Greetings,

Over at Red Hat, we've been gradually increasing our support of the
use of "SPDX-License-Identifier:" in source files for various reasons.

We've encountered some situations where a traditional project practice
might be to insert a GPL license notice at the top of a file, perhaps
following a copyright notice, where the contents of the file are of
dubious copyrightability, and where there is an important policy
(perhaps more significant now than in the past) in avoiding any
contribution of support to the idea that such material is, or ought to
be, copyrightable. (I'm using "copyrightable" a little loosely here,
as we often do in open source, in a way that might also encompass, for
example, situations where the contents are strictly speaking likely
copyrightable but also likely subject to a noninfringement defense of
some sort for essentially all users.)

As one example, though not necessarily the most interesting one, think
of the default form of a configuration file that might be installed
with a particular package. (Such configuration files actually tend not
to have license notices, but occasionally they do.)

In such situations there may also be significant value in preserving
the traditional practice of including the GPL (or other) license
notice. Thus for example using a public domain approximation like CC-0
or the Unlicense or what have you is not particularly helpful.

We've been thinking one useful approach to take in such cases is to
say something like the following:

// The content of this file is such that this file may not need a license.
// But, if this file does need a license, the license is:
// SPDX-License-Identifier: GPL-2.0-or-later

At any rate, that's what we're trying to get across. The problem is
that the SPDX-License-Identifier expression there by itself does not
express the notion of "if needed" or "not sure". Even apart from that,
the bare use of GPL-2.0-or-later in this example seems inappropriate
from an SPDX standpoint since it does not accurately reflect the legal
intent being expressed in the file.

NOASSERTION (I gather not normally used with SPDX-License-Identifier:
) does not seem to adequately capture what we're trying to express
here. Nor something like the possibly-nonsensical "GPL-2.0-or-later OR
NOASSERTION".

We were thinking one possibility would be to define an exception
(worded similarly to the example statement above) that would express
the "not sure/if needed" concept, and could be used with the baseline
license identifier using the WITH expression. Imagine if SPDX accepted
this as an exception identifier called "If-Needed":

SPDX-License-Identifier: GPL-2.0-or-later WITH If-Needed

But this sort of identifier would depart from the model that I think
SPDX has assumed thus far in recognizing exceptions, which is the
FSF-popularized notion of "additional permission" exceptions. (See
https://github.com/spdx/spdx-spec/issues/153)

Does anyone have any suggestions/reactions to this issue?

Richard