Re: SPDX files as templates

VM (Vicky) Brasseur

I'd rather go inline with my reply, but as Outlook has Opinions™ about the format of replies…then top-posting it is.

I've frequently seen people copy the .txt of the licenses then drop that into a LICENSE file in their repos. I've seen them do similar things with the license texts on the OSI site. It's happening and we can't (and shouldn't) stop that, IMO. We could, perhaps, even find ways to make it easier.

Part of that may include removing names from copyright notices, but I feel we probably should do that anyway. _WE_ know that the copyright line needs to be changed, but most people don't. They know "license text > LICENSE > put in repo > done" if they know anything at all about this stuff. Not to fault them; it's just not something most people teach so folks make assumptions.

The Contributor Covenant Code of Conduct is an example of this sort of thing happening in real life. Project maintainers copy that text, drop it into a file in a repo, then call it a day. They never really read far enough to reach the part where they need to enter an email address where people can report CoC violations. So now we have a lot of CoCs in project repositories…but no way to tell anyone about bad behaviour. That's one way to ensure low CoC report stats, I guess…



VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US

-----Original Message-----
From: <Spdx-legal@...> on behalf of "J Lovejoy via" <>
Reply-To: "opensource@..." <opensource@...>
Date: Tuesday, November 16, 2021 at 10:19
To: SPDX-legal <Spdx-legal@...>
Subject: SPDX files as templates

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.

Hi all,

This is a topic that came up some time ago (I think by way of the Reuse folks) and I’ve been meaning to raise it in a separate thread.

SPDX has a lot of license data by way of the SPDX License List and associated tooling and files. Some people are using that data to grab license text for as a kind of license template (as I understand it, but correct my terminology as need be!) There were some opinions expressed that this is a bad idea - I’m not sure why.

The licenses for the SPDX License List are stored in two formats in the main repo: the XML format which applies some of the matching guidelines and other formatting and a plain .txt file. I believe it is the latter that some people may be using for the above scenario. For example, if someone wants to use the MIT license, for example, why wouldn’t they simply pull it from;;sdata=%2FSkXawBuqCLJwdEKtR9lS1OTYUBEFlKe%2BJWNDA8tPB8%3D&amp;reserved=0 ?

I am wondering if I have the scenario correct or are there other scenarios like this?
And if I’m pointing to where people are pulling the text from (or are other places being used? hopefully not the XML files or scraping the website!)

Relatedly, we have had requests to remove specific names in copyright notices so as to avoid anyone using the wrong notice. From an SPDX matching guidelines perspective, what name exists in the copyright notice does not matter, as that is not “matchable” text for the purposes of matching a license. I would also point out that anyone using the .txt files as a copy of the license for their own code, would *always* need to update the copyright notice - whether it has some other name or simply “author”. In any case, I don’t see this as a reason not to use the .txt files of the license text for other purpose outside of SPDX. And it’s fine for us to change those copyright notices to generic “author” or “name” if that helps.



'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.'

Join { to automatically receive all group messages.