Re: SPDX should take a stronger stance against vanity/promotional licenses
You raise some specific points that highlight some things we have worked on recently, so responding here inline.
On 1/24/23 4:13 PM, Kyle Mitchell wrote:
Richard and I have been working on that given Fedora's recent adoption of SPDX id's for Fedora's license metadata. The "pipe" is not exactly smooth or efficient at this point, but sometimes you need to open the flow and then sort out the plumbing :)If distros are seeing packaged-but-not-identified licenses in numbers to the point of pain, I'd suggest addressing that pain directly. Perhaps by laying a wider pipe from distros' workflows to SPDX's.
We just adopted something along these lines in terms of trying to make it easier for the review process step by needing 2 (instead of 3) SPDX-legal folks to approve. See the update to the Review Process, (1)(ii) https://github.com/spdx/license-list-XML/blob/main/DOCS/request-new-license.mdFrom personal experience, the biggest blocks might actually be the XML schema and just reading through all the process doc. If SPDX had a special track for identification based on calls from popular distros, and the distros could submit plain text terms and have them formatted for inclusion by someone else, would that flush the backlog?
We still simply need more people comfortable with reviewing and commenting, though.
To help with identifying licenses as per above, we have a new label to make it easier to spot these submissions, but have yet to go through all submissions and apply it.
We are also trying to work on better documentation all around, it's coming along and has actually improved a lot recently, but always more to do and not enough hands and time!
I'm glad to hear this as I don't and never have seen those kinds of values as the role of SPDX License List. It should be rather dry.As for motivations, I've sever seen SPDX identification as approval. I don't expect it's ever made a license popular. And I've yet to meet any dev who does.
That being said, there are, even if it's a small percentage, of people who seem to attach some (mis)placed value. I think at times, this drives their submissions. And, going on my subjective memory and experience, it certainly feels like those submissions can end up soaking up more time, as someone from SPDX-legal has to explain that their license is not accepted and why, which can often include explaining some basic facts about SPDX and the SPDX License List, and in doing so, manage the submitter's reaction. This takes valuable time and energy. We have tried in various places that are a "point of entry" to remind people to familiarize themselves with the SPDX landscape before submitting a license, but you know what they say about leading a horse to water...
I'm all ears for any better way to deal with these kinds of submissions (back to Richard's email...)
if we can just get people to help creating the XML files... then yes :)The motivation I've seen and felt comes from where and how the list has been used. Not necessarily as originally intended. I've brought licenses here because package manager metadata warnings are annoying. I take it the distro people might be irked in similar ways. Both probably seem insubstantial, looking over from the other side. But a few kB of XML file in a GitHub repo is pretty cheap cure.