|
Mismatches between OSI and SPDX
Max Mehl
Dear all,
In my organisation, we define all licenses approved by OSI as valid Open Source licenses. However, we also increasingly rely on SPDX and therefore also its license list.
Recently, we found several mismatches between OSI’s list of approved licenses [1] and the licenses marked as OSI-approved in SPDX’s list [2]. Certainly, some of these issues are on OSI’s side (e.g., misleading links or wrong SPDX identifiers). But most mismatches are from licenses on SPDX’s list that cannot be found on the OSI website.
I documented my findings for all issues in this gist: https://gist.github.com/mxmehl/1e7a3aed4ff14a8ddfd4aff8ab4de552
Now, I am sure I’m not the first who notices this. Is this a known problem? Is the OSI website incomplete and/or SPDX list incorrect? What can we do to better align both sources?
Thanks for any insights.
Best, Max
[1]: https://opensource.org/licenses/alphabetical [2]: https://github.com/spdx/license-list-data/blob/v3.19/json/licenses.json
-- Max Mehl Open Source Strategy & Governance Enterprise-Team Chief Technology Office (CTO), T.IP E-T-378
DB Systel GmbH Jürgen-Ponto-Platz 1, 60329 Frankfurt/M
Pflichtangaben anzeigen Nähere Informationen zur Datenverarbeitung im DB-Konzern finden Sie hier: https://www.deutschebahn.com/de/konzern/datenschutz |
|
|
|
meeting tomorrow/Thursday
J Lovejoy
Hi all,
Just a reminder of our regular legal team meeting at 9am Pacific time. We'll look at some of the open issues and discuss how to best tackle the many new license submissions we have! See: https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+label%3A%22new+license%2Fexception+request%22 We also need to address the Change Proposal re: "ExceptionRef" - see https://github.com/spdx/change-proposal/blob/main/proposals/ExceptionRef.md and discussion at https://github.com/spdx/change-proposal/issues/4 However, given that I am only getting this reminder out now and we should have more notice to people for cross-team awareness, please consider if our final meeting of the year on Dec 22nd would be a good time to discuss, if we should schedule a different time before the end of the year, or if we should put this on hold until January? Thanks, Jilayne |
|
|
|
Re: standardizing opt-out of EU data mining rights?
J Lovejoy
On 11/15/22 12:34 PM, Luis Villa wrote:
JL: to be clear, this proposal is about an improved way to capture "exceptions" that are NOT on the SPDX License List, so relevant to the extent that such a hypothetical additional clause would not end up being eligible for inclusion on the SPDX License List, you could still represent it with an SPDX conformant license expression JL: I don't think it's inconsistent with this, but it is consistent with the prior standing license inclusion guidelines - see previous email |
|
|
|
Re: standardizing opt-out of EU data mining rights?
J Lovejoy
Hi Luis,
While I'm barely getting my head around the many complications related to the reality of AI models and data, let alone the related licensing issues... Let me try to answer some of your questions below as to the SPDX License List and process :) Cheers, Jilayne On 11/10/22 12:58 PM, Luis Villa wrote:
JL: so you are thinking of a clause that would not be a stand-alone license, but made to be used with existing open source licenses? (assuming that is correct...) JL: it could, potentially, be treated as an "exception" (that is, as described on the SPDX License List exceptions page: "exceptions grant an exception to a license condition or additional permissions beyond those granted in a license; they are not stand-alone licenses.") - which would mean, submit like usual, review by SPDX-legal, if accepted under the SPDX inclusion guidelines, then it would get assigned an SPDX id and could be used by way of an SPDX license expression using the operator, WITH JL: it probably would be. This is because the long-standing license inclusion guidelines more-or-less followed the OSD, so we would not accept further restrictions. Since the license inclusion guidelines were updated and loosened a bit a couple years ago, we have not explicitly discussed a revised policy as to exception. JL: well, see above, and the factors in the license inclusion guidelines would still apply
|
|
|
|
Re: standardizing opt-out of EU data mining rights?
