|
Re: Question about license matching with SPDX templates
Steve Winslow
Hi Peter, Thanks for raising this (and glad the license templates have been useful for you!) Your email is timely, as we actually discussed a related point (though not specific to CC-BY-4.0) during the Legal Team call on this past Thursday. Currently, I don't think there is a matching guideline that covers the scenario you're describing. But the general sense from the call was that there should be one. Something like, "if a line in a license consists of solely 1 or more dash, hyphen, underscore or equal-sign characters, ignore it for matching purposes." That isn't precise wording, but that's the concept that seemed to make sense. Would definitely need to get input from the SPDX tech team and tool developers before this became official, of course. You can see some more discussion at [0] and [1] for where this arose and is being addressed. Feel free to weigh in there as well! Finally, for CC-BY-4.0 specifically (and some of the other CC licenses for which CC has published plain-text versions), it's a good point that they don't have the equal-sign lines. They likely should be included as optional text in the XML template [2] and appear in the "test text" file [3] for that and other comparable CC licenses. Best, Steve On Sat, Oct 29, 2022 at 7:11 PM <pmonks+spdx@...> wrote: G'day SPDX gurus, |
|
|
|
Question about license matching with SPDX templates
G'day SPDX gurus,
I'm working on a little license matching project [1] leveraging the (great!) SPDX text templates [2], but have noticed that some canonical license texts (e.g. CC-BY-4.0 [3]) don't match the template since they contain a number of horizontal rules (a sequence of '=' characters, in this case). I don't see these in the CC-BY-4.0 text template [4], which means my code doesn't find a match. Is there a matching guideline [5] or other text processing I'm missing for this case? Thanks in advance, Peter [1] https://github.com/pmonks/lice-comb [2] https://github.com/spdx/license-list-data/tree/master/template [3] https://creativecommons.org/licenses/by/4.0/legalcode.txt [4] https://github.com/spdx/license-list-data/blob/master/template/CC-BY-4.0.template.txt [5] https://spdx.dev/license-list/matching-guidelines/ |
|
|
|
[openchain] Linux Foundation – Building Trust in Software Supply Chains - How OpenChain by the Linux Foundation and other projects enable a trusted supply chain for open source software
Dear all,
toggle quoted message
Show quoted text
Today, I saw this plop into my inbox and thought that it would also be of interest to many of the SPDX Legal Team members. The Open Source Way is both an entertaining and educational podcast, and given its open source licensing slant, I had suspected that Shane would feature on it at some point! :-) Best wishes, Sebastian From: Shane Coughlan <scoughlan@...> Sent: 27 October 2022 14:24:41 BST To: OpenChain Main <main@...> Subject: [openchain] Linux Foundation – Building Trust in Software Supply Chains - How OpenChain by the Linux Foundation and other projects enable a trusted supply chain for open source software Karsten invited me to join “The Open Source Way” podcast over at SAP to explain what we do and how it impacts the supply chain and large market. |
|
|
|
call at top of the hour
J Lovejoy
Hi folks,
We have a regular SPDX-legal call at the top of the hour (noon, Eastern time) at https://meet.jit.si/SPDXLegalMeeting We'll have a look at whatever needs attention to close out our "documentation release" - some items that we need to address include: - updates to the SPDX License Submission online tool. I have a PR for this and Gary is helping me with testing on Friday, but I wanted to check that I have all the changes and would like feedback on one additional thing - FAQs - plan for getting all the new changes into a PR, I also noted a formatting item that I wanted to share with the group! - any further feedback on Steve's PR to Add documentation on XML templates and fields #1677 - review of what's left on our "list" for Documentation tasks Also note, Alexios submitted a Change Proposal for adding "ExceptionRef-" to the spec. You can review the Change Proposal itself here: https://github.com/spdx/change-proposal/blob/main/proposals/ExceptionRef.md and comment here: https://github.com/spdx/change-proposal/issues/4 While we won't have time to discuss this on today's call, please do comment and we will consider if a wider discussion would be appropriate on the next legal team call. Thanks! Jilayne |
|
|
|
Re: Introduction + question about CC0/confidentiality in SPDX 2.2
J Lovejoy
Hi Anna,
toggle quoted message
Show quoted text
