Re: SPDX should take a stronger stance against vanity/promotional licenses

J Lovejoy

Hi Kyle,

You raise some specific points that highlight some things we have worked on recently, so responding here inline.


On 1/24/23 4:13 PM, Kyle Mitchell wrote:
If distros are seeing packaged-but-not-identified licenses
in numbers to the point of pain, I'd suggest addressing that
pain directly.  Perhaps by laying a wider pipe from distros'
workflows to SPDX's.
Richard and I have been working on that given Fedora's recent adoption of SPDX id's for Fedora's license metadata. The "pipe" is not exactly smooth or efficient at this point, but sometimes you need to open the flow and then sort out the plumbing :)

From personal experience, the biggest blocks might actually
be the XML schema and just reading through all the process
doc.  If SPDX had a special track for identification based
on calls from popular distros, and the distros could submit
plain text terms and have them formatted for inclusion by
someone else, would that flush the backlog?
We just adopted something along these lines in terms of trying to make it easier for the review process step by needing 2 (instead of 3) SPDX-legal folks to approve. See the update to the Review Process, (1)(ii)
We still simply need more people comfortable with reviewing and commenting, though.

To help with identifying licenses as per above, we have a new label to make it easier to spot these submissions, but have yet to go through all submissions and apply it.

We are also trying to work on better documentation all around, it's coming along and has actually improved a lot recently, but always more to do and not enough hands and time!

As for motivations, I've sever seen SPDX identification as
approval.  I don't expect it's ever made a license popular.
And I've yet to meet any dev who does.  
I'm glad to hear this as I don't and never have seen those kinds of values as the role of SPDX License List. It should be rather dry.

That being said, there are, even if it's a small percentage, of people who seem to attach some (mis)placed value. I think at times, this drives their submissions. And, going on my subjective memory and experience, it certainly feels like those submissions can end up soaking up more time, as someone from SPDX-legal has to explain that their license is not accepted and why, which can often include explaining some basic facts about SPDX and the SPDX License List, and in doing so, manage the submitter's reaction. This takes valuable time and energy. We have tried in various places that are a "point of entry" to remind people to familiarize themselves with the SPDX landscape before submitting a license, but you know what they say about leading a horse to water...

I'm all ears for any better way to deal with these kinds of submissions (back to Richard's email...)

The motivation I've seen and felt comes from where and how
the list has been used.  Not necessarily as originally
intended.  I've brought licenses here because package
manager metadata warnings are annoying.  I take it the
distro people might be irked in similar ways.  Both probably
seem insubstantial, looking over from the other side.  But a
few kB of XML file in a GitHub repo is pretty cheap cure.

if we can just get people to help creating the XML files... then yes :)

Join { to automatically receive all group messages.