Luis Villa
On Thu, Nov 10, 2022 at 5:06 PM Richard Fontana <rfontana@...> wrote: On Thu, Nov 10, 2022 at 3:01 PM Luis Villa <luis@...> wrote: Note that this has gone beyond the hypothetical; for some reason they put the text behind a weird GitHub process-wall so I have not read the text nor seen what they do to make the information machine-readable: |
|
|
|
3.19 License List release
Steve Winslow
Hello all, The version 3.19 release of the license list is now tagged and live at https://spdx.org/licenses. 5 new licenses / exceptions were added to the list: 1. checkmk 2. FSFULLRWD 3. Knuth-CTAN 4. libutil-David-Nugent 5. x11vnc-openssl-exception Unlike most release cycles, for 3.19 the team focused on updates to documentation and reviewing current processes, and spent less time during Legal Team calls reviewing submitted licenses. The new documentation includes more details on XML templating / fields and the license list release process, along with improvements to the FAQs and the SPDX Online Tools' new license request form. The release also included adjustments to markup for many licenses and other minor changes. More details can be found in the release notes at https://github.com/spdx/license-list-XML/releases/tag/v3.19. Thank you as always to the participants in the SPDX Legal community and license request submitters who contributed to this release. For 3.20, I'm anticipating we will have a much longer list of new licenses, in light of the many requests relating to licenses for Fedora packages. Come help us review, approve and add those! See https://lists.spdx.org/g/Spdx-legal/topic/95055362 for more details on some of the current pending requests. Steve |
|
|
|
Re: licenses to review for submission
J Lovejoy
Hi all,
toggle quoted message
Show quoted text
As per our license review protocol, we need 3 SPDX-legal team members to agree to add a license (not counting the submitter). Can we get more people to weigh in on these: https://github.com/spdx/license-list-XML/issues/1608 https://github.com/spdx/license-list-XML/issues/1652 these need 1 more person to weigh in: https://github.com/spdx/license-list-XML/issues/1614 https://github.com/spdx/license-list-XML/issues/1612 https://github.com/spdx/license-list-XML/issues/1611 https://github.com/spdx/license-list-XML/issues/1606 https://github.com/spdx/license-list-XML/issues/1550 (analysis done for this one and is similar to #1551, so view together) https://github.com/spdx/license-list-XML/issues/1551 Thanks! Jilayne On 11/15/22 3:51 PM, J Lovejoy wrote:
Hi all, In light of our discussion on our last call about how to make it easier and faster to get licenses reviewed (and adhere to our 3 “votes” from spdx-legal members for a license to be included), I’m sending a list of license submission issues that have at least one person reviewed below - please have a look and add your thoughts! https://github.com/spdx/license-list-XML/issues/1706 https://github.com/spdx/license-list-XML/issues/1614 https://github.com/spdx/license-list-XML/issues/1612 https://github.com/spdx/license-list-XML/issues/1611 https://github.com/spdx/license-list-XML/issues/1606 https://github.com/spdx/license-list-XML/issues/1550 (analysis done for this one and is similar to #1551, so view together) https://github.com/spdx/license-list-XML/issues/1551 Note - not all of these used the license submission template. Relatedly, I used the new version of that on a couple and although the check boxes are an improvement, I still find it a bit clunky and slow. I am not sure if this is a biased view b/c I have so much historical knowledge, but I do think some of the factors are sort of “n/a” in some cases and you know that from the initial submission. That being said, I’m not sure I have any good ideas as to how to make it shorter or faster… yet…. Thanks! Jilayne |
|
|
|
Cancelling call for Nov. 24
Steve Winslow
Hi all, We're cancelling the SPDX legal team call for tomorrow, Nov. 24 due to the US holiday. Looking forward to picking up again in December. If you have some spare time and just can't get enough license review, feel free to take a look in particular at the licenses that Jilayne sent around last week: https://lists.spdx.org/g/Spdx-legal/message/3276 and weigh in with your thoughts in the relevant issue threads. Best, Steve |
|
|
|
Re: [spdx-tech] FYI - planned downtime for tools.spdx.org
Gary O'Neall
Hi Dick,
SPDX 2.3 should be supported with yesterday’s update to the online tools. I just verified this with one of the example SPDX files.
If you could try again. If it doesn’t work, please submit an issue at https://github.com/spdx/spdx-online-tools/issues with an attached SPDX file to reproduce the problem and I’ll take a look.
Gary
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Tuesday, November 15, 2022 1:45 PM To: 'Gary O'Neall' <gary@...>; Spdx-tech@...; 'SPDX-legal' <spdx-legal@...> Subject: Re: [spdx-tech] FYI - planned downtime for tools.spdx.org
Gary,
Any projections when V 2.3 will be supported by the online tool?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Gary O'Neall
The SPDX online tools should now be available. The online tools have been updated to version 1.0.9. There were several fixes and updates – I’ll update the release information in the SPDX online tools over the next day or two to describe the changes.
If you run into any issues, please submit them at https://github.com/spdx/spdx-online-tools/issues
Thanks,
From: Gary O'Neall <gary@...>
Just FYI – I’m planning to update the software at tools.spdx.org within the next hour or so (around 9AM Pacific time), so the site will be down for just a few minutes if all goes well.
