-----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of
Richard Fontana
Sent: Sunday, July 17, 2022 2:36 PM
To: J Lovejoy <opensource@...>
Cc: SPDX-legal <spdx-legal@...>
Subject: Re: Commutativity of SPDX expressions

The order of operations is a different issue, I think. I guess the SPDX spec
assumes, as you say, that commutativity of AND and OR is implicit (like
counterpart operations in propositional logic), but this implicit property was
not obvious to one Fedora contributor.

Richard

On Sun, Jul 17, 2022 at 4:08 PM J Lovejoy <opensource@...> wrote:

Hi Richard,

Annex D explains the order of precedence for the operators and use of
parentheses.
https://spdx.github.io/spdx-spec/SPDX-license-expressions/

I admit, I find the use of parentheses easier to understand overall (than

relying on remembering the order of precedence).

I’m not sure it explicitly states that "MIT AND Apache-2.0" is equivalent to

"Apache-2.0 AND MIT” but I think that’s kind of implicit, no?

I also think this entire annex could use a re-write to make it a bit
more user-friendly (on the topic of improving documentation…)

Jilayne

On Jul 17, 2022, at 12:21 PM, Richard Fontana <rfontana@...>

wrote:

I'm working on some draft documentation for Fedora around use of
SPDX expressions in RPM spec file License: fields. I was surprised
to apparently not see anything in the SPDX spec that says that the
AND and OR operators are commutative. I want to assert that the
expression "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND
MIT". Does the SPDX spec actually take no position on this?

Richard

Hi Richard,

Annex D explains the order of precedence for the operators and use of parentheses. https://spdx.github.io/spdx-spec/SPDX-license-expressions/

I admit, I find the use of parentheses easier to understand overall (than relying on remembering the order of precedence).

I’m not sure it explicitly states that "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT” but I think that’s kind of implicit, no?

I also think this entire annex could use a re-write to make it a bit more user-friendly (on the topic of improving documentation…)

Jilayne

On Jul 17, 2022, at 12:21 PM, Richard Fontana <rfontana@...> wrote:

I'm working on some draft documentation for Fedora around use of SPDX
expressions in RPM spec file License: fields. I was surprised to
apparently not see anything in the SPDX spec that says that the AND
and OR operators are commutative. I want to assert that the expression
"MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
SPDX spec actually take no position on this?

Richard

-----Original Message-----
From: J Lovejoy <opensource@...>
Sent: Sunday, July 17, 2022 1:18 PM
To: McCoy Smith <mccoy@...>
Cc: Richard Fontana <rfontana@...>; SPDX-legal <spdx-
legal@...>
Subject: Re: Commutativity of SPDX expressions

Hi McCoy,

I’m wondering if you are trying to adapt SPDX identifiers in a situation not
anticipated. Consider that aim of an SPDX document (as per the SPDX
specification, and thus, using SPDX license ids in the various specification
field, is to communicate licensing, copyright, provenance, etc. information
for a given bundle of software. For example, I sell you Jilaynes-awesome-
software-app and provide an SPDX document for that software product. The
licensing info in this context would be presubaly what I think you are
referring to as the “outbound” license - that is the license under which the
software is used by the recipient.

Let’s say, Jilaynes-awesome-software-app includes some open source
software under various open source licenses, say, MIT and Apache-2.0, and I
also added some of my own (new) code under BSD-3-Clause, that all of this
can be reflected in the appropriate license fields at the package, file, and/or
snippet level.

I think of “inbound”, in relation to open source software, as usually referring
to the license under which contributions are provided to the project. But I
think you might be meaning “inbound” in relation to Jilayne’s-awesome-
software-app - that is, the open source software that I incorporate into my
app under MIT and Apache-2.0. Is that right?

Thanks,
Jilayne

On Jul 17, 2022, at 1:18 PM, McCoy Smith <mccoy@...> wrote:

At the risk of sounding like I’m hijacking this to re-raise my prior issue:
If AND is the operator to be used when having different inbound vs

outbound, then AND may not be commutative, since the order of listing the
licenses may convey information about which license is inbound vs
outbound, and (maybe) which license applies to different parts of the code.

Which militates to me toward a new expression, but I’ve made that point

already.

On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...>

wrote:

I'm working on some draft documentation for Fedora around use of
SPDX expressions in RPM spec file License: fields. I was surprised to
apparently not see anything in the SPDX spec that says that the AND
and OR operators are commutative. I want to assert that the
expression "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND
MIT". Does the SPDX spec actually take no position on this?