Welcome! You have interpreted the CC0-1.0 designation and comment regarding confidentiality correctly. (Note, it is now section 6.2 in version 2.3 of the spec: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/ ) There was much discussion on this in the very, very early days of SPDX which probably can be found in early email archives or meeting minutes. I haven't dug around, but from my memory of those discussion: The vision of SPDX is "to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability." This was born out of the reality of various entities asking for and passing around software bill of materials information in different format, often not sharing that information upstream or downstream. The ultimate ideal scenario would be if SPDX documents accompanied software throughout the supply chain. It was important that the standard be open, but also that people could not create an SPDX document and then assert some rights or control upon that information. Thus, CC0-1.0 and the accompanying explanation was chosen to alleviate that concern and signal the desire of an open exchange of this information. At the same time, we wanted to recognize the reality that some entities may feel that the information contained in an SPDX document could expose confidential information and thus may not want everything to be openly available. Not sure if there's something to discuss here, but happy to have you join any and all of the SPDX legal calls! Cheers, Jilayne On 10/26/22 8:26 AM, Haipola, Anna
(Nokia - FI/Espoo) wrote:
|
|
|
|
Won't be able to attend the Oct. 27th meeting
Dear all,
I'm continuing with my travels tomorrow, and thus must unfortunately send my regrets for the SPDX Legal Team meeting. Hope to see you next month! Best wishes, Sebastian |
|
|
|
Introduction + question about CC0/confidentiality in SPDX 2.2
Haipola, Anna (Nokia - FI/Espoo)
Hi all,
I have recently joined the SPDX legal mailing list and wanted to give a short introduction. My name is Anna Haipola and I am a Legal Counsel supporting the Open Source Program Office at Nokia. I am based in Espoo, Finland. I attended my first external event related to open source software last week at the OSPOlogy.live workshop in Stockholm, and it was truly inspiring to meet professionals working with the same topics in other organizations. I look forward to more collaboration.
The reason why I wanted to get in touch with the SPDX legal team was that I had a question related to the section 2.2.2 of the SPDX Specification (version 2.2). SPDX-Metadata is subject to the terms of the Creative Commons CC0 1.0 Universal license. Section 2.2.2 further states: “This approach avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract with each other to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files.”
I was unsure whether this meant that even though the data related to the SPDX fields can be distributed freely under CC0, collections of SPDX files could be protected under confidentiality clauses agreed upon between the SPDX document creator and the recipient. I would be happy to discuss this matter in one of the upcoming Legal Team meetings. I will be joining tomorrow’s meeting, so happy to provide some more details on this proposed agenda item there if there is time.
Looking forward to meeting you tomorrow.
Kind regards,
____________________________________________
Anna Haipola CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential,
Please consider the environment before printing this e-mail.
|
|
|
|
Change Proposal: ExceptionRef-
J Lovejoy
Please see our first Change Proposal submission from Alexios here: https://github.com/spdx/change-proposal/blob/main/proposals/ExceptionRef.md
This is a cross-team issue for tech and legal teams. Please indicate your vote for moving this forward or not in the issue here: https://github.com/spdx/change-proposal/issues/4 Thanks! Jilayne |
|
|
|
FAQs updates
J Lovejoy
Hi All,
As per our discussion about collaboratively updating the License List FAQ, I created this Google doc, so multiple people can make changes/additions at the same time and review before we move this to a PR in Github. Please try to use/retain the markup formatting :) Thanks, Jilayne |
|
|
|
meeting tomorrow (Thursday)
J Lovejoy
Hi all,
We have our regularly scheduled meeting tomorrow at 10 am mountain time (aka 9am Pacific time / noon eastern time). As we draw close to the end of this release cycle, let’s take an honest look at what we will accomplish for the documentation goals. Please review: https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+label%3Adocumentation and consider what you can contribute. Thanks, Jilayne |
|
|
|
Re: [Fedora-legal-list] Is the Monkey's Audio license "good"?
On Thu, Oct 6, 2022 at 2:51 PM Peter Lemenkov <lemenkov@...> wrote:
If at all possible, I'd like to have encoding too... -- 真実はいつも一つ!/ Always, there's only one truth! |
|
|
|
Is the Monkey's Audio license "good"?
