reference in the LGPL and should be included
for redistribution".

In hindsight the LGPL is a bad FOSS license text design since one must
include another text but the license does not include it by default.
It helps nobody: not the software authors, not the users, not
redistributors, nobody. It just requires extra busy work from everyone
involved and is a source of head scratching and doubt at best. It
could have been because programmers felt it was OK to "import" a
license text in another license text .... but a license text is not
software code. We have to deal with this mess, let's not make it
worse. I feel that the only sane thing at this stage would be to
requalify the LGPL-3.0 correctly as an exception to the GPL because
this is it.

Philippe Ombredanne
license texts janitor

Join { to automatically receive all group messages.