Re: Use of exception to communicate legal ambiguity

Michael Dolan

Hi Richard, one initial thought that comes to mind is there are many projects with a single LICENSE file in the main repository directory. That's despite many of the files in the repository potentially being uncopyrightable for the reasons you describe. 

Would it even be desirable to have developers going through a repository and declaring which files are subject to copyright / not subject to copyright? How could I trust that developer's (or lawyer's) review? Was that developer the original contributor? Did they make their own determination based on a potentially flawed understanding of copyright law? Which jurisdiction's copyright laws was that determination based on? Consider Oracle vs Google.

I'll throw in another potential twist. A file at a point in time may lack anything substantive subject to copyright, but someone in the future could contribute something to that file subject to copyright - and may not know to change the short identifier. 

Perhaps you can simply combine the SPDX short identifier with a comment if there's a particular reason for this? If you include the word 'license' in the comment, many of the scanners will pick it up. E.g. "A license short identifier is provided in the case the contents of this file are ever deemed subject to copyright." The scanners would presumably pick this up and flag it.

Mike Dolan
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322

On Sat, Nov 27, 2021 at 11:26 PM Luis Villa <luis@...> wrote:
On Tue, Nov 23, 2021 at 1:56 PM Richard Fontana <rfontana@...> wrote:

Over at Red Hat, we've been gradually increasing our support of the
use of "SPDX-License-Identifier:" in source files for various reasons.

We've encountered some situations where a traditional project practice
might be to insert a GPL license notice at the top of a file, perhaps
following a copyright notice, where the contents of the file are of
dubious copyrightability, and where there is an important policy
(perhaps more significant now than in the past) in avoiding any
contribution of support to the idea that such material is, or ought to
be, copyrightable. (I'm using "copyrightable" a little loosely here,
as we often do in open source, in a way that might also encompass, for
example, situations where the contents are strictly speaking likely
copyrightable but also likely subject to a noninfringement defense of
some sort for essentially all users.)

As one example, though not necessarily the most interesting one, think
of the default form of a configuration file that might be installed
with a particular package. (Such configuration files actually tend not
to have license notices, but occasionally they do.)

In such situations there may also be significant value in preserving
the traditional practice of including the GPL (or other) license
notice. Thus for example using a public domain approximation like CC-0
or the Unlicense or what have you is not particularly helpful.

We've been thinking one useful approach to take in such cases is to
say something like the following:

// The content of this file is such that this file may not need a license.
// But, if this file does need a license, the license is:
// SPDX-License-Identifier: GPL-2.0-or-later

At any rate, that's what we're trying to get across. The problem is
that the SPDX-License-Identifier expression there by itself does not
express the notion of "if needed" or "not sure". Even apart from that,
the bare use of GPL-2.0-or-later in this example seems inappropriate
from an SPDX standpoint since it does not accurately reflect the legal
intent being expressed in the file.

NOASSERTION (I gather not normally used with SPDX-License-Identifier:
) does not seem to adequately capture what we're trying to express
here. Nor something like the possibly-nonsensical "GPL-2.0-or-later OR

It seems to me that the core problem here is that there is an assertion being made— that an evaluation has been made and that the results of the evaluation is that it is public-domain-like.

I’m reminded of the original form (pre-CC0) of CC’s public domain approach (SPDX: CC-PDDC), where the ‘licensor’ could assert that “to the best of [their] knowledge, the work of authorship identified is in the public domain”, and CC’s later experiment with the Public Domain Mark, which avoids license language in favor of a rights “statement”; lots of relevant SPDX-y discussion here: 

I think you really want (in this example) something like “GPL-2.0-or-later OR CC-PDM-1.0”, which conveys the ambiguous nature of the assessment and allows a policy engine to say “we trust upstream attempts to do self-analysis of CC-PDM” or “hell no, our risk tolerance can’t accept the vagaries of self-defined public domain and so we must fall back to the other license”. Unfortunately, since part of what you’re after is brevity and simplicity, and CC (not unwisely) sought precision, I don’t think the actually text of CC-PDM gets you where you want to be even if it is logically/legally the correct approach.


Join to automatically receive all group messages.