Richard

On Jul 17, 2022, at 1:18 PM, McCoy Smith <mccoy@...> wrote:

At the risk of sounding like I’m hijacking this to re-raise my prior issue:
If AND is the operator to be used when having different inbound vs outbound, then AND may not be commutative, since the order of listing the licenses may convey information about which license is inbound vs outbound, and (maybe) which license applies to different parts of the code.
Which militates to me toward a new expression, but I’ve made that point already.

On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...> wrote:

I'm working on some draft documentation for Fedora around use of SPDX
expressions in RPM spec file License: fields. I was surprised to
apparently not see anything in the SPDX spec that says that the AND
and OR operators are commutative. I want to assert that the expression
"MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
SPDX spec actually take no position on this?

Richard

On Jul 17, 2022, at 12:21 PM, Richard Fontana <rfontana@...> wrote:

I'm working on some draft documentation for Fedora around use of SPDX
expressions in RPM spec file License: fields. I was surprised to
apparently not see anything in the SPDX spec that says that the AND
and OR operators are commutative. I want to assert that the expression
"MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
SPDX spec actually take no position on this?

Richard

On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...> wrote:

I'm working on some draft documentation for Fedora around use of SPDX
expressions in RPM spec file License: fields. I was surprised to
apparently not see anything in the SPDX spec that says that the AND
and OR operators are commutative. I want to assert that the expression
"MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
SPDX spec actually take no position on this?

Richard

On Jul 11, 2022, at 11:17 AM, McCoy Smith <mccoy@...> wrote:

On Jul 11, 2022, at 9:51 AM, Alexios Zavras <alexios.zavras@...> wrote:

I think our understanding until now is that the package should have "License-A AND License-B", to denote the presence of these licenses. But conversely, this license expression should NOT be understood to mean that "everything in here is under this expression (combination of licenses)".

Richard's example of taking the license of a set and applying it to every single item shows the error in this approach.

Yes that’s it. I think AND alone could be (and might widely be) misconstrued as to what state is actually being represented.
One solution is for people and tools to correctly understand the SPDX tags and operators.
The other is to convey more information with those tags and operators.
Which is best I don’t know, depends on how well people and tools are interpreting the conveyed information.
This is a bit orthogonal from my initial inquiry, but perhaps my inquiry tests the limits of “just use AND” as the solution?

-- zvr

-----Original Message-----
From: spdx@... <spdx@...> On Behalf Of McCoy Smith
Sent: Monday, 11 July, 2022 19:43
To: spdx@...
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

At this risk of opening up a giant can of worms:
Does logical AND for SPDX make sense without more information? Even if a group of files clearly designate a single license at file level, and project identifies each of those licenses with logical AND at project level, you still can have misunderstandings if file level is not interrogated.

On Jul 11, 2022, at 9:21 AM, Richard Fontana <rfontana@...> wrote:
If you take the patch referenced in the LWN article, you could rewrite that as:
SPDX-License-Identifier: GPL-2.0-or-later AND ISC
But then subsequent modifications of the file are going to be assumed
to be licensed under both GPLv2 and ISC, whereas it is likely the
subsequent modifier conceptualized their changes as just being GPLv2.
This reminds me: I've recently been informed of a project that started
using SPDX-License-Identifier: and this has led to a complicated issue
around a desired license change because it appears as though many
contributions to the project were inadvertently made under a
conjunction of two licenses, which was the result of putting a
conjunctive SPDX-License-Identifier statement in a README file. I
don't have the case handy but it was something like, some source files
were BSD-3-Clause, some were Apache-2.0, someone then helpfully put
SPDX-License-Identifier: BSD-3-Clause AND Apache-2.0 in a README file,
and then new source files started mechanically including
SPDX-License-Identifier: BSD-3-Clause AND Apache-2.0.
Richard

On Mon, Jul 11, 2022 at 12:12 PM Richard Fontana <rfontana@...> wrote:

Ah, that is exactly the issue I was asking about a few years ago. The
response on this list was that an SPDX-License-Identifier: statement
consisting of an "AND" expression was good enough as an alternative.
But my view at the time was that this entailed a loss of information
-- you lose the idea that the GPL is in some sense the overarching or
dominant license of some set of code with some subsidiary elements
under distinct licenses.
I'm not sure what I think now. I will say, the norm SFLC was trying
to establish in the wake of the ath5k affair never really caught on.
The 'snippet' solution isn't really practical in many cases because
you won't often be able to precisely identify the boundaries of the
snippet.
Richard

On Mon, Jul 11, 2022 at 12:06 PM McCoy Smith <mccoy@...> wrote:
Back to the original query:
Here’s an example of what I was talking about, albeit inbound BSD
outbound GPL
https://lwn.net/Articles/247806/
I’m suggestion an SPDX tag for what was used there:
This file is based on work under the following copyright and permission notice:

