Re: Commutativity of SPDX expressions


Warner Losh
 



On Sun, Jul 17, 2022 at 2:43 PM McCoy Smith <mccoy@...> wrote:
Rather than getting into further debates about what various licenses do and don't require, or for that matter what copyright law does or doesn't require, I guess I'd turn back to the ath5k example.
Is the license designation they used the same as the AND operator in SPDX? I think it is not (or if AND encompasses it, AND may be interpreted too broadly so as to potentially cause confusion or incorrect assumptions about the license state).
Ath5k license designation is here: https://lwn.net/Articles/247806/
Now, people are free to respond back that the ath5k license designation is legally invalid, but I for one will not stand here and have Richard Fontana's legal skills besmirched!

Each of the individual files retains the original copyright and license, as the original author required. You are required to still abide by the terms in those files (but each individual grant is not the sum of the requirements).

The current kernel.org Linux ath5k driver is marked as 'MODULE_LICENSE("Dual BSD/GPL");'. The kernel.org version of this driver does not have these changes included. In addition, the OpenBSD folks were none-too-happy with this attempt to strip off the BSD licenses. https://undeadly.org/cgi?action=article&sid=20070829001634 has the details (but Google finds many other instances; I've not chased them all down). LICENSE_MODULE is beyond the scope of SPDX and is up to the Linux Kernel Community what licenses they support and when.

The SPDX matching tool, which implements the SPDX license matching guidelines, would say that there's multiple licenses you must comply with. That means the union of all the licenses, which is the meaning of AND in a SPDX-License-Identifier, which I believe would be the result for several of the files. I've not run it on the current version of these files, but have obtained that result for other code that has multiple licenses.

I'm not entirely sure, given the contentious history, that this makes a good example, though.

Warner
 
> -----Original Message-----
> From: J Lovejoy <opensource@...>
> Sent: Sunday, July 17, 2022 1:18 PM
> To: McCoy Smith <mccoy@...>
> Cc: Richard Fontana <rfontana@...>; SPDX-legal <spdx-
> legal@...>
> Subject: Re: Commutativity of SPDX expressions
>
> Hi McCoy,
>
> I’m wondering if you are trying to adapt SPDX identifiers in a situation not
> anticipated. Consider that the aim of an SPDX document (as per the SPDX
> specification), and thus, using SPDX license ids in the various specification
> fields, is to communicate licensing, copyright, provenance, etc. information
> for a given bundle of software. For example, I sell you Jilaynes-awesome-
> software-app and provide an SPDX document for that software product. The
> licensing info in this context would be presumably what I think you are
> referring to as the “outbound” license - that is the license under which the
> software is used by the recipient.
>
> Let’s say, Jilaynes-awesome-software-app includes some open source
> software under various open source licenses, say, MIT and Apache-2.0, and I
> also added some of my own (new) code under BSD-3-Clause, that all of this
> can be reflected in the appropriate license fields at the package, file, and/or
> snippet level.
>
> I think of “inbound”, in relation to open source software, as usually referring
> to the license under which contributions are provided to the project. But I
> think you might be meaning “inbound” in  relation to Jilayne’s-awesome-
> software-app - that is, the open source software that I incorporate into my
> app under MIT and Apache-2.0. Is that right?
>
> Thanks,
> Jilayne
>
> > On Jul 17, 2022, at 1:18 PM, McCoy Smith <mccoy@...> wrote:
> >
> > At the risk of sounding like I’m hijacking this to re-raise my prior issue:
> > If AND is the operator to be used when having different inbound vs
> outbound, then AND may not be commutative, since the order of listing the
> licenses may convey information about which license is inbound vs
> outbound, and (maybe) which license applies to different parts of the code.
> > Which militates to me toward a new expression, but I’ve made that point
> already.
> >
> >> On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...>
> wrote:
> >>
> >> I'm working on some draft documentation for Fedora around use of
> >> SPDX expressions in RPM spec file License: fields. I was surprised to
> >> apparently not see anything in the SPDX spec that says that the AND
> >> and OR operators are commutative. I want to assert that the
> >> expression "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND
> >> MIT". Does the SPDX spec actually take no position on this?
> >>
> >> Richard
> >>
> >
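
The comparison Richard asks about, as an added example that is not part of the thread or of any SPDX tooling: it parses two expressions and compares them after sorting the operands of AND and OR. It assumes AND and OR are commutative and associative (the reading Richard wants to assert, which the thread leaves open), the SPDX precedence WITH > AND > OR, and upper-case operators; `parse`, `canonical` and `equivalent` are hypothetical names.

```python
import re

OPS = ("AND", "OR", "WITH")  # assumption: operators appear in upper case
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse(expr):  # SPDX expression -> nested-tuple AST
    tokens, pos = _TOKEN.findall(expr), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "(":
            node = binary("OR")
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok == ")" or tok in OPS:
            raise ValueError(f"unexpected token {tok!r}")
        if peek() == "WITH":  # binds tighter than AND and OR
            take()
            return ("WITH", tok, take())  # license, exception: order kept
        return ("ID", tok)
    def binary(op):  # OR is the loosest operator, AND the next
        operand = atom if op == "AND" else (lambda: binary("AND"))
        parts = [operand()]
        while peek() == op:
            take()
            parts.append(operand())
        return parts[0] if len(parts) == 1 else (op, *parts)
    tree = binary("OR")
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree

def canonical(node):  # order-independent form of an AST
    if node[0] in ("ID", "WITH"):
        return node
    flat = []
    for child in map(canonical, node[1:]):  # merge nested same-operator groups
        flat.extend(child[1:] if child[0] == node[0] else [child])
    return (node[0], *sorted(flat))

def equivalent(a, b):
    return canonical(parse(a)) == canonical(parse(b))
```

Under the non-commutative reading McCoy raises, where operand order carries inbound/outbound information, this normalization would discard that information and should not be applied.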