Gary
------------------------------------------------- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: gary@... CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
|
|
|
|
licenses to review for submission
J Lovejoy
Hi all,
In light of our discussion on our last call about how to make it easier and faster to get licenses reviewed (and adhere to our 3 “votes” from spdx-legal members for a license to be included), I’m sending a list of license submission issues that have at least one person reviewed below - please have a look and add your thoughts! https://github.com/spdx/license-list-XML/issues/1706 https://github.com/spdx/license-list-XML/issues/1614 https://github.com/spdx/license-list-XML/issues/1612 https://github.com/spdx/license-list-XML/issues/1611 https://github.com/spdx/license-list-XML/issues/1606 https://github.com/spdx/license-list-XML/issues/1550 (analysis done for this one and is similar to #1551, so view together) https://github.com/spdx/license-list-XML/issues/1551 Note - not all of these used the license submission template. Relatedly, I used the new version of that on a couple and although the check boxes are an improvement, I still find it a bit clunky and slow. I am not sure if this is a biased view b/c I have so much historical knowledge, but I do think some of the factors are sort of “n/a” in some cases and you know that from the initial submission. That being said, I’m not sure I have any good ideas as to how to make it shorter or faster… yet…. Thanks! Jilayne |
|
|
|
Re: standardizing opt-out of EU data mining rights?
Luis Villa
Thanks for the links, Richard. I'll try to follow up there though of course welcome further discussion here as well. On Thu, Nov 10, 2022 at 5:06 PM Richard Fontana <rfontana@...> wrote: On Thu, Nov 10, 2022 at 3:01 PM Luis Villa <luis@...> wrote: |
|
|
|
Re: FYI - planned downtime for tools.spdx.org
Gary O'Neall
The SPDX online tools should now be available. The online tools have been updated to version 1.0.9. There were several fixes and updates – I’ll update the release information in the SPDX online tools over the next day or two to describe the changes.
If you run into any issues, please submit them at https://github.com/spdx/spdx-online-tools/issues
Thanks,
From: Gary O'Neall <gary@...>
Sent: Tuesday, November 15, 2022 8:04 AM To: 'Spdx-tech@...' <Spdx-tech@...>; 'SPDX-legal' <spdx-legal@...> Subject: FYI - planned downtime for tools.spdx.org
Just FYI – I’m planning to update the software at tools.spdx.org within the next hour or so (around 9AM Pacific time), so the site will be down for just a few minutes if all goes well.
Gary
------------------------------------------------- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: gary@... CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
|
|
|
|
FYI - planned downtime for tools.spdx.org
Gary O'Neall
Just FYI – I’m planning to update the software at tools.spdx.org within the next hour or so (around 9AM Pacific time), so the site will be down for just a few minutes if all goes well.
Gary
------------------------------------------------- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: gary@... CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
|
|
|
|
Re: standardizing opt-out of EU data mining rights?
Richard Fontana
On Thu, Nov 10, 2022 at 3:01 PM Luis Villa <luis@...> wrote:
[...] (1) Would SPDX be an appropriate mechanism for representing that opt-out clause in a machine-readable way, eg via a short identifier + WITH?Recent exchange that is possibly slightly related to those questions: https://github.com/spdx/change-proposal/issues/4#issuecomment-1283004681 https://github.com/spdx/change-proposal/issues/4#issuecomment-1304842184 Basically, I believe SPDX has locked itself into a model of what an "exception" is that is based on normative FSF doctrine built up around FSF-authorized GPL exceptions, but which does not fully reflect how standardized license terms actually get supplemented by other terms in the real world with the GPL and other FOSS licenses (in some cases by removing permissions, and in some cases where it is not actually clear whether permissions are being removed). I think this is inconsistent with SPDX's professed mission of focusing on "just the facts". I think Steve's view is that indeed generalizing the concept of what an exception is would break some expectations around models and tooling. - Richard |
|
|
|
standardizing opt-out of EU data mining rights?
