Re: Revisiting the SPDX license representation syntax (Package vs. Program license)
|
RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
Mark, I do not criticize the boolean system I just want to point out that we are mostly dealing with package level system If I take the example of JBoss in our FOSS DB you get the following (see below)
So the concluded license is just LGPL-2.1 AND(+) a lot of dependencies
Note that “Dual” in our DB: means OR (we are perhaps not totally compliant to the SPDX standard but revision of our DB entries will take times) The thing in blue correspond to links to other FOSS in our DB or Licenses This demonstrates also some of the actual limit of the SPDX standard. When an open source dependency has no link it means that it has been codified with a different name in our DB (because the links are done automatically by the Database).
Food for thoughts Michel
Michel.Ruffin@..., PhD De : Gisi, Mark [mailto:Mark.Gisi@...]
Michel,
You make some good points which I would like to build upon for the upcoming discussion.
>>> Note that it is quite frequent to find SW which is (GPL and LGPL): the standalone code is GPL while the libraries are LGPL
Package Licensing --------------------------- I believe you are referring to a package license here as opposed to a license of linked components (e.g., a program, library or source file). Packages and items found in a package are two different beasts that require different considerations. A package is a “box of stuff” where some stuff may be related by linking while other stuff is not. In addition to the more common stuff (source files, libraries), some other stuff found in a package might include documentation, build scripts, test cases, images, video, config files, and so forth. Unfortunately the concept of a package license is ill-defined and often not representative of all the different things in the package. The Busybox package components are represented by more than 15 different licenses and the Webkit package by more than 30. In the embedded software industry, packages are rummaged through, picked apart and often only a small subset of files (or components) are actually used. I must confess, as an SPDX user, I do not pay much attention to the package Concluded License field. I head straight for the source and library licenses from which the programs I distribute are built from. A Boolean expression (or even a single license identifier) is often not meaningful for many packages today as illustrated by your example above: (GPL and LGPL):
>>> imagine that a part of the software is GPL and another part is BSD but the BSD part is not linked to the GPL part so is not necessary subject to GPL.
Program & Library Licensing ------------------------------------------ Boolean expressions are very useful to describe the licensing of a program or library that is built by linking one or more other files (source and library files). Licensing of any new linked work is a function of the licensing of its parts (directly and indirectly linked). It is less natural (and more dangerous) to use a single Boolean expression (or a single license identifier) to describe the licensing of a collection of *unlinked* components. This is one of the core problems of package licensing today. I illustrate this by building on your example. Consider the following licensing: · Source file SFile1 -> LGPL-2.1+ · Source file SFile2 -> GPL-2.0 · Library file LFile3 -> (MIT AND (LPGL-2.1 OR MPL-1.1)) · Library file LFile4 -> BSD-2-Clause · Program file PFile5 is built (derived) by linking SFile1 and SFile2 -> (LGPL-2.1+ AND GPL-2.0) · Program file PFile6 is built (derived) by linking SFile1 and LFile4 -> (LPGP-2.1+ AND BSD-2-Clause)
It makes perfect sense to determine the distribution obligations of program PFile5 based on one’s legal interpretation of the conjunctive expression (SFile1 + SFile2): (LGPL-2.1+ AND GPL-2.0)
Or the distribution obligations of program PFile6 based on one’s legal interpretation of the conjunctive expression (SFile1 + LFile4): (LPGP-2.1+ AND BSD-2-Clause)
It makes less sense to talk about the collective (group) licensing of files SFile2, LFile3 and PFile6 because they are unrelated (not linked). That is essentially what the package license attempts to achieve today. There are a number of historical reasons why the package license is still relied upon but that topic deserves its own dedicated discussion.
So to your point, if one was to distribute program PFile6, one must apply their legal analysis to the entire expression: (LPGP-2.1+ AND BSD-2-Clause)
You can’t tease it apart because it is a new work created via linking. However, as you have pointed out, one may want to independently use LFile4 subject to the BSD-2-Clause license which can be achieved. The package license is not relevant here.
All in all, Boolean expressions provide an effective way to describe licensing of programs, libraries and source files (linkable distributable components). Package licensing is an ill defined concept. Often a package can be viewed as a box containing a collection of components each *potentially* subject to different licensing terms. We will need to address these differences in the upcoming licensing breakout session.
Best,
Mark Gisi | Wind River | Senior Intellectual Property Manager Tel (510) 749-2016 | Fax (510) 749-4552
From: RUFFIN,
MICHEL (MICHEL) [mailto:michel.ruffin@...]
Sent: Thursday, October 24, 2013 5:53 AM To: Gisi, Mark Cc: Tom Incorvia; SPDX-legal; spdx-tech@... Subject: RE: Revisiting the SPDX license representation syntax
I agree that license decomposition is a hard topic but as a first step perhaps a full decomposition in 70 attributes as Tom suggestion is perhaps too much effort. If you look at the OSI licenses there are a reduce set of attributes (source code availability, document or run-time acknowledgement, license propagations, …)
In your example, I do not see how you can solve the interpretation issue.
At file level it is clear that everything should be licensed under GPL but imagine that a part of the software is GPL and another part is BSD but the BSD part is not linked to the GPL part so is not necessary subject to GPL. A company that wants to sublicense the BSD part would like to know that some of the code is BSD, while a company that do not want to sublicense the BSD part can simplify things by distributing all under GPL.
