Re: remove recommendation re: standard license headers

Neal Gompa

On Sun, Nov 14, 2021 at 9:35 PM Warner Losh <imp@...> wrote:

On Sun, Nov 14, 2021 at 1:41 PM Sebastian Crane <seabass-labrax@...> wrote:

Dear Jilayne,

Now that SPDX ids are used more widely and we know a bit more about
how scanning tools identify license headers in total - I think we can
remove this section altogether. I don't think SPDX needs to make a
statement either way and projects can make their own call, as we've
seen with the Linux kernel and other projects.

I'd completely agree with your appraisal here. Personally, I prefer to
use just the SPDX license headers. I imagine that, in some cases, having
both could be confusing - for example, if someone copied the standard
license header for the GPLv3 "or (at your option) any later version",
but also wrote SPDX-License-Identifier: GPL-3.0-only at the top of the
file. Of course, if anyone does want to use both, the standard license
header text will still be on the SPDX License List website.

Perhaps we should recommend that any policy about the license marking
of files should address this. FreeBSD's policy will likely state that the
actual boilerplate license text in the file is controlling when both are present
and the SPDX-License-Identifier doesn't match the prose grant.

I'd personally rather we didn't even make the *appearance* of a
recommendation that SPDX-License-Identifiers are suitable replacements
for standard license headers. Especially with licenses that declare
*how* you're supposed to leverage a license for your software, this
can be highly problematic.

My personal feeling is that everyone who uses SPDX-License-Identifier
as a replacement for proper license headers is doing a disservice to
themselves, the community at large, and everyone who uses and
consumes that code. When code travels (e.g. Linux drm/ -> FreeBSD),
it's super-easy for compliance and understanding to be missed because
you've gutted the important information from the code itself. This
also makes it difficult for the spirit and intent of licenses to be
conveyed because you're reducing them to something that they're not:
some checkbox somewhere. Moreover, you've effectively eliminated how
people learn about the licenses the code uses.

Older licenses like BSD and MIT flavors are designed to be short
enough to be embedded in the source. Newer licenses like MPL, GPL, and
ASL are all too large for that, so these licenses have a preferred
method of indicating that code follows those terms. Not following
those adds too much ambiguity and weakens the importance of conveying
the *intent* and *spirit* of these licenses.

If we were to have any recommendation, I would say the
SPDX-License-Identifier is a machine-parseable supplement to the
standard header, not a replacement. This is also how my workplace uses them.

真実はいつも一つ!/ Always, there's only one truth!
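As an added illustration of the mismatch Sebastian describes (a GPL-3.0-only identifier above a header that says "or (at your option) any later version") and of the FreeBSD-style rule Warner mentions (the prose grant controls when the two disagree), here is a small Python checker. It is example code written for this page, not an SPDX project tool or anything from the thread's authors, and its scope is deliberately narrow: it recognises only GNU-family boilerplate, compares exact SPDX identifiers (a compound expression such as "GPL-2.0-only OR MIT" is simply reported as a mismatch for human review), and every sample header below is constructed for the demonstration.

```python
"""Cross-check an SPDX-License-Identifier tag against the GNU license
boilerplate in the same file, and apply a (hypothetical) policy that the
prose grant wins when the two disagree.  Example code, not an SPDX tool."""
import re
from typing import Optional

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([^\r\n]+)")
# "GNU <family> Public License ... version N[.M]" within a short window,
# so wrapped, comment-prefixed headers still match once flattened.
GNU_RE = re.compile(
    r"GNU (Affero General|Lesser General|Library General|General) Public License"
    r".{0,200}?version\s+(\d+(?:\.\d+)?)",
    re.IGNORECASE,
)
LATER_RE = re.compile(r"any later version", re.IGNORECASE)
FAMILY = {"general": "GPL", "lesser general": "LGPL",
          "library general": "LGPL", "affero general": "AGPL"}


def _flatten(text: str) -> str:
    """Strip comment leaders (#, //, /*, *) and fold the file onto one line."""
    parts = [line.strip().lstrip("#/*").strip() for line in text.splitlines()]
    return re.sub(r"\s+", " ", " ".join(parts)).strip()


def spdx_identifier(text: str) -> Optional[str]:
    """Return the raw SPDX expression from the tag line, or None if absent."""
    m = SPDX_RE.search(text)
    if not m:
        return None
    # a closing comment delimiter on the same line is not part of the expression
    return m.group(1).split("*/")[0].split("-->")[0].strip()


def prose_grant(text: str) -> Optional[str]:
    """Derive the SPDX id implied by the GNU boilerplate, or None if absent."""
    flat = _flatten(text)
    m = GNU_RE.search(flat)
    if not m:
        return None
    family = FAMILY[m.group(1).lower()]
    version = m.group(2) if "." in m.group(2) else m.group(2) + ".0"
    # the "or (at your option) any later version" clause is what distinguishes
    # -or-later from -only; look for it just after the version number
    later = LATER_RE.search(flat[m.end():m.end() + 200])
    return f"{family}-{version}-{'or-later' if later else 'only'}"


def check_file(text: str) -> dict:
    """Classify a file and pick the effective license under the prose-wins policy."""
    spdx, prose = spdx_identifier(text), prose_grant(text)
    if spdx and prose:
        status = "consistent" if spdx == prose else "mismatch"
    elif spdx:
        status = "spdx-only"
    elif prose:
        status = "prose-only"
    else:
        status = "unlicensed"
    # hypothetical policy modelled on the FreeBSD rule quoted in the thread:
    # when both are present and disagree, the boilerplate text controls
    effective = prose if prose else spdx
    return {"spdx": spdx, "prose": prose, "status": status, "effective": effective}


# Constructed sample headers (not taken from any real project file).
GPL3_HEADER = """\
/*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 */
"""
SAMPLES = {
    "consistent": "// SPDX-License-Identifier: GPL-3.0-or-later\n" + GPL3_HEADER,
    "mismatch": "// SPDX-License-Identifier: GPL-3.0-only\n" + GPL3_HEADER,
    "spdx_only": "// SPDX-License-Identifier: GPL-3.0-only\nint main(void) { return 0; }\n",
    "prose_only": GPL3_HEADER,
    "kernel_style": """\
// SPDX-License-Identifier: GPL-2.0-only
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = check_file(text)
        print(f"{name:12s} spdx={r['spdx']!s:18s} prose={r['prose']!s:18s} "
              f"status={r['status']:10s} effective={r['effective']}")
```

Run over a tree, the interesting rows are "mismatch" (someone pasted one thing and tagged another) and "spdx-only" (the header Warner wants to keep was never there); "consistent" is the state in which the tag is the machine-readable supplement Neal describes.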
