|
Re: SPDX-License-Identifier for composite-licensed source files
Kate Stewart
Hi Richard, I suspect the others will comment as well, but I would hope to see "SPDX-License-Identifier: MPL-2.0 AND Apache-2.0" as a summary. The second approach may become ambiguous to scanners as they may try to treat it as an "OR", and I believe that "AND" is truer to the intention here. Kate On Thu, Dec 12, 2019 at 10:30 AM Richard Fontana <rfontana@...> wrote: Suppose you're dealing with the following source file legal notice |
||||||||||||||
|
|
||||||||||||||
|
SPDX-License-Identifier for composite-licensed source files
Richard Fontana
Suppose you're dealing with the following source file legal notice
(example taken from https://www.mozilla.org/en-US/MPL/2.0/permissive-code-into-mpl/, itself adapted from the examples discussed by SFLC in this old paper: https://www.softwarefreedom.org/resources/2007/gpl-non-gpl-collaboration.html): /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * This file incorporates work covered by the following copyright and * permission notice: * * Copyright 2013 Joe Bloggs * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ Is there a recommended approach to translating this to use SPDX-Liense-Identifier strings? One possibility might be: /* Copyright 2013 Joe Bloggs * SPDX-License-Identifier: MPL-2.0 AND Apache-2.0 */ This approach represents all the copyright and license information in the original file without making the legal judgment that is implicit in the original notice (as to the legal effect of one-way compatibility of the Apache License 2.0 with MPL 2.0), beyond possibly what someone might choose to infer from the mere ordering of the conjunctive set of licenses. But it gives the possibly-false impression that Joe Bloggs is the sole or, in some sense, primary copyright owner of the code in the file, which results in part from the absence of a copyright notice for the MPL licensor(s). Another possibility might be: /* SPDX-License-Identifier: MPL-2.0 * This file incorporates work covered by the following copyright notice and license: * Copyright 2013 Joe Bloggs * SPDX-License-Identifier: Apache-2.0 */ This is closer to the original, and provides the same opinion on the licensing consequence of the "incorporation" of the Apache License 2.0 code, but whether that is good or bad I'm not sure. (As I understand it there's a theme in SPDX of attempting to avoid making legal judgments.) But it has a verbosity that I would think goes against the whole spirit of using the SPDX-License-Identifier construct. What's the best practice for source files of this sort, containing code under multiple licenses where there is some notion of code under the more permissive license being subsumed under the more restrictive license of incorporation? Richard |
||||||||||||||
|
|
||||||||||||||
|
meeting tomorrow POSTPONED to next week, Dec 19th / release update
J Lovejoy
Hi all,
Due to some unforeseen circumstances, both Steve and I are not available tomorrow. Given this would be our last meeting for 2019 (unless people wanted to meet on Dec 26th?), I'd like to postpone to next week, Dec 19th. Please adjust your calendars accordingly. Also, we have not had enough help to get through many of the issues in the queue for the next release, which would normally occur at the end of the month. If you use the SPDX License List in anyway, if you are reading this message, PLEASE check the issues in the Github repo and provide any help you can. Thanks, Jilayne SPDX legal team co-lead |
||||||||||||||
|
|
||||||||||||||
|
Re: Request for adding Eclipse Distribution License - v 1.0
Alexios Zavras
We should have a “note” on the BSD-3-Clause license.
-- zvr
From: Spdx-legal@... <Spdx-legal@...>
On Behalf Of CARLIER Aurelien
Sent: Wednesday, 11 December, 2019 08:34 To: spdx-legal@... Cc: Wayne Beaton <wayne.beaton@...>; Philippe Ombredanne <pombredanne@...> Subject: Re: Request for adding Eclipse Distribution License - v 1.0
Hello,
Thank you Wayne and Philippe for giving an answer that quickly J. I agree with the statement.
Maybe it (former suggestion by Wayne) would be mentioned in the "license and exceptions tracking page" not to be requested again (I've checked before sending the email, trying to make things the right way).
Regards, Aurélien
[@@ THALES GROUP INTERNAL @@]
De : Wayne Beaton [mailto:wayne.beaton@...]