On Jul 11, 2022, at 8:49 AM, McCoy Smith via lists.spdx.org <mccoy=lexpan.law@...> wrote:



On Jul 11, 2022, at 7:58 AM, Warner Losh <imp@...> wrote:

You are right, this isn't the right place for this debate. I can't even parse what you are saying here. copyleft has no legal basis as a term, so I'm not at all sure what you are saying. You are also somewhat misrepresenting what I'm saying and being a bit of a bully about it.
I asked a SPDX specific question. You jumped in with your legal analysis unrelated to the question of whether there was an existing SPDX identifier or should there be a new one. I responded to your off-topic thoughts. That’s bullying?
But since nobody else thought it was a good idea, I think the notion in SPDX is effectively dead unless another use case surfaces that makes sense.
You’ve expressed it’s not a good idea. Is that dispositive? Jilayne had some mechanical/procedural questions about the questions I asked. Don’t think anyone else has weighed in. If I know my mailing lists, not everyone hops in immediately with their thoughts on proposals or questions.
Warner

From: spdx@... <spdx@...> On Behalf Of Warner
Losh
Sent: Monday, July 11, 2022 7:20 AM
To: spdx@...
Subject: Re: [spdx] Specific SPDX identifier question I didn't see
addressed in the specification
On Mon, Jul 11, 2022 at 8:13 AM McCoy Smith <mccoy@...> wrote:
“The concept you are talking about doesn't exist in law. You can only change the 'outbound' license if the 'inbound' license expressly allows it.”
You have a case citation for that?
Do you have one that does or that refutes the theory that the copyright holder granted you the ability to do certain things, but not to change the license? Without that, you are redistributing copyrighted material without the permission of the copyright holder.
Again, I'm not a lawyer, but I've never encountered this in the last 30 years of doing open source. Downstream additions with a new license always an 'AND' unless the original license granted otherwise.  It's certainly not the 'mainstream' of how open source operates and also goes against the oft-expressed desire to keep SPDX relatively simple.
Warner
From: spdx@... <spdx@...> On Behalf Of Warner
Losh
Sent: Monday, July 11, 2022 7:07 AM
To: spdx@...
Cc: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see
addressed in the specification
On Mon, Jul 11, 2022 at 7:38 AM McCoy Smith <mccoy@...> wrote:
These questions are really off-topic.
If you have questions about interpretation of BSD licenses, you probably ought to ask them of your counsel (or if you’re associated with FreeBSD, their counsel).
There are also a lot of resources, many on-line and free, concerning the interpretation of most of the major open source licenses, including the BSD variants. This one might be instructive for you:
“The so-called new BSD license applied to FreeBSD within the last few years is effectively a statement that you can do anything with the program or its source, but you do not have any warranty and none of the authors has any liability (basically, you cannot sue anybody). *This new BSD license is intended to encourage product commercialization. Any BSD code can be sold or included in proprietary products without any restrictions on the availability of your code or your future behavior.*”
https://docs.freebsd.org/en/articles/bsdl-gpl/
What does that have to do with anything? This is marketing material, not a license nor a grant to "file off" the old license and add your own new one. You are only allowed to add your new one and the old one is quite permissive otherwise.
The concept you are talking about doesn't exist in law. You can only change the 'outbound' license if the 'inbound' license expressly allows it. The BSD license is quite permissive, but it isn't that permissive. So, your desire to express this concept in SPDX doesn't make sense. You are asking the SPDX license expression to cover something that's not a thing. That's my basic point, and so far you've done nothing to refute that.
Warner
From: spdx@... <spdx@...> On Behalf Of Warner
Losh
Sent: Friday, July 1, 2022 2:11 PM
To: spdx@...
Cc: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see
addressed in the specification
On Fri, Jul 1, 2022, 2:17 PM McCoy Smith <mccoy@...> wrote:
Well the example is the reverse: inbound BSD-2-Clause, outbound MIT.
I’m more thinking license identifiers that go with the code (since I think for most folks that’s where they do license attribution/license copy requirements).
But obviously the issue/problem is more generic given that some permissive licenses allow the notice to be in either (or in some cases require in both) the source or documentation.
Are you allowed to do that without it becoming an AND? You can't just change the terms w/o permission like that I'd imagine... And I'm not sure how it would generalize...
Warner
From: spdx@... <spdx@...> On Behalf Of J
Lovejoy
Sent: Friday, July 1, 2022 1:11 PM
To: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see
addressed in the specification
Hi McCoy!
I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.
Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing  the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?
Thanks,
Jilayne
On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:
I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.
Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:
Preserve all existing IP notices (or in some cases, just copyright
notices) Provide a copy of the license (or something to that
effect: retaining “this permission notice” (ICU/Unicode/MIT)  or
“this list of conditions” (BSD) or providing “a copy of this
License” (Apache 2.0))
The rules around element 1 and SPDX are well-described.
With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):
SPDX-License-Identifier: MIT
[This file/package/project contains code originally licensed
under:]
SPDX-License-Identifier: BSD-2-Clause
The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.
One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.
Thoughts? Am I missing something?

