Re: Revisiting the SPDX license representation syntax


Philippe Ombredanne
 

On Tue, Oct 22, 2013 at 6:01 PM, Gisi, Mark <Mark.Gisi@...> wrote:
In the last SPDX Legal meeting we discussed whether the current SPDX license
representation syntax is sufficient to represent the licensing terms of most
files (e.g., source, library and binary programs). For example, is the
combination of the SPDX license list + current binary operands (AND and OR)
sufficient to describe the licensing of most programs derived from multiple
source and library files, where each is potentially under a different
license.
Let me bring my 2 cents to the discussion. A while back I wrote down
this little language to compose licenses. The point was to :
- make this easy enough for humans and machines to read, write and understand.
- have a terse yet expressive way to represent actual licensing in one
statement, eventually expressing the complex licenses composition of
whole packages.
- support factual licenses statements as well as interpretations such
as selection from a choice, the fact that some license may apply that
were not asserted originally, etc.

PS: For most of it there is nothing new there, SPDX does it alright.
PPS: Some of this may not mesh entirely well with the current SPDX
licenses list state (such as expressing "or later versions"
generically or how we deal with exceptions).

Here are the basic examples updated to SPDX:

* lgpl-2.0 : a single license applies.

* apache-2.0 lgpl-2.0 : All the licenses listed apply,
space-separated list. (AND is implied as the default operator,
CONJUNCTION)

* mit & lgpl-2.0 : All licenses listed apply, ampersand-separated
list. (explicit AND, CONJUNCTION)

* mit | gpl-2.0 : a license choice: either one of the licenses can
apply, the choice does not have to be made and can be passed
downstream. (CHOICE, OR)

* mit ? gpl-2.0 : a disjunctive license choice of mit or gpl-2.0.
A choice must be made. (CHOICE, EXCLUSIVE OR, DISJUNCTION)

* gpl-2.0 ^ classpath : a license exception or supplemental terms:
here, the classpath exception to the gpl-2.0. nb: here we have a
slight change with the SPDX license list, where the exception would be
just the exception and not the whole gpl-and-classpath taken together
as one license.(EXTRA TERMS, EXCEPTION)

* gpl-1.0 + : this license version or a later version applies:
i.e. gpl-1.0 or later. nb: here the plus sign is not part of the
license id, but part of the syntax which is also different from SPDX
(OR LATER version)

* (apache-1.1 mit gpl-2.0) : a grouping of licenses. This is
useful for explicit grouping in complex statements, rather than
relying only on eventual operators precedence (GROUP)

* ftl [ftl ? gpl-2.0]: a license selection expressed with
brackets: here I picked ftl from the disjunctive choice of ftl or gpl.
(SELECTION using brackets)

* apache-2.0 {mit bsd-3-clause lgpl-3.0} : I think that the
primary license is overall apache-2.0 and that other secondary license
apply. This is handy to express composite licenses at a package level.
(PRIMARY and SECONDARY using braces)

* gpl-2.0 < mit: I think that the license that applies here is
gpl-2.0, despite being asserted originally as MIT-licensed (possibly
because of linking, dependencies, code reuse or else).
(INTERPRETATION, INTERACTION)

* gpl-2.0 ! commercial : I think that the gpl applies and that the
commercial the license id CANNOT apply. Negations are usually
aberrations with conflicting terms but I see vendors releasing dual
GPL/proprietary making this type of interpretation in supplemental
terms often enough. Some proprietary licenses state the opposite
explicitly too: this is commercial and cannot be gpl. This rarely of a
practical use but may be needed for completeness (NOT, NEGATION)


And more complex examples:
* apache-1.1 ( mit | gpl-2.0) : apache AND mit or gpl using a
grouping of licenses choice.

* mpl-1.1 [gpl-2.0 | lgpl-2.1 | mpl-1.1 ]: I picked mpl-1.1 from
the choice of mpl, lgpl or gpl.

* gpl-2.0 < (mpl-1.1 [gpl-2.0 ? lgpl-2.1 ? mpl-1.1 ]): I think
gpl-2.0 applies here despite a selection of mpl-1.1 from a disjunctive
choice.

* apache 1.1 & bsd-3-clause & (openssl ^ gpl-exception) : apache
AND bsd AND (openssl with a gpl-exception taken together) apply.

* gpl-2.0 [gpl-2.0 ^ gpl-2.0-with-classpath-exception | cddl-1.0]
: I picked gpl-2.0 from a choice of gpl with classpath exception or
cddl.

* proprietary & {mit bsd-3-clause apache-2.0
gpl-2.0-with-bison-exception}: My primary license is proprietary with
MIT, BSD, GPL with bison exception and Apache-licensed code as
secondary

* lgpl-2.0 [lgpl +] : I picked the v2 of the lgpl out of a choice
of any LGPL versions.

* gpl-2.0 < (gpl-2.0 | mpl-1.1): I think that the license that
applies here is only gpl-2.0, despite being asserted originally as
choice of gpl or mpl may be because this code is running in kernel
space.


I hope this helps fueling the discussion.
Cheers

--
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode Enterprise at http://www.dejacode.com | What's in your software? (sm)
nexB Inc. at http://www.nexb.com

Join Spdx-legal@lists.spdx.org to automatically receive all group messages.