Luis Villa
Hi, all- [Starting here, though I realize SPDX cannot be a complete answer to this problem. Also not on spdx-ai because it isn't about AI models/data, but happy to move discussion or cc if that makes sense.] As you all have probably seen, one area of interesting research in machine learning right now is training models on source code in order to generate more source code. Whether or not this is legal in the US is somewhat unclear, but in the EU there appears to be more clarity: data mining is legal, but a licensor can opt out.[1] The W3C has done some work on how to implement this opt out in the digital space[2] but as you would imagine it is optimized for the web environment, not source code. So there is, as of yet, no standardized way for source code authors to express their desire to opt-out of data mining, as is their right under EU law. So, some questions/thinking out loud about what role SPDX might play in such an opt-out scheme. Presume, for purposes of discussion, that someone else writes a standardized data mining opt-out clause, tailored for use with open source software, that a developer could attempt to apply to their project. (1) Would SPDX be an appropriate mechanism for representing that opt-out clause in a machine-readable way, eg via a short identifier + WITH? (2) This would be, to the best of my knowledge, the first proposed Exception that removes permissions[3] rather than granting new permissions. Would that be acceptable to SPDX? Would that break any implicit or explicit expectations of the specifications or tooling? (3) Because this is a restriction for a specific use case it might not be OSD-compliant, or might not be GPLv2-compliant. Without trying to answer here whether it is OSD-compliant, what requirements would SPDX want to see met? Would OSI review/approval be necessary? "Mere" deployment/usage in the wild? Other? This is not a purely hypothetical question, for what it is worth - people in the AI community (specifically, part of the BigCode project[3]) are actively trying to figure this out right now, and I'd like to be able to build a bridge there if this group thinks it would be appropriate. Thanks- Luis [1] some more details: https://felixreda.eu/2021/07/github-copilot-is-not-infringing-your-copyright/ |
|
|
|
meeting on Thursday
J Lovejoy
Hi all,
We have our regular meeting Thursday at noon Eastern time. The US set back the clocks this past weekend, so we should be back to the usual time intervals. As we move into the next release cycle, we have 32 new license requests earmarked for 3.20 - see https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+milestone%3A3.20+label%3A%22new+license%2Fexception+request%22 I think it’d be good to discuss ideas on any streamlining of both the review of the licenses; and the creation of the XML and TXT files for those accepted! Thanks, Jilayne |
|
|
|
FAQs update
J Lovejoy
Hi all,
I deviated slightly from the plan as discussed at our last call regarding updating the FAQs. I went ahead and made a PR here: https://github.com/spdx/license-list-XML/pull/1692 as working in the Google doc was getting a bit unwieldy. Steve - can you merge that so people can then iterate there? Feel free to add comments or additional PRs to that content via Github. I have kept FAQs that are not in the pull request in the Google doc here: https://docs.google.com/document/d/1VhqW3WgG0T2rDdPP-7lx9VbLVU3RAykOy9ZjZOS664I/edit for questions that still need an answer or need further editing. Feel free to contribute there in terms of answering or adding more questions. Thanks! Jilayne |
|
|
|
Re: Unicode
Nathan Willis
With the colossal caveat that I am only a **consumer of** Unicode's deliverables, I could speak briefly to the concern at point #3:
This is certainly inconvenient, but the Unicode site does host quite a few items with practical application, but which aren't under the "DATA FILES" and "SOFTWARE" hierarchies spelled out in "B" of the TOU. Namely, there is the whole "Unicode® Technical Site" at the entry point https://unicode.org/main.html ... which is different from the "Unicode site" at the entry point https://home.unicode.org/ Some of that "Technical Site" material covers projects and committees; there are also older documents, proposals, some data tables, things called "annexes" that I'm never 100% sure I understand the status of, and so on. My guess would be that there is a lot of legacy material from the organization's history that simply doesn't have a clear-cut, select-a-license-from-the-dropdown option. Fortunately, a lot of that material is mostly needed as references, but I can certainly see how occasions would arise where quoting from it is necessary to squash a bug. I've had people attach screenshots from really old Unicode docs in discussion threads. So I wouldn't attempt to weigh in on the other issues (certainly keeping the text up-to-date sounds vital), but merely dropping the license from SPDX would likely affect (a few) projects downstream. Nate -- |
|
|
|
Unicode
Dear all,
I'm wondering why https://spdx.org/licenses/Unicode-TOU.html is (still) part of the license list. Could it be deprecated? 1. First of all, the current text of the "Unicode® Copyright and Terms of Use" is quite different from the text which is referenced at https://spdx.org/licenses/Unicode-TOU.html (SPDX License Diff is very helpful to show the differences - thanks again to Alan Tse). 2. Sec. C.3 of the current version refers to the "Unicode Data Files and Software License": "Further specifications of rights and restrictions pertaining to the use of the Unicode DATA FILES and SOFTWARE can be found in the Unicode Data Files and Software License." The "Unicode Data Files and Software License" (https://www.unicode.org/license.txt) is similar but not identical to "https://spdx.org/licenses/Unicode-DFS-2016.html". 3. To me it seems that the "Unicode® Copyright and Terms of Use" are more or less ToU for a website and all redistributables are under "Unicode-DFS". 4. Unicode modifies the "year" within the copyright notice from year to year. The "Unicode Data Files and Software License" provides as follows: "this copyright and permission notice appear with all copies of the Data Files or Software" Would this require to identify in which year the data and/or software was copied from the Unicode website to use the license text with the correct year? Would it be sufficient to use the most recent version of the license text? Should this be reflected in the SPDX identifier? Is there anybody with more background information who can give some assistance? Best regards, Till |
|
|
|
Re: Question about license matching with SPDX templates
Thank you very much Steve. I’ll take a read through those resources and see how my code needs updating.
Thanks again! Peter |
|
|
