Re: remove recommendation re: standard license headers
top-posting as I'm not sure I can keep up with the various comments, but a bit of background:toggle quoted messageShow quoted text
- the first idea of using the identifiers in source files from outside the main SPDX community came by way of a developer in Germany who wrote a blog post about it and sent me the link (I still don't really know who this person was) - that was 2011
- I believe U-boot was the first project that began actually using them - I'd guess that was shortly thereafter, 2021, say. U-boot made the decision to remove the GPL "standard header" and just use the SPDX identifiers, which seemed rather daring at the time, but this was their choice.
Since then, many more project have adopted this manor of communicating the license. The SPDX project does not need to provide recommendations either way - projects will make their own determination, as they should.
* For anyone who has done scans and audits of source code to determine the license - this is absolutely helpful. (and if you haven't done scans and audits of source code to determine licensing - count yourself as lucky!)
There are really very few licenses that provide a "standard header" - meaning a delineated instruction of text to include in the source file. (Apache-2.0 and the L/GPL family being the most used/common).
Even in the case of the short licenses (e.g., BSD, MIT) that are assumed to have the full text in the file - I have heard complaints that this is wasted text/space from developers and I have seen *plenty* of "short hand" license notices that were not even clear, for example, "this file is licensed under a BSD-style license" <groan>
From a broader legal perspective - consider that the license (or agreement, more generally) often does not directly accompany the things (software) you are consuming. It is quite often there is a reference (express or even implied) and the actual text is elsewhere. That's fine and it's no different here.
On 11/24/21 9:42 PM, Neal Gompa wrote:
On Tue, Nov 23, 2021 at 11:12 AM Warner Losh <imp@...> wrote:On Tue, Nov 23, 2021 at 3:47 AM Richard Purdie <richard.purdie@...> wrote:On Mon, 2021-11-22 at 22:41 -0500, Neal Gompa wrote:I'd personally rather we didn't even make the *appearance* of a recommendation that SPDX-License-Identifiers are suitable replacements for standard license headers. Especially with licenses that declare *how* you're supposed to leverage a license for your software, this can be highly problematic. My personal feeling is that everyone who uses SPDX-License-Identifier as a replacement for proper license headers is doing a disservice to themselves, the community at large, and everyone who uses and and consumes that code. When code travels (e.g. Linux drm/ -> FreeBSD), it's super-easy for compliance and understanding to be missed because you've gutted the important information from the code itself. This also makes it difficult for the spirit and intent of licenses to be conveyed because you're reducing them to something that they're not: some checkbox somewhere. Moreover, you've effectively eliminated how people learn about the licenses the code uses.If this was attempted some number of years ago, I'm not sure it would have been appropriate but things evolve. Through the efforts of SPDX and others, I think it is now very clear what these identifiers mean and how they can be used. It makes the situation so much clearer to have a definitive short statement rather than multiple copies of license text which are often subtly different from each other or where people have avoided any license text at all as it was too verbose/painful. I say this as someone who helped adding the original license fields to openembedded, trawling through tons of source code where it was often unclear and ambiguous what license things were under. I'd strongly disagree it is a disservice and stand by the decision to tidy up code headers in various projects, some of which I've helped with. Yes you do need to be careful in changing things but the resulting readability and usability improvements are very much worthwhile.I'll point out that the variations are an enormous pain in the ass for FreeBSD and create more uncertainty and compliance issues not less. If I don't reproduce every single license in the tree, verbatim, is that a material breach of the license? Is the 'voices in Bill Paul's head' evidence of insanity of Bill Paul this making his grant of license improper because insane people can't enter into legal agreements? All of this is with the standard 'boiler plate' language.Well, insanity question aside (because at some level, all of our sanity will need to be questioned because we deal with this ;) ), if you don't reproduce them (variations and all), you risk breaching the licenses. Because those notices in the headers are an expression of intent in themselves.I've also studied Unix history and noticed something interesting. In all CSRG's code inside of SCCS, they had something like %License% for all the files, to be replaced on release automatically. Even CSRG didn't want to slavishly copy the license text around, but used that hack to impose uniformity without burdening the CSRG staff. :)And those notices were carried *everywhere* that code was copied. :) Because the truth is, those notices *need* to be reproduced when informing people of the code *at the minimum*. No notice means the licensing doesn't exist for most people (including lawyers I've talked to over beverages before...). -- 真実はいつも一つ！/ Always, there's only one truth!