Re: remove recommendation re: standard license headers


J Lovejoy
 

top-posting as I'm not sure I can keep up with the various comments, but a bit of background:
- the first idea of using the identifiers in source files from outside the main SPDX community came by way of a developer in Germany who wrote a blog post about it and sent me the link (I still don't really know who this person was) - that was 2011
- I believe U-boot was the first project that began actually using them - I'd guess that was shortly thereafter, 2021, say. U-boot made the decision to remove the GPL "standard header" and just use the SPDX identifiers, which seemed rather daring at the time, but this was their choice.

Since then, many more project have adopted this manor of communicating the license. The SPDX project does not need to provide recommendations either way - projects will make their own determination, as they should.


* For anyone who has done scans and audits of source code to determine the license - this is absolutely helpful. (and if you haven't done scans and audits of source code to determine licensing - count yourself as lucky!)

There are really very few licenses that provide a "standard header" - meaning a delineated instruction of text to include in the source file. (Apache-2.0 and the L/GPL family being the most used/common).

Even in the case of the short licenses  (e.g., BSD, MIT) that are assumed to have the full text in the file - I have heard complaints that this is wasted text/space from developers and I have seen *plenty* of "short hand" license notices that were not even clear, for example, "this file is licensed under a BSD-style license" <groan>

From a broader legal perspective - consider that the license (or agreement, more generally) often does not directly accompany the things (software) you are consuming. It is quite often there is a reference (express or even implied) and the actual text is elsewhere. That's fine and it's no different here.


J.




On 11/24/21 9:42 PM, Neal Gompa wrote:

On Tue, Nov 23, 2021 at 11:12 AM Warner Losh <imp@...> wrote:


On Tue, Nov 23, 2021 at 3:47 AM Richard Purdie <richard.purdie@...> wrote:
On Mon, 2021-11-22 at 22:41 -0500, Neal Gompa wrote:
I'd personally rather we didn't even make the *appearance* of a
recommendation that SPDX-License-Identifiers are suitable replacements
for standard license headers. Especially with licenses that declare
*how* you're supposed to leverage a license for your software, this
can be highly problematic.

My personal feeling is that everyone who uses SPDX-License-Identifier
as a replacement for proper license headers is doing a disservice to
themselves, the community at large, and everyone who uses and and
consumes that code. When code travels (e.g. Linux drm/ -> FreeBSD),
it's super-easy for compliance and understanding to be missed because
you've gutted the important information from the code itself. This
also makes it difficult for the spirit and intent of licenses to be
conveyed because you're reducing them to something that they're not:
some checkbox somewhere. Moreover, you've effectively eliminated how
people learn about the licenses the code uses.
If this was attempted some number of years ago, I'm not sure it would have been
appropriate but things evolve. Through the efforts of SPDX and others, I think
it is now very clear what these identifiers mean and how they can be used. It
makes the situation so much clearer to have a definitive short statement rather
than multiple copies of license text which are often subtly different from each
other or where people have avoided any license text at all as it was too
verbose/painful.

I say this as someone who helped adding the original license fields to
openembedded, trawling through tons of source code where it was often unclear
and ambiguous what license things were under. I'd strongly disagree it is a
disservice and stand by the decision to tidy up code headers in various
projects, some of which I've helped with. Yes you do need to be careful in
changing things but the resulting readability and usability improvements are
very much worthwhile.

I'll point out that the variations are an enormous pain in the ass for FreeBSD
and create more uncertainty and compliance issues not less. If I don't reproduce
every single license in the tree, verbatim, is that a material breach of the license?
Is the 'voices in Bill Paul's head' evidence of insanity of Bill Paul this making his
grant of license improper because insane people can't enter into legal
agreements? All of this is with the standard 'boiler plate' language.

Well, insanity question aside (because at some level, all of our
sanity will need to be questioned because we deal with this ;) ), if
you don't reproduce them (variations and all), you risk breaching the
licenses. Because those notices in the headers are an expression of
intent in themselves.

I've also studied Unix history and noticed something interesting. In all CSRG's code
inside of SCCS, they had something like %License% for all the files, to be replaced
on release automatically. Even CSRG didn't want to slavishly copy the license text
around, but used that hack to impose uniformity without burdening the CSRG staff. :)

And those notices were carried *everywhere* that code was copied. :)

Because the truth is, those notices *need* to be reproduced when
informing people of the code *at the minimum*. No notice means the
licensing doesn't exist for most people (including lawyers I've talked
to over beverages before...).





--
真実はいつも一つ!/ Always, there's only one truth!






Join Spdx-legal@lists.spdx.org to automatically receive all group messages.