Hello,
I recently read a thread about someone asking about adding the Monkey's Audio codec to openSUSE and it having an odd license[1], and I was thinking of bringing this to Fedora as well. However, the license[2] is confusing, and I'm not sure if it necessarily qualifies under Fedora's definition of good open source software[3]. If it is, what kind of license tag should be used, or should a new one be made for it? I'm leaning toward a new license tag, given that the terms look "special". Thanks in advance and best regards, Neal [1]: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/OR32LIUGQUZMXB6GQLUK62MD6VQTO2CR/ [2]: https://www.monkeysaudio.com/license.html [3]: https://docs.fedoraproject.org/en-US/legal/license-approval/#_allowed_licenses -- 真実はいつも一つ!/ Always, there's only one truth! |
|
|
|
Legal Team call starting shortly
Steve Winslow
Hi all, Sending a quick reminder that the SPDX Legal Team call will be starting shortly (at the top of the hour). We'll be focusing on the open documentation tasks for 3.19, to confirm on who is taking the lead on the different tasks and to agree on what we're likely to get accomplished prior to the next release (end of October). Thanks, Steve |
|
|
|
Re: for discussion: license inclusion guidelines
Russ Allbery
"Steve Winslow" <swinslow@...> writes:
I expect we'd want to be a bit specific about what we mean by "isDebian Developer here. The contrib archive area has the same license inclusion criteria as main. The distinguishing factor for contrib is that the packages are allowed to depend on non-free software (either via package dependencies or via downloading it from elsewhere; often packages in contrib are installers that download the actual software from some web site). contrib doesn't have its own separate licensing rules. You are correct that non-free does not count as included in Debian. Formally, inside the project, it is not part of our distribution. (This is also true of contrib, but since it has the same licensing rules for main it doesn't really matter for this discussion.) -- Russ Allbery (eagle@...) <https://www.eyrie.org/~eagle/> |
|
|
|
Re: for discussion: license inclusion guidelines
J Lovejoy
Thanks Richard, that’s helpful to point out! That and Steve’s point re: Debian Main makes me think we’d need to be somewhat specific for each distro that would trigger a lighter-weight review. More to ponder….
toggle quoted message
Show quoted text
And Steve - agreed re: Change Proposal, I’ll add that to my list of things to do and send a link to that once I’ve come up with something concrete! Jilayne On Sep 15, 2022, at 10:08 PM, Richard Fontana <rfontana@...> wrote: |
|
|
|
Re: for discussion: license inclusion guidelines
Richard Fontana
On Wed, Sep 7, 2022 at 2:17 PM Steve Winslow <swinslow@...> wrote:
In contrast to Debian, Fedora does not have separate official/project-administered package repositories with different license inclusion criteria. Fedora has an explanation here that may be helpful: https://docs.fedoraproject.org/en-US/legal/license-approval/ To summarize, there are different categories of material to which different license standards are applied: - The general "allowed" category -- licenses here are determined by Fedora to be FOSS through a sort of common law-like approach (Fedora has no DFSG/FSD/OSD counterpart of its own) - "Allowed-documentation" -- licenses approved only for documentation. The intent here is that the licenses are libre, i.e., equivalent in permissiveness/restrictiveness to software-oriented FOSS licenses, except that a few licenses (already recognized by SPDX) are treated as allowed-documentation for historical reasons even though they can't seriously be considered to meet all the standards of the licenses in the allowed category - "Allowed-content" -- licenses approved only for "content" which basically means something that can't be considered software, documentation, or fonts. These have to be FOSS except they can prohibit modification and have a "no patent licenses" provision. - "Allowed-firmware" -- licenses approved only for binary firmware files that meet certain technical operating system-related criteria; these licenses need not be FOSS but only certain kinds of non-FOSS terms are permitted. - "Allowed-fonts" -- licenses approved only for fonts. These licenses must meet the standards for FOSS except that they can have a "Sun RPC" clause (i.e. a prohibition on resale/distribution in isolation, which is for some reason commonly found in pseudo-FOSS font licenses). The main community authorities on FOSS definitional norms (FSF, OSI, Debian) have all implicitly taken the position that these kinds of clauses do not preclude a classification of a font license as FOSS, but to varying degrees and with a large dose of historical inconsistency have taken the view that they are generally not acceptable in a FOSS software license. Fedora is simply being more transparent that there are relaxed community standards for font licenses in this one respect. So I think Fedora has made an effort to ensure that the licenses in the "allowed", "allowed-documentation" and "allowed-fonts" categories substantially comply with widely-held community open source definitions. That can't be said of all licenses in the allowed-content (probably) and allowed-firmware (definitely) categories. However, I wonder if the fact that these generally non-FOSS licenses are determined to meet the license criteria of a distro that is basically conceptualized as a free software community distro ought to justify the lighter-weight review Jilayne speaks of. Richard |
|
|
|
Re: for discussion: license inclusion guidelines
Phil Odence <phil.odence@...>
All makes sense to me. Good idea.