So first you need to know the relationship between the various components and then apply the company policy
Note that it is quite frequent to find SW which is (GPL and LGPL): the standalone code is GPL while the libraries are LGPL
Michel Michel.Ruffin@..., PhD De : Gisi, Mark [mailto:Mark.Gisi@...]
Hi Michel,
Thanks for sharing your experiences. I agree these are worthy topics. I have had a number of similar conversations with Wind River customers through the years. Although these topics can be discussed in parallel, I agree with Tom in that we can’t move much faster (or further) until we repair the foundation from which these concepts are built upon. Before we can begin discussing common agreed upon obligations (semantics), we need to first accurately represent the licensing terms of source files, libraries and programs (syntactically). For example, consider program X, having the following Boolean license expression:
(GPL-2.0 AND BSD-3-Clause)
Program X was built (derived) by integrating a GPL-2.0 licensed file with a BSD-3-Clause licensed file. Some organizations may interpret this one way (e.g., only GPL-2.0 terms matters); while other organizations may interpret it another way (e.g., both GPL-2.0 and BSD-3-Clause terms need to be considered). The elegance of the Boolean expression approach is it allows one to represent the licensing terms based on the files it was derived from, *independent* of a given organization’s interpretation (i.e., semantics). The irony of the situation is - I could work for one organization, which would require me to make one interpretation, and then a year later I go work for another organization, which would require me to make a different interpretation for the same expression.
One could argue – it is important to come together as a community to reach common interpretations of license obligations. My response would be – yes, I agree but let’s first start with a generally accepted “neutral” syntax as the foundation of that discussion. I do feel a sense of urgency to flush out a correct syntax so that we can move on to some of the topics you have highlighted. I do believe SPDX’s approach is close, it may just require a few adjustments and a formal write up. This will ultimately be determined by the collective thinking of the working group. I hope you can join the discussion.
Thanks, - Mark
Mark Gisi | Wind River | Senior Intellectual Property Manager Tel (510) 749-2016 | Fax (510) 749-4552
From: Tom Incorvia
[mailto:tom.incorvia@...]
Hi Michael,
I am an early contributor to SPDX, but have been quiet lately.
I would recommend that we delay moving into rights and obligations until our foundation in the descriptions is more solid.
I did some looking into this in the early days, and found approximately 70 discrete license obligations / grants / conditions that potentially differed based on 40 different use cases (e.g., binary / source, modified / unmodified, stand-alone / combined, in-line/static-link/dynamic-link/command-line, distributed/hosted, etc.).
There were 2,680 combinations per license.
Despite the large number of combinations, many of the conditions required interpretation (for instance, many licenses are silent on some of the conditions; sometimes silence means something (implicit warranties, etc.), sometimes it means nothing.
In the end, the SPDX team at the time decided to stick with descriptions and keep away from what could be construed to be interpretations.
Our progress has been slow and tedious even on the description side.
I am thinking that we get the description phase more solid before expanding to this new (and valuable level).
Thanks,
Tom
Tom Incorvia Direct: (512) 340-1336 M: (215) 500 8838 [**NEW** as of Oct 2013] From:
spdx-legal-bounces@... [mailto:spdx-legal-bounces@...]
On Behalf Of RUFFIN, MICHEL (MICHEL)
Mark,
I think that we should go further (moving from syntax to semantic). We should decomposed FOSS license in terms of right and obligations (Blackduck call that attributes in its protex tool).
We have a system in Alcatel-Lucent to do that since years for instance we have attributes to say that there is need to - have or not acknowledgement of authors in our documentation - have run-time acknowledgement - have source code available or not - have the obligation of copyright indemnification in case of IP issues - have the necessity to propagate the licences - ….
This decomposition is very usefull to explain licenses rights and obligations to our R&D teams (with our decomposition we cover most of the major OSI certified licenses) . It is not perfect, and need some more work.
Blackduck is doing a more formal decomposition of licenses for instance there is attribute is “does the license request that the source code MUST be available” or “does the license request that the source code MAY be available”; With that system they are allowed to define if two FOSS licenses are compatible or not. But their decomposition is not perfect because it can create conflict that do not really exists.
The creative commons licenses are doing such kind of decomposition also so you do not pick up a license but a set of rights and obligations and create your license.
I think there is a ground here to raise a standard.
Michel Michel.Ruffin@..., PhD De :
spdx-legal-bounces@... [mailto:spdx-legal-bounces@...]
De la part de Gisi, Mark
In the last SPDX Legal meeting we discussed whether the current SPDX license representation syntax is sufficient to represent the licensing terms of most files (e.g., source, library and binary programs). For example, is the combination of the SPDX license list + current binary operands (AND and OR) sufficient to describe the licensing of most programs derived from multiple source and library files, where each is potentially under a different license.
We decided to hold a break out session dedicated to discussing this topic in greater depth. Initially special consideration will be given to representing files that have licenses with special exceptions and programs derived from files licensed under multiple different licenses. Keep in mind, given the high degree to which sharing occurs in the community, composite licensing has become the norm rather than the expectation. This is a good thing – we just need to make sure SPDX can accommodate it.
I will be organizing the break session. If you are interested in participating send me i) your email, ii) a brief description of your interest, and iii) days/times that work best for you. I will try to select a meeting time to accommodate the most participants.
Best, - Mark
Mark Gisi | Wind River | Senior Intellectual Property Manager Tel (510) 749-2016 | Fax (510) 749-455
|
|
|
