1. Spdx-Legal
  2. Messages

Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

Shawn Clark
 

I have spent a lot of time contemplating the question, but want to confirm I'm thinking about the same thing:

Are you talking about the nature of open source requiring (such as in a requirements.txt) other open source code/components that ultimately mean the terms of several licenses would apply to the top level software package (such as the total python package)? And how to include those identifiers in spdx, either as a requirement of the open source license, or as a pass-through of a license (such as lgpl/gpl)?

I have thoughts on the topic but wanted to confirm before I ramble on about it šŸ˜ I may be off the rails here.

Cheers!
-Shawn Clark
Michigan Attorney, P79081




On Fri, Jul 1, 2022, 4:17 PM McCoy Smith <mccoy@...> wrote:

Well the example is the reverse: inbound BSD-2-Clause, outbound MIT.

Iā€™m more thinking license identifiers that go with the code (since I think for most folks thatā€™s where they do license attribution/license copy requirements).

But obviously the issue/problem is more generic given that some permissive licenses allow the notice to be in either (or in some cases require in both) the source or documentation.

Ā 

From: spdx@... <spdx@...> On Behalf Of J Lovejoy
Sent: Friday, July 1, 2022 1:11 PM
To: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

Ā 

Hi McCoy!

Ā 

Iā€™m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.

Ā 

Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing Ā the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?

Ā 

Thanks,

Jilayne



On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:

Ā 

I didnā€™t see this particular topic addressed in the specification (although Iā€™m happy to be correcedt if I missed it), so I thought Iā€™d post and see whether there is a solution thatā€™s commonly used, or if thereā€™s room for a new identifier.

Ā 

Virtually all so-called ā€œpermissiveā€ licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:

  1. Preserve all existing IP notices (or in some cases, just copyright notices)
  2. Provide a copy of the license (or something to that effect: retaining ā€œthis permission noticeā€ (ICU/Unicode/MIT)Ā  or ā€œthis list of conditionsā€ (BSD) or providing ā€œa copy of this Licenseā€ (Apache 2.0))

Ā 

The rules around element 1 and SPDX are well-described.

With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):

Ā 

SPDX-License-Identifier: MIT

[This file/package/project contains code originally licensed under:]

SPDX-License-Identifier: BSD-2-Clause

Ā 

The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain ā€œĀ this list of conditions and the following disclaimerā€ which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.


One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.

Ā 

Thoughts? Am I missing something?

Ā 
Join Spdx-legal@lists.spdx.org to automatically receive all group messages.