We've discussed this previously (at my suggestion on behalf of the Eclipse Foundation).
My recollection is that it was decided that SPDX would not add EDL-1.0 or any other licenses based on the BSD-3-Clause template because doing so would set a precedent drawing in literally hundreds of other licenses based on that template.
For Eclipse projects that use EDL-1.0, we just use BSD-3-Clause as the SPDX code.
Wayne
On Tue, Dec 10, 2019 at 12:36 PM CARLIER Aurelien <aurelien.carlier@...> wrote:
-- Wayne Beaton Director of Open Source Projects | Eclipse Foundation, Inc. Intel Deutschland GmbH |
||||||||||||||
|
|
||||||||||||||
|
Re: Request for adding Eclipse Distribution License - v 1.0
CARLIER Aurelien
Hello,
Thank you Wayne and Philippe for giving an answer that quickly J. I agree with the statement.
Maybe it (former suggestion by Wayne) would be mentioned in the "license and exceptions tracking page" not to be requested again (I've checked before sending the email, trying to make things the right way).
Regards, Aurélien
[@@ THALES GROUP INTERNAL @@]
De : Wayne Beaton [mailto:wayne.beaton@...]
We've discussed this previously (at my suggestion on behalf of the Eclipse Foundation).
My recollection is that it was decided that SPDX would not add EDL-1.0 or any other licenses based on the BSD-3-Clause template because doing so would set a precedent drawing in literally hundreds of other licenses based on that template.
For Eclipse projects that use EDL-1.0, we just use BSD-3-Clause as the SPDX code.
Wayne
On Tue, Dec 10, 2019 at 12:36 PM CARLIER Aurelien <aurelien.carlier@...> wrote:
-- Wayne Beaton Director of Open Source Projects | Eclipse Foundation, Inc. |
||||||||||||||
|
|
||||||||||||||
|
Re: Request for adding Eclipse Distribution License - v 1.0
Philippe Ombredanne
Hi Aurelien:
On Tue, Dec 10, 2019 at 6:36 PM CARLIER Aurelien <aurelien.carlier@...> wrote: I would like to request addition of the Eclipse Distribution License in the SPDX license list.As far as I can remember, since this is the same as the BSD-3-Clause license text (using the matching guidelines), it was never added as its own license id. -- Cordially Philippe Ombredanne +1 650 799 0949 | pombredanne@... DejaCode - What's in your code?! - http://www.dejacode.com AboutCode - Open source for open source - https://www.aboutcode.org nexB Inc. - http://www.nexb.com |
||||||||||||||
|
|
||||||||||||||
|
Re: Request for adding Eclipse Distribution License - v 1.0
Wayne Beaton
We've discussed this previously (at my suggestion on behalf of the Eclipse Foundation). My recollection is that it was decided that SPDX would not add EDL-1.0 or any other licenses based on the BSD-3-Clause template because doing so would set a precedent drawing in literally hundreds of other licenses based on that template. For Eclipse projects that use EDL-1.0, we just use BSD-3-Clause as the SPDX code. Wayne On Tue, Dec 10, 2019 at 12:36 PM CARLIER Aurelien <aurelien.carlier@...> wrote:
--
Wayne Beaton Director of Open Source Projects | Eclipse Foundation, Inc. |
||||||||||||||
|
|
||||||||||||||
|
Request for adding Eclipse Distribution License - v 1.0
CARLIER Aurelien
Hello,
I would like to request addition of the Eclipse Distribution License in the SPDX license list. The EDL-1.0 is a variation of the New BSD License (fixing . Here is what I would suggest:
1. License name: Eclipse Distribution License 1.0 2. Proposed Identifier: EDL-1.0 3. URL: https://www.eclipse.org/org/documents/edl-v10.php 4. See attached file. 5. Indicate whether the license is OSI-approved : “The Eclipse Distribution License is an OSI Approved Open Source License by means of the New BSD License.” As said on the license’s full text page 6. This license is used by Eclipse JGIT https://github.com/eclipse/jgit/blob/master/LICENSE with the following text: This program and the accompanying materials are made available under the terms of the Eclipse Distribution License v1.0 which accompanies this distribution, is reproduced below, and is available at http://www.eclipse.org/org/documents/edl-v10.php
Thank you in advance to take this request into account.
