Re: for discussion: when can people start using short ids?


Steve Winslow
 

I'd mostly echo Gary's comments here. #1 is the option that enables someone to be sure that the ID they're using should validate with then-current tooling. #2 is workable for folks who don't care about validating immediately. #3 should be avoided because the IDs can end up changing as we work out nuances during the templating process.

Jilayne, to your original question, I think it could be worth SPDX having clearer guidance on this.

Ria, yes, I'd say there's two reasons why there is a quarterly release cycle:

* The License List's version number is relevant for SPDX Documents, so that a given SPDX Document can be validated against a particular version number. See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#67-license-list-version-field for the data field. The spec doesn't mandate a quarterly release, but I think we've landed on that as a reasonable cadence for SPDX Document users as well as other downstream users.

* Yes, there's a fair bit of manual effort in actually publishing the release. Gary was handling this originally, and I've taken over it for the past few years. This is an area which could probably be much more automated, and I'd be happy to discuss with folks who would be willing to help with building and maintaining that automation  :)

Best,
Steve

On Tue, Sep 6, 2022 at 10:40 AM Ria Schalnat (HPE) <ria.schalnat@...> wrote:
Just out of curiosity - why is the release cycle for new licenses quarterly?  Is there significant work in a release of new licenses (assuming that this isn't tied to other more material updates like the spec itself).

Thanks,


Ria Farrell Schalnat

Open Source Program Manager
Hewlett Packard Enterprise
ria.schalnat@...



-----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of Gary O'Neall
Sent: Monday, September 5, 2022 1:59 PM
To: 'J Lovejoy' <opensource@...>; 'SPDX-legal' <spdx-legal@...>
Subject: Re: for discussion: when can people start using short ids?

My vote is for #1 - The SPDX tools only uses the released license lists.  If someone uses an ID before it is released, it may not pass validation.

I'm OK with #2 with the understanding that other tools may not understand the license ID's until the release.

I'm very much not in favor of #3, - before merging, you may find issues in the CI checks for the license XML (e.g. the text matches an existing license).

Gary

> -----Original Message-----
> From: Spdx-legal@... <Spdx-legal@...> On Behalf
> Of J Lovejoy
> Sent: Monday, September 5, 2022 1:03 PM
> To: SPDX-legal <spdx-legal@...>
> Subject: for discussion: when can people start using short ids?
>
> Hi all,
>
> From our last call, the subject of  'when can people start using short
> ids? ‘ came up. This has been asked before on individual license
> submissions and we have answered informally, but it might be helpful
> to have a more official stance and document it somewhere.
>
> The options I can see are and my thoughts on each:
>
> 1) Once the new license and id appear on the SPDX License List after
> the next release
> JL:  this can require a long wait, as our release cycle is quarterly.
> Personally, I think this is too long for many people who are motivated
> to start using the short id (which is often why they have submitted a
> license to SPDX to begin
> with)
>
> 2) Once the PR for the new license has been merged
> JL:  This makes a lot of sense, as once a PR has been merged, it’s
> HIGHLY unlikely that something would change after that; it’s
> ostensibly waiting in the queue to become part of the official next
> release. Downside, is that creating the files can take some time; on
> the other hand, if the submitter is really in a hurry, they have the
> ability to create the files themselves, and then it’s just a matter of an SPDX-legal person merging it.
>
> 3) Once the license submission has been noted as accepted in the Issue
> and all the fields have been sorted using our new decision template
> JL: This would be the earliest point in time, which might be nice for
> the submitter, although it sort of frustrates any motivation for the
> submitter to help with creating the PR. It would also mean more care
> taken before marking a license as accepted, especially as relates to
> choosing a short id (not necessarily a bad thing).  We have
> occasionally realized things after the Issue is marked as accepted, in
> the making of the files for the PR, so this is the risk here.
>
>
> Cheers,
> Jilayne
>
>












Join Spdx-legal@lists.spdx.org to automatically receive all group messages.