
Meeting tomorrow, Oct. 17

Steve Winslow
 

Hello all,

The next Legal Team meeting will be tomorrow, Thursday, Oct. 17 at 9AM PT / 12PM ET.

I expect the 3.7 release will be complete and live within the next couple of days. So on tomorrow's call, the primary topic will be to focus in on the license inclusion guidelines update that has been in discussion at [1].

As much fun as group writing isn't, on the call let's aim to get specific on what changes are appropriate to make to the inclusion guidelines [2]. Take another read through the issue thread and the current guidelines, and come with thoughts on wording changes that we can start implementing for 3.8.

**Please note** the updated UberConference URL below for the call.

Dial-in info:
Web conference: https://www.uberconference.com/room/SPDXTeam
Optional dial in number: 415-881-1586

Best,
Steve


--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Invitation: SPDX tech&legal team meeting @ Tue Oct 22, 2019 12pm - 1pm (CDT) (spdx-legal@lists.spdx.org)

Kate Stewart
 

You have been invited to the following event.

SPDX tech&legal team meeting

When
Tue Oct 22, 2019 12pm – 1pm Central Time - Chicago
Where
https://zoom.us/j/663426859
Calendar
spdx-legal@...
Who
Kate Stewart - organizer
nishak@...
Philippe Ombredanne
iamwillbar@...
rjudge@...
swinslow@...
hutch@...
Robin Gandhi
spdx-tech@...
spdx-legal@...

Agenda:
- review some of the changes being discussed for SPDX 3.0
  - move from mandatory to optional for licensing fields, copyright, etc.
  - revisit CC0 as data license
  - unification of licensing fields across package, file, snippet section.

https://zoom.us/j/663426859
Meeting ID: 663 426 859

 Tuesdays at 17:00 UTC (and best guess for local time - 10:00AM PDT, 11:00 MDT, 12:00PM CDT, 1:00PM EDT, 18:00 WAT, 19:00 CEST).
 Australia +61 2 8015 2088
 Canada +1 647 558 0588
 Germany +49 30 3080 6188
 Japan +81 3 4578 1488
 US Toll-free 877 369 0926
 Find your local number: https://zoom.us/u/ac9KKJWzJT



Meeting today, Oct. 3 -- note changed URL

Steve Winslow
 

Hello all,

The next Legal Team meeting will be today, Thursday, Oct. 3 at 9AM PT / 12PM ET.

On the call, we'll first look at finalizing approvals for whether to include the following issues in the upcoming 3.7 release:

Each of these was previously discussed during a prior legal team call, but we didn't finalize and mark them as "accepted." So I'd like us to review them and confirm whether accepted for 3.7 (and to get folks to then prepare the XML and test files for inclusion!)

If there is time left over, we may continue the conversation on the license inclusion guidelines update that is in process at https://github.com/spdx/license-list-XML/issues/925.

**Please note** the updated UberConference URL below for the call. The old URL may still work also but may be confusing due to UberConference's recent changes.

Dial-in info:
Web conference: https://www.uberconference.com/room/SPDXTeam
Optional dial in number: 415-881-1586

Best,
Steve

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


SPDX Tools Update

Gary O'Neall
 

I plan on working on an update to the SPDX tools tomorrow, Sunday 29 Sept.  This may impact the availability of the SPDX tools and the license submittal feature.

 

Regards,
Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...


 


ssh 1.0.0 COPYING text.

Mark D Baushke <mdb@...>
 


Meeting today, Sept. 19 -- note changed URL

Steve Winslow
 

Hello all,

The next Legal Team meeting will be today, Thursday, Sept. 19 at 9AM PT / 12PM ET.

The call will focus on finalizing any updates to go into the 3.7 release anticipated for the end of the month. If there is time left over, we may continue the conversation on the license inclusion guidelines update that is in process at https://github.com/spdx/license-list-XML/issues/925.

**Please note** the updated UberConference URL below for the call. The old URL may still work also but may be confusing due to UberConference's recent changes.

Dial-in info:
Web conference: https://www.uberconference.com/room/SPDXTeam
Optional dial in number: 415-881-1586

Best,
Steve

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [spdx-tech] Are there SPDX placeholders?

Steve Winslow
 

I'm not aware of a standardized license expression that would be used _in a short-form source code identifier_ to express these cases.

Within the context of an SPDX document, one can use NOASSERTION to mean several different things that kind of boil down to "I'm not making any statement about what license applies"; and NONE to mean there is no license for the file. See [1]

You could also define a LicenseRef- expression to mean whatever you wanted. [2] has some details about how LicenseRef- expressions work, though again primarily for use in the context of an SPDX document. The REUSE Software spec [3] describes a way to use LicenseRef- expressions together with where to put copies of the corresponding license text.

Regardless, though, if this is code that you are looking to release as part of an open source project, I'd say community expectations are typically that it should have a specified license -- not a "license TBD" notice. If the license is TBD then downstream users, redistributors, etc. won't know what their rights or obligations are. So a project in this situation might want to wait until a license has been selected, and then just start using the corresponding identifier.

Best,
Steve


On Mon, Sep 16, 2019 at 5:19 AM Kate Stewart <kstewart@...> wrote:
+SPDX-legal team for discussion.

Thanks, Kate

On Mon, Sep 16, 2019 at 4:11 AM <michael.kaelbling@...> wrote:
I understand
    // SPDX-License-Identifier: SPDX-ID
But how does the community usually indicate unresolved decisions?

Is (anything starting with) TBD reserved for "to be determined"?

Some unresolved conditions:
- we have not yet decided on a license
    // SPDX-License-Identifier: ((TBD))
- we have narrowed down our choices for a license
    // SPDX-License-Identifier: ((MIT-0 OR MIT) AND ((TBD)))
- we have not yet gotten internal approval for our choice
    // SPDX-License-Identifier: MIT AND ((TBD-pending-internal-approval))
- we have submitted a new license, but the ID has not yet been approved by SPDX.org
    // SPDX-License-Identifier: EUPL-2.0 AND ((TBD-pending-SPDX-registration))



Or does one simply use an ungrammatical expression?

    // SPDX-License-Identifier: * we need to pick a license
    // SPDX-License-Identifier: EUPL-2.0 MODULO SPDX-registration



--
Steve Winslow
Director of Strategic Programs
The Linux Foundation
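
The distinction drawn in the reply above, as an added example (not code from the thread or from the SPDX project): a checker for the expression part of an `SPDX-License-Identifier` line that separates listed identifiers, `LicenseRef-` references, unlisted names such as `TBD`, and text that does not parse. `KNOWN_IDS` is a hand-picked subset of the SPDX License List, the function names and the `LicenseRef-pending-internal-approval` name are hypothetical, and exception names after `WITH` are not checked.

```python
import re

# Constructed subset of the SPDX License List, for illustration only;
# a real checker would load the full published list.
KNOWN_IDS = {"MIT", "MIT-0", "Apache-1.1", "ODbL-1.0", "CC0-1.0"}
RESERVED = {"(", ")", "AND", "OR", "WITH"}

TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-]+\+?)")
LICENSE_REF = re.compile(r"LicenseRef-[A-Za-z0-9.\-]+$")


def tokenize(expr):
    """Split an expression into tokens; ValueError on characters outside the grammar."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character {expr[pos]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens):
    """Return the license identifiers used; ValueError if the expression is ungrammatical."""
    ids, pos = [], 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("expression ends early")
        pos += 1
        if tok == "(":
            or_expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            pos += 1
        elif tok in RESERVED:
            raise ValueError(f"unexpected {tok!r}")
        else:
            ids.append(tok)
            if peek() == "WITH":          # exception name is consumed, not checked
                pos += 1
                if peek() is None or peek() in RESERVED:
                    raise ValueError("WITH needs an exception name")
                pos += 1

    def and_expr():                       # AND binds tighter than OR
        nonlocal pos
        atom()
        while peek() == "AND":
            pos += 1
            atom()

    def or_expr():
        nonlocal pos
        and_expr()
        while peek() == "OR":
            pos += 1
            and_expr()

    or_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return ids


def classify(expr):
    """Return ('ok', ids), ('unlisted', names) or ('invalid', reason)."""
    try:
        ids = parse(tokenize(expr))
    except ValueError as err:
        return ("invalid", str(err))
    unlisted = [i for i in ids
                if i.rstrip("+") not in KNOWN_IDS and not LICENSE_REF.match(i)]
    return ("unlisted", unlisted) if unlisted else ("ok", ids)


if __name__ == "__main__":
    # Expressions taken from the question quoted above, plus one LicenseRef- variant.
    for sample in ["((TBD))", "((MIT-0 OR MIT) AND ((TBD)))",
                   "* we need to pick a license", "EUPL-2.0 MODULO SPDX-registration",
                   "MIT AND LicenseRef-pending-internal-approval"]:
        print(f"{sample!r:55} -> {classify(sample)}")
```

Note that `((TBD))` parses: it is grammatical but names a license that is not on the list, which is a different failure from the free-text lines that do not parse at all.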


Re: How to best handle modification notices and notices of origin in SPDX

Matija Šuklje
 

On Friday, 6 September 2019 05:35:48 CEST, J Lovejoy wrote:

I really wouldn’t conflate attribution and copyright notices - that seems to lead to a lot of unnecessary confusion and other energy
FWIW - this reminded me that there are some licenses that require a specific acknowledgment (I’m intentionally not using “attribution” :) in the form of specific text you need to reproduce, such as Apache-1.1, clause 3 - https://www.gnu.org/licenses/identify-licenses-clearly.en.html
Depends on the license (e.g. CC licenses) and jurisdiction (moral rights), I’d say. So if someone really wanted to start a stink, they might use.

But you’re right, this is wider than just attribution, but that seemed the easiest use case/term for it.

When we began to do the review and conversion for the XML format, we began to label licenses that have this. We didn’t necessarily catch all of them or implement a XML tag for this, but the idea was that it would be possible (if someone wanted to do the work, there was enough work at that point that we didn’t proceed down this path at the time). Just thought I’d mention!
That helps with the license( template)s on the SPDX license list, but not all of these are included in the license text (again, see CC licenses, or UFL-1.1).

Regarding going through the XML sources and putting in the tags, I volunteer, so feel free to assign a ticket to me, but don’t have any free cycles until OSSEurope.


cheers,
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...


Re: [spdx-tech] Are there SPDX placeholders?

Kate Stewart
 

+SPDX-legal team for discussion.

Thanks, Kate

On Mon, Sep 16, 2019 at 4:11 AM <michael.kaelbling@...> wrote:
I understand
    // SPDX-License-Identifier: SPDX-ID
But how does the community usually indicate unresolved decisions?

Is (anything starting with) TBD reserved for "to be determined"?

Some unresolved conditions:
- we have not yet decided on a license
    // SPDX-License-Identifier: ((TBD))
- we have narrowed down our choices for a license
    // SPDX-License-Identifier: ((MIT-0 OR MIT) AND ((TBD)))
- we have not yet gotten internal approval for our choice
    // SPDX-License-Identifier: MIT AND ((TBD-pending-internal-approval))
- we have submitted a new license, but the ID has not yet been approved by SPDX.org
    // SPDX-License-Identifier: EUPL-2.0 AND ((TBD-pending-SPDX-registration))



Or does one simply use an ungrammatical expression?

    // SPDX-License-Identifier: * we need to pick a license
    // SPDX-License-Identifier: EUPL-2.0 MODULO SPDX-registration


Re: [spdx] Adding a new opendata-focus license?

Bastien
 

Dear Patrice-Emmanuel,

"Patrice-Emmanuel SCHMITZ via Lists.Spdx.Org"
<pe.schmitz=googlemail.com@...> writes:

The French law (CRPA - D323-2-1) states that public administrations
may only use two "data" licenses for public sector information
(without initiating an exception process):

1° Licence ouverte de réutilisation d'informations publiques ;

2° Open Database License (which has the SPDX identifier ODbL-1.0)
Yes, this is correct, provided that "public sector information" is
understood as "public sector data". For public sector source code,
public agencies are allowed to use other open source licenses, as
stated here (in french): https://www.data.gouv.fr/fr/licences

Is your Etalab "Open License" corresponding to the first one?
Yes.

Has it a working value in both French and English?
Yes.

Thanks,

--
Bastien Guerry


Re: [spdx] Adding a new opendata-focus license?

Patrice-Emmanuel SCHMITZ
 

A question for Bastien:
The French law (CRPA - D323-2-1) states that public administrations may only use two "data" licenses for public sector information (without initiating an exception process):

1° Licence ouverte de réutilisation d'informations publiques ;

2° Open Database License (which has the SPDX identifier ODbL-1.0)

Is your Etalab "Open License" corresponding to the first one? 
Has it a working value in both French and English?
Thanks, 
Patrice

On Fri, Sep 6, 2019 at 05:04, J Lovejoy <opensource@...> wrote:
Hi Bastien,

The process for requesting a new license be added to the SPDX License List is documented here: https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md (and happy to get your feedback on the documentation of the process!)

By the way - It looks like you sent this to the general mailing list, not the legal mailing list, as this got caught up in our filter. I have released it (obviously), but you might want to make sure you are actually on the legal mailing list here: https://lists.spdx.org/g/spdx-legal (and I’m replying to both lists, but bcc the general list, as we try to keep specific topics to the specific lists)

Thanks!

Jilayne
SPDX legal team co-lead

On Sep 4, 2019, at 2:57 AM, Bastien <bastien.guerry@...> wrote:

Dear all,

I'm working for Etalab, the mission for promoting and coordinating
Open Data publications in the french public sector.

The most commonly used license for french open data is the "Open
License", published and maintained by Etalab.  Roughly speaking, it is
equivalent to a CC-by 4.0.  You can read it here:

https://www.etalab.gouv.fr/wp-content/uploads/2018/11/open-licence.pdf

What is the process to ask and get a SPDX identifier for this license?

I am sorry if the question has been raised before, I have been on this
list since a few months only.

Thanks in advance for any answer!

Cheers,

--
Bastien Guerry






--
Patrice-Emmanuel Schmitz
pe.schmitz@...
tel. + 32 478 50 40 65


Re: [spdx] Adding a new opendata-focus license?

Bastien
 

Hi Jilayne,

thanks for following up!

"J Lovejoy" <opensource@...> writes:

The process for requesting a new license be added to the SPDX License
List is documented here:
https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md
(and happy to get your feedback on the documentation of the process!)
Yes, I went through this process - I'll see if I have useful feedback
on the documentation, but things looked clear to me.

By the way - It looks like you sent this to the general mailing list,
not the legal mailing list, as this got caught up in our filter. I
have released it (obviously), but you might want to make sure you are
actually on the legal mailing list here:
https://lists.spdx.org/g/spdx-legal (and I’m replying to both lists,
but bcc the general list, as we try to keep specific topics to the
specific lists)
I think I'm correctly subscribed to both mailing lists.

Thanks!

--
Bastien Guerry


Re: How to best handle modification notices and notices of origin in SPDX

J Lovejoy
 

better late, than never...

On Aug 22, 2019, at 8:34 AM, Matija Šuklje <matija@...> wrote:

On Sunday 28 July 2019 22:16:34 CEST
garysourceauditor@... wrote:
[G.O.] First a disclaimer - I have not implemented this specific
use case in an SPDX document, but here is one approach: For the
origin package, create a package definition (you can use
FilesAnalyzed=False to keep the required fields to a minimum).
Create a relationship between the modified file and the origin
with a relationship type FileModified and a comment indicating
what was changed.

I can see how this could work in the sense where we are using
packages. But it also seems like quite a tooling-heavy approach.

If I understand you correctly, this would imply you have an
inventory of all the packages used with corresponding SPDX files,
and then this inventory (or build system) could be used to track
the relationships and modification status.

BTW, if we’re talking about small single-file situations (e.g.
CSS, JS, fonts, images), it seems quite a hassle. Imagine doing
this for every single placeholder image.

In any case, there is still the attribution/provenance question
open.

The hack I currently have in mind is to misuse the
SPDX-FileCopyrightText tag in REUSE, but would very much like to depend
on something better.
https://github.com/fsfe/reuse-docs/issues/43


I really wouldn’t conflate attribution and copyright notices - that seems to lead to a lot of unnecessary confusion and other energy

FWIW - this reminded me that there are some licenses that require a specific acknowledgment (I’m intentionally not using “attribution” :) in the form of specific text you need to reproduce, such as Apache-1.1, clause 3 - https://www.gnu.org/licenses/identify-licenses-clearly.en.html  

When we began to do the review and conversion for the XML format, we began to label licenses that have this. We didn’t necessarily catch all of them or implement a XML tag for this, but the idea was that it would be possible (if someone wanted to do the work, there was enough work at that point that we didn’t proceed down this path at the time).  Just thought I’d mention!

Jilayne




Re: [spdx] Adding a new opendata-focus license?

J Lovejoy
 

Good catch Steve! I should have looked there first before replying.

(carry on as usual, all, don’t mind me!)

On Sep 5, 2019, at 9:11 PM, Steve Winslow <swinslow@...> wrote:

Hi Bastien — I see also that you did submit an issue for this license, at https://github.com/spdx/license-list-XML/issues/923. Glad you found the entry point and thanks for the responses to my questions in that thread  =)

As Jilayne noted, the CONTRIBUTING file describes the next steps. Members of the SPDX community can review and weigh in on whether the license should be added to the list. If it is, then the subsequent step would be to prepare an XML file in the license list format (and a corresponding test text file) for the license.

The legal team holds calls every other Thursday — the next one will be September 19. You can feel free to join if you would like. 

Best,
Steve


On Thu, Sep 5, 2019 at 11:04 PM J Lovejoy <opensource@...> wrote:
Hi Bastien,

The process for requesting a new license be added to the SPDX License List is documented here: https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md (and happy to get your feedback on the documentation of the process!)

By the way - It looks like you sent this to the general mailing list, not the legal mailing list, as this got caught up in our filter. I have released it (obviously), but you might want to make sure you are actually on the legal mailing list here: https://lists.spdx.org/g/spdx-legal (and I’m replying to both lists, but bcc the general list, as we try to keep specific topics to the specific lists)

Thanks!

Jilayne
SPDX legal team co-lead

On Sep 4, 2019, at 2:57 AM, Bastien <bastien.guerry@...> wrote:

Dear all,

I'm working for Etalab, the mission for promoting and coordinating
Open Data publications in the french public sector.

The most commonly used license for french open data is the "Open
License", published and maintained by Etalab.  Roughly speaking, it is
equivalent to a CC-by 4.0.  You can read it here:

https://www.etalab.gouv.fr/wp-content/uploads/2018/11/open-licence.pdf

What is the process to ask and get a SPDX identifier for this license?

I am sorry if the question has been raised before, I have been on this
list since a few months only.

Thanks in advance for any answer!

Cheers,

--
Bastien Guerry






--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [spdx] Adding a new opendata-focus license?

Steve Winslow
 

Hi Bastien — I see also that you did submit an issue for this license, at https://github.com/spdx/license-list-XML/issues/923. Glad you found the entry point and thanks for the responses to my questions in that thread  =)

As Jilayne noted, the CONTRIBUTING file describes the next steps. Members of the SPDX community can review and weigh in on whether the license should be added to the list. If it is, then the subsequent step would be to prepare an XML file in the license list format (and a corresponding test text file) for the license.

The legal team holds calls every other Thursday — the next one will be September 19. You can feel free to join if you would like. 

Best,
Steve


On Thu, Sep 5, 2019 at 11:04 PM J Lovejoy <opensource@...> wrote:
Hi Bastien,

The process for requesting a new license be added to the SPDX License List is documented here: https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md (and happy to get your feedback on the documentation of the process!)

By the way - It looks like you sent this to the general mailing list, not the legal mailing list, as this got caught up in our filter. I have released it (obviously), but you might want to make sure you are actually on the legal mailing list here: https://lists.spdx.org/g/spdx-legal (and I’m replying to both lists, but bcc the general list, as we try to keep specific topics to the specific lists)

Thanks!

Jilayne
SPDX legal team co-lead

On Sep 4, 2019, at 2:57 AM, Bastien <bastien.guerry@...> wrote:

Dear all,

I'm working for Etalab, the mission for promoting and coordinating
Open Data publications in the french public sector.

The most commonly used license for french open data is the "Open
License", published and maintained by Etalab.  Roughly speaking, it is
equivalent to a CC-by 4.0.  You can read it here:

https://www.etalab.gouv.fr/wp-content/uploads/2018/11/open-licence.pdf

What is the process to ask and get a SPDX identifier for this license?

I am sorry if the question has been raised before, I have been on this
list since a few months only.

Thanks in advance for any answer!

Cheers,

--
Bastien Guerry




--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [spdx] Adding a new opendata-focus license?

J Lovejoy
 

Hi Bastien,

The process for requesting a new license be added to the SPDX License List is documented here: https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md (and happy to get your feedback on the documentation of the process!)

By the way - It looks like you sent this to the general mailing list, not the legal mailing list, as this got caught up in our filter. I have released it (obviously), but you might want to make sure you are actually on the legal mailing list here: https://lists.spdx.org/g/spdx-legal (and I’m replying to both lists, but bcc the general list, as we try to keep specific topics to the specific lists)

Thanks!

Jilayne
SPDX legal team co-lead

On Sep 4, 2019, at 2:57 AM, Bastien <bastien.guerry@...> wrote:

Dear all,

I'm working for Etalab, the mission for promoting and coordinating
Open Data publications in the french public sector.

The most commonly used license for french open data is the "Open
License", published and maintained by Etalab.  Roughly speaking, it is
equivalent to a CC-by 4.0.  You can read it here:

https://www.etalab.gouv.fr/wp-content/uploads/2018/11/open-licence.pdf

What is the process to ask and get a SPDX identifier for this license?

I am sorry if the question has been raised before, I have been on this
list since a few months only.

Thanks in advance for any answer!

Cheers,

--
Bastien Guerry





license inclusion guidelines

J Lovejoy
 

Hi all,

A few months ago we began a project to update the license inclusion principles (as well as some other documentation updates in terms of both substance and location).

Specifically, currently the license inclusion guidelines are posted here: https://spdx.org/spdx-license-list/license-list-overview These were written around 2013 and we recently recognized a need to update them. (We also had decided we ought to move them to the Github repo, but that is somewhat tangential to the substantive question here.)

We have made a first draft of changes based on discussions on the calls https://wiki.spdx.org/view/Legal_Team/Minutes/2019-05-02 You can see that initial iteration here: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md

We recognized there would need to be further iterations. In particular, we have had recent submissions that are arguably not substantive open source licenses (e.g., Commons Clause, Polyform licenses) - should these be included on the SPDX License List and if so, then how do the inclusion principles need to change and where do we draw the line?

Can you please comment on the Github issue here: https://github.com/spdx/license-list-XML/issues/925 , so we can iterate on this and then come to a final, new set of inclusion principles.

Thanks,
Jilayne


Re: Meeting tomorrow, Sept. 5

Steve Winslow
 

Hi folks -- for the Legal Team call in about 50 minutes, it looks like UberConference has up and changed their user interface.... and also their URL scheme for joining calls  :)

For the call, try using the following link instead: https://www.uberconference.com/room/SPDXTeam
And either way, the dial-in number should (hopefully) still work: +1 415-881-1586

On Wed, Sep 4, 2019 at 8:01 PM Steve Winslow via Lists.Spdx.Org <swinslow=linuxfoundation.org@...> wrote:
Hello all,

The next Legal Team meeting will be tomorrow, Thursday, Sept. 5 at 9AM PT / 12PM ET (following the General Meeting one hour earlier).

Dial-in info:
Web conference: http://uberconference.com/SPDXTeam
Optional dial in number: 415-881-1586

Best,
Steve

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation



--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Meeting tomorrow, Sept. 5

Steve Winslow
 

Hello all,

The next Legal Team meeting will be tomorrow, Thursday, Sept. 5 at 9AM PT / 12PM ET (following the General Meeting one hour earlier).

Dial-in info:
Web conference: http://uberconference.com/SPDXTeam
Optional dial in number: 415-881-1586

Best,
Steve

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


#spdx https://groups.io/static/tos #spdx

Pnx Rujiphan
 