Regards, Aurélien
[@@ THALES GROUP INTERNAL @@]
|
||||||||||||||
|
|
||||||||||||||
|
Re: New License/Exception Request: CAL-1.0 and CAL-1.0-with-exception
Steve Winslow
Hi Van, thanks for submitting this. I've copied it over to an issue in the SPDX license-list-XML repo, so that comments and input can be aggregated there -- see https://github.com/spdx/license-list-XML/issues/953 Best, Steve On Thu, Dec 5, 2019 at 1:30 AM Lindberg, Van <VLindberg@...> wrote:
|
||||||||||||||
|
|
||||||||||||||
|
New License/Exception Request: CAL-1.0 and CAL-1.0-with-exception
Lindberg, Van <VLindberg@...>
Hello,
I have received a preliminary positive report from OSI’s license committee on the Cryptographic Autonomy License v.1.0, or “CAL”. The CAL also includes a built-in “Combined Works Exception” that seems like it would fit with your exception grammar. 1. 1. Provide a proposed Full Name for the license or exception:
2.
Cryptographic Autonomy License, v1.0, or
3.
4. 2. Provide a proposed Short Identifier. 5. CAL-1.0 or CAL-1.0-with-exception 6. 7. 3. Provide a functioning url reference to the license or exception text, either from the author or a community recognized source. 8. https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing 9. 10. 4. Create and attach a text file with the license or exception text from the url provided in #3. 11. Attached. 12.
13.
5. Indicate whether the license is OSI-approved (see: http://www.opensource.org/licenses/alphabetical) or whether it
has been submitted for approval to the OSI and is currently under review. 14. 6. Provide a short explanation regarding the need for this license or exception to be included on the SPDX License List, including identifying at least one program that uses this license. 15. I expect this will be approved by the OSI shortly. As soon as it is approved, Holochain will be moving to use it.
*** Notice from Dykema Gossett PLLC: This Internet message may contain information that is privileged, confidential, and exempt from disclosure. It is intended for use only by the person to whom it is addressed. If you have received this in error, please (1) do not forward or use this information in any way; and (2) contact me immediately. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message. |
||||||||||||||
|
|
||||||||||||||
|
Minutes from 3 Dec joint tech/legal meeting
Gary O'Neall
Minutes from today’s joint legal / technical has been posted to joint tech/legal call here: https://wiki.spdx.org/view/Technical_Team/Minutes/2019-12-03
Gary
------------------------------------------------- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: gary@... CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
|
||||||||||||||
|
|
||||||||||||||
|
Invitation: SPDX joint legal/tech team meeting @ Tue Dec 3, 2019 1pm - 2pm (EST) (spdx-legal@lists.spdx.org)
Steve Winslow
|
||||||||||||||
|
|
||||||||||||||
|
No SPDX Legal team meeting this Thursday
Steve Winslow
This week's SPDX legal team meeting will be cancelled due to the US holiday on Thursday. You should receive a calendar cancellation sent to this list shortly. We will likely be holding a joint legal / tech team call to discuss SPDX 3.0 spec changes and related matters on Tuesday, Dec. 3 at 1PM Eastern US time / 10AM Pacific. We'll circulate an invite for that call after the time is confirmed. Best, Steve |
||||||||||||||
|
|
||||||||||||||
|
SPDX Legal team meeting now
Steve Winslow
This week's legal team meeting is beginning momentarily, apologies for the very late notice... UberConference: https://www.uberconference.com/room/SPDXTeam Optional dial in number: 415-881-1586 |
||||||||||||||
|
|
||||||||||||||
|
Meeting today, Oct. 31
Steve Winslow
Hello all, The next Legal
Team meeting will be today, Thursday, Oct. 31 at 9AM PT / 12PM ET. The agenda will include: 1) update from the joint legal/tech meeting last week 2) discussing a couple of long-pending issues ([1], [2] below) that should be addressed in 3.8 3) continuing discussion of updates to license inclusion guidelines **Please
