Re: Commutativity of SPDX expressions

Warner Losh

Please define "INBOUND" and "OUTBOUND" licenses. None of the open source licenses indexed by SPDX grant permission to relicense the derived work, so any work including them either is solely the original license, or an AND of the project's license and the original license (to the extent the project creates a derived work). This is a clear case for "AND" where both licenses must be complied with. SPDX expressions do not have additional , secondary meanings, like what is the preferred license, what license do we accept changes for this derived work under, etc. All those secondary meanings would, if any, would need to be spelled out explicitly by the project wishing for them to apply for that project. For example, if a project takes MIT licensed code and creates a derived work they wish to license as GPL, they must list the license as GPL AND MIT because their desire to license under the GPL does not override the MIT license nor the IP of the original author. To say that the GPL is a proper-superset of the MIT license would be taking a legal position that's more aggressive than has been taken in the past, and I don't think that the SPDX project wants to be in the position of creating a matrix that says what is a superset of what so you can 'reduce' the complexity of the SPDX-License-Expression using some set of rules.

As for "AND": IThe standard says the following:

'If required to simultaneously comply with two or more licenses, use the conjunctive binary "AND"..."

Since each license is given equal weight in this construct, I'd say that AND is commutative where A AND B == B AND A. The standard has no verbage to the contrary to suggest one is controlling when there's a conflict, for example. Nor any of the other problems that might result from them being non-commutative. The standard is not explicit that it is commutative, but common usage for AND is. In the absence of a more specific definition, common usage would dictate interpretation should this be litigated. I'll let the better legal minds here, though, chime in as to whether or not the SPDX standard, as written, would need any correction to its language to address this potential ambiguity.


On Sun, Jul 17, 2022 at 1:18 PM McCoy Smith <mccoy@...> wrote:
At the risk of sounding like I’m hijacking this to re-raise my prior issue:
If AND is the operator to be used when having different inbound vs outbound, then AND may not be commutative, since the order of listing the licenses may convey information about which license is inbound vs outbound, and (maybe) which license applies to different parts of the code.
Which militates to me toward a new expression, but I’ve made that point already.

> On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...> wrote:
> I'm working on some draft documentation for Fedora around use of SPDX
> expressions in RPM spec file License: fields. I was surprised to
> apparently not see anything in the SPDX spec that says that the AND
> and OR operators are commutative. I want to assert that the expression
> "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
> SPDX spec actually take no position on this?
> Richard

Join { to automatically receive all group messages.