Re: Use of exception to communicate legal ambiguity
Steve Winslow
Hi Richard,
Thanks for sharing this question. I've been mulling it over and don't have a good answer, so here instead are a few disjointed thoughts.
My main hesitation with an "If-Needed-exception" (assuming there was specific wording, etc. that it was tied to) is that I'm wondering if that isn't already inherent in any license statement in the first place.
If a work of "dubious copyrightability" contains any license notice, MIT or GPL or whatever, that's telling the recipient that they are permitted to use (or copy, or modify, or distribute...) the work under that license. The recipient might determine that the rights granted by that license are not actually necessary, given the nature of the work. The recipient determines that they won't infringe any exclusive rights by making use of the work even without the license. The presence of the license statement doesn't affect this; nor would the presence of a license statement tied to an "if this work needs a license, here it is" notice.
So in the example you mentioned, I tend to think that the SPDX license expression is accurately described as:
// SPDX-License-Identifier: GPL-2.0-or-later
I do take your point, though, that there could be value in capturing the "legal intent being expressed in the file" that a particular file or work might not need a license. So I could be persuaded that I'm wrong here.
Steve
On Tue, Nov 23, 2021 at 1:56 PM Richard Fontana <rfontana@...> wrote:
Greetings,
Over at Red Hat, we've been gradually increasing our support of the
use of "SPDX-License-Identifier:" in source files for various reasons.
We've encountered some situations where a traditional project practice
might be to insert a GPL license notice at the top of a file, perhaps
following a copyright notice, where the contents of the file are of
dubious copyrightability, and where there is an important policy
(perhaps more significant now than in the past) in avoiding any
contribution of support to the idea that such material is, or ought to
be, copyrightable. (I'm using "copyrightable" a little loosely here,
as we often do in open source, in a way that might also encompass, for
example, situations where the contents are strictly speaking likely
copyrightable but also likely subject to a noninfringement defense of
some sort for essentially all users.)
As one example, though not necessarily the most interesting one, think
of the default form of a configuration file that might be installed
with a particular package. (Such configuration files actually tend not
to have license notices, but occasionally they do.)
In such situations there may also be significant value in preserving
the traditional practice of including the GPL (or other) license
notice. Thus for example using a public domain approximation like CC-0
or the Unlicense or what have you is not particularly helpful.
We've been thinking one useful approach to take in such cases is to
say something like the following:
// The content of this file is such that this file may not need a license.
// But, if this file does need a license, the license is:
// SPDX-License-Identifier: GPL-2.0-or-later
At any rate, that's what we're trying to get across. The problem is
that the SPDX-License-Identifier expression there by itself does not
express the notion of "if needed" or "not sure". Even apart from that,
the bare use of GPL-2.0-or-later in this example seems inappropriate
from an SPDX standpoint since it does not accurately reflect the legal
intent being expressed in the file.
NOASSERTION (I gather not normally used with SPDX-License-Identifier:
) does not seem to adequately capture what we're trying to express
here. Nor something like the possibly-nonsensical "GPL-2.0-or-later OR
NOASSERTION".
We were thinking one possibility would be to define an exception
(worded similarly to the example statement above) that would express
the "not sure/if needed" concept, and could be used with the baseline
license identifier using the WITH expression. Imagine if SPDX accepted
this as an exception identifier called "If-Needed":
SPDX-License-Identifier: GPL-2.0-or-later WITH If-Needed
But this sort of identifier would depart from the model that I think
SPDX has assumed thus far in recognizing exceptions, which is the
FSF-popularized notion of "additional permission" exceptions. (See
https://github.com/spdx/spdx-spec/issues/153)
Does anyone have any suggestions/reactions to this issue?
Richard