From:
Spdx-legal@... <Spdx-legal@...> on behalf of Steve Winslow <swinslow@...> Jilayne -- yes, I'd be open to a lighter-weight or streamlined approach to approving licenses submitted from use in distros such as Debian and Fedora.
In these cases we have greater confidence that those communities have done the work to vet certain of the license inclusion principles. In particular the first and most important "Other Factor" re: "substantially complies with open source definitions"; and its inclusion in the distro likely demonstrates the "substantial use" factor for SPDX purposes.
I expect we'd want to be a bit specific about what we mean by "is included in the distro". For instance, for Debian I'd think `main` would be covered, `non-free` would not, and I don't know for `contrib`. I don't know how Fedora divides things up...
I could see a Change Proposal being appropriate here. Modifying the License Inclusion Principles is a pretty substantive policy change and not something we want to undertake lightly or frequently.
Karsten -- you're welcome to put together and share a formal Change Proposal for your concept if you would like. Speaking personally, I would not be in favor of making that change to a sort of two-tiered license list. If you do want to discuss it further on the mailing list, I'd ask if you could please discuss it in a separate thread, so that we're not diverting from Jilayne's original question here regarding Debian / Fedora. Thanks!
Steve
On Tue, Sep 6, 2022 at 1:49 AM Karsten Klein <karsten.klein@...> wrote:
|
|
|
|
Legal Team call starting shortly
Steve Winslow
Hi all, just a quick reminder that the SPDX Legal Team call will be starting shortly. We'll be focusing on the following topics: * quick look at #1603 - x11vnc-openssl-exception * discuss release process, cadence and documentation: release process notes and #1568 and #1569 * review other documentation tasks for 3.19 Thanks, Steve |
|
|
|
Re: for discussion: license inclusion guidelines
Steve Winslow
Jilayne -- yes, I'd be open to a lighter-weight or streamlined approach to approving licenses submitted from use in distros such as Debian and Fedora. In these cases we have greater confidence that those communities have done the work to vet certain of the license inclusion principles. In particular the first and most important "Other Factor" re: "substantially complies with open source definitions"; and its inclusion in the distro likely demonstrates the "substantial use" factor for SPDX purposes. I expect we'd want to be a bit specific about what we mean by "is included in the distro". For instance, for Debian I'd think `main` would be covered, `non-free` would not, and I don't know for `contrib`. I don't know how Fedora divides things up... I could see a Change Proposal being appropriate here. Modifying the License Inclusion Principles is a pretty substantive policy change and not something we want to undertake lightly or frequently. Karsten -- you're welcome to put together and share a formal Change Proposal for your concept if you would like. Speaking personally, I would not be in favor of making that change to a sort of two-tiered license list. If you do want to discuss it further on the mailing list, I'd ask if you could please discuss it in a separate thread, so that we're not diverting from Jilayne's original question here regarding Debian / Fedora. Thanks! Steve On Tue, Sep 6, 2022 at 1:49 AM Karsten Klein <karsten.klein@...> wrote: Hi Jilayne, |
|
|
|
Re: for discussion: when can people start using short ids?
Steve Winslow
I'd mostly echo Gary's comments here. #1 is the option that enables someone to be sure that the ID they're using should validate with then-current tooling. #2 is workable for folks who don't care about validating immediately. #3 should be avoided because the IDs can end up changing as we work out nuances during the templating process. Jilayne, to your original question, I think it could be worth SPDX having clearer guidance on this. Ria, yes, I'd say there's two reasons why there is a quarterly release cycle: * The License List's version number is relevant for SPDX Documents, so that a given SPDX Document can be validated against a particular version number. See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#67-license-list-version-field for the data field. The spec doesn't mandate a quarterly release, but I think we've landed on that as a reasonable cadence for SPDX Document users as well as other downstream users. * Yes, there's a fair bit of manual effort in actually publishing the release. Gary was handling this originally, and I've taken over it for the past few years. This is an area which could probably be much more automated, and I'd be happy to discuss with folks who would be willing to help with building and maintaining that automation :) Best, Steve On Tue, Sep 6, 2022 at 10:40 AM Ria Schalnat (HPE) <ria.schalnat@...> wrote: Just out of curiosity - why is the release cycle for new licenses quarterly? Is there significant work in a release of new licenses (assuming that this isn't tied to other more material updates like the spec itself). |
|
|
