Re: remove recommendation re: standard license headers

Home Messages Hashtags Subgroups

#3041

Re: remove recommendation re: standard license headers

Neal Gompa #3041 On Sun, Nov 14, 2021 at 9:35 PM Warner Losh <imp@...> wrote: On Sun, Nov 14, 2021 at 1:41 PM Sebastian Crane <seabass-labrax@...> wrote: Dear Jilayne, Now that SPDX ids are used more widely and we know a bit more about how scanning tools identify license headers in total - I think we can remove this section altogether. I don't think SPDX needs to make a statement either way and projects can make their own call, as we've seen with the Linux kernal and other projects. I'd completely agree with your appraisal here. Personally, I prefer to use just the SPDX license headers. I imagine that, in some cases, having both could be confusing - for example, if someone copied the standard license header for the GPLv3 "or (at your option) any later version", but also wrote SPDX-License-Identifier: GPL-3.0-only at the top of the file. Of course, if anyone does want to use both, the standard license header text will still be on the SPDX License List website. Perhaps we should recommend that any policy about the license marking of files should address this. FreeBSD's policy will likely state that the actual boiler plate license text in the file is controlling when both are present and the SPDX-License-Identifier doesn't match the prose grant. I'd personally rather we didn't even make the appearance of a recommendation that SPDX-License-Identifiers are suitable replacements for standard license headers. Especially with licenses that declare how you're supposed to leverage a license for your software, this can be highly problematic. My personal feeling is that everyone who uses SPDX-License-Identifier as a replacement for proper license headers is doing a disservice to themselves, the community at large, and everyone who uses and and consumes that code. When code travels (e.g. Linux drm/ -> FreeBSD), it's super-easy for compliance and understanding to be missed because you've gutted the important information from the code itself. This also makes it difficult for the spirit and intent of licenses to be conveyed because you're reducing them to something that they're not: some checkbox somewhere. Moreover, you've effectively eliminated how people learn about the licenses the code uses. Older licenses like BSD and MIT flavors are designed to be short enough to be embedded in the source. Newer licenses like MPL, GPL, and ASL are both too large for that, so these licenses have a preferred method of indicating that code follows those terms. Not following those adds too much ambiguity and weakens the importance of conveying the intent and spirit of these licenses. If we were to have any recommendation, I would say the SPDX-License-Identifier is a machine-parseable supplement to the standard header, not a replacement. This is also how my workplace uses them. -- 真実はいつも一つ！/ Always, there's only one truth!
More All Messages By This Member

View All 19 Messages In Topic

#3041

Join {Spdx-legal@lists.spdx.org to automatically receive all group messages.

Home Hashtags Subgroups Terms