note** the updated UberConference URL below for the call. Dial-in info: Web conference: https://www.uberconference.com/room/SPDXTeam
Optional dial in number: 415-881-1586 Best, Steve [1] GFDL / "no invariant sections": https://github.com/spdx/license-list-XML/issues/686 [2] OFL / reserved font name: https://github.com/spdx/license-list-XML/issues/724 Steve Winslow Director of Strategic Programs The Linux Foundation |
||||||||||||||
|
|
||||||||||||||
|
Advice/guidance/input from the SPDX community for Arch Linux
Santiago Torres Arias <santiago@...>
Hi,
The Arch Linux community recently started a discussion around adopting SPDX license identifiers to simplify/improve their license handling: https://lists.archlinux.org/pipermail/arch-dev-public/2019-October/029695.html I imagine that the SPDX community may be interested in chiming in if there are any known pitfalls on doing so, or general advice around it. Cheers! -Santiago. |
||||||||||||||
|
|
||||||||||||||
|
Updates to SPDX 3.0 Proposal
William Bartholomew
I have added a new section at the bottom of this document that maps the fields to profiles, I've incorporated nearly all of the original proposal content into that table: I'd appreciate your input on these mappings and the other comments. One important comment is that "mandatory" means mandatory if you have adopted that profile, otherwise it is optional. Regards, William Bartholomew |
||||||||||||||
|
|
||||||||||||||
|
Re: [spdx-tech] Advice/guidance/input from the SPDX community for Arch Linux
William Bartholomew
My feedback (and feel free to pass this onto their list) would be to ensure they adopt SPDX Expressions (https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60) rather than accepting a single SPDX license id (which is often overly simplistic) or an array (which is ambiguous as to whether it means AND or OR). There are a number of parsers out there for this format. Regards, William Bartholomew On Tue, Oct 22, 2019 at 12:33 PM Santiago Torres Arias <santiago@...> wrote: Hi, |
||||||||||||||
|
|
||||||||||||||
|
3.7 License List release
Steve Winslow
Hello all, The version 3.7 release of the license list is now tagged and live at https://spdx.org/licenses. Along with documentation updates and markup tweaks, 6 new licenses and exceptions were added to the list: * etalab-2.0 * MulanPSL-1.0 * OGL-Canada-2.0 * SSH-OpenSSH * SSH-short * UCL-1.0 A couple particular shout-outs for other contributions beyond these licenses: * Thank you to Jilayne and Gary for debugging an issue with the license list publisher, which was occasionally causing "optional text" markup to not display as optional on the website version. * Thank you to Kyle Mitchell for contributing a script to easily enable testing a single license XML file at a time, rather than re-testing the entire set — this has significantly improved the XML creation and testing process. The release notes can be found at https://github.com/spdx/license-list-XML/releases/tag/v3.7 And with that, time to turn to the pending issues for 3.8 :) |
||||||||||||||
|
|
||||||||||||||
|
Reminder: Joint SPDX tech & legal call - in 1 hour.
Kate Stewart
Hi all, Just a reminder we'll be having a joint legal & tech call for this month, in an hour from now. Agenda: - review some of the changes being discussed for SPDX 3.0 with focus on: - move from mandatory to optional for licensing fields, copyright, etc. - revisit CC0 as data license - unification of licensing fields across package, file, snippet section. Participation Information: https://zoom.us/j/663426859 Meeting ID: 663 426 859 Tuesdays at 17:00 UTC (and best guess for local time - 10:00AM PDT, 11:00 MDT, 12:00PM CDT, 1:00PM EDT, 18:00 WAT, 19:00 CEST). Australia +61 2 8015 2088 Canada +1 647 558 0588 Germany +49 30 3080 6188 Japan +81 3 4578 1488 US Toll-free 877 369 0926 Find your local number: https://zoom.us/u/ac9KKJWzJT |
||||||||||||||
|
|