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de>
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928

Hi McCoy!

If I'm following the discussion correctly, I'd agree with Warner here.

If I take code that I received under BSD-2-Clause and I redistribute it under MIT, I'm really redistributing it under MIT subject to the requirements of the original BSD-2-Clause license under which I received it. I'd say that BSD-2-Clause doesn't give me the right to "relicense" the code in the sense of eliminating the inbound requirements and applying a fully different license in its place.

Rather, BSD-2-Clause allows me to redistribute under different terms as long as I also comply with the BSD-2-Clause obligations; and the same would apply to any downstream recipient of the code. In SPDX license expression terms, I'd describe the resulting license as "MIT AND BSD-2-Clause". (And subject of course to Warner's very good point, about whether in any particular case you're using a sufficiently copyrightable amount of the BSD-2-Clause code such that you need a license under applicable copyright laws.)

In terms of how to express this in source code files: I could see a couple of different ways to do so:

1. You could just include a single comment header at the top of the file with "SPDX-License-Identifier: MIT AND BSD-2-Clause"

2. Or if you wanted to be more specific about the particular portions of the code, you could use "SPDX-License-Identifier: MIT" at the top of the file, and then Snippet Tags [0] with "SPDX-License-Identifier: BSD-2-Clause" within the specific marked snippet of code which is subject to that license.

Steve

[0] Newly added in SPDX 2.3; see https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/file-tags.md#h3-snippet-tags-format-

On Wed, Jul 6, 2022 at 10:08 AM Warner Losh <imp@...> wrote:

On Wed, Jul 6, 2022 at 5:48 AM McCoy Smith <mccoy@...> wrote:

No, that’s not really my issue. I believe the logical operators and the ability to designate file-level licenses in SPDX handle your situation.

I’m talking about using SPDX to provide a copy of the terms of a license which don’t apply, but which nevertheless must be provided per the license itself. As is required in BSD/MIT/Apache (as well as copyleft licenses, but that’s really not applicable to my circumstances since copyleft requires the license terms be provided, *and* be applied)

What makes you think they don't apply? If you have to reproduce the notice, the terms apply. You can't just take code and change the license without the permission of the copyright holders/owners/etc. As an author of BSD code, I for one would strongly and strenuously object to this sort of thing were it done to my code. Either you used enough code that the terms apply (you created a derived work and have to comply) or you didn't (you created a new enough work the terms do not apply and you don't need to comply). If it applies, it is an AND. If it doesn't apply, I'd say it's outside the scope of SPDX. There is no "provide the notice but doesn't comply" option that I'm aware of in copyright law.

So, I don't think legally there's this halfway thing that you are suggesting, but I'm going to let others on the list opine about that as I'm not an attorney. I've just been doing this for the last 30 years and have been FreeBSD's licensing expert for much of that time.

Warner

From: spdx@... <spdx@...> On Behalf Of Shawn Clark
Sent: Tuesday, July 5, 2022 10:48 AM
To: spdx@...
Cc: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification



I have spent a lot of time contemplating the question, but want to confirm I'm thinking about the same thing:



Are you talking about the nature of open source requiring (such as in a requirements.txt) other open source code/components that ultimately mean the terms of several licenses would apply to the top level software package (such as the total python package)? And how to include those identifiers in spdx, either as a requirement of the open source license, or as a pass-through of a license (such as lgpl/gpl)?



I have thoughts on the topic but wanted to confirm before I ramble on about it 😁 I may be off the rails here.



Cheers!

-Shawn Clark

Michigan Attorney, P79081









On Fri, Jul 1, 2022, 4:17 PM McCoy Smith <mccoy@...> wrote:

Well the example is the reverse: inbound BSD-2-Clause, outbound MIT.

I’m more thinking license identifiers that go with the code (since I think for most folks that’s where they do license attribution/license copy requirements).

But obviously the issue/problem is more generic given that some permissive licenses allow the notice to be in either (or in some cases require in both) the source or documentation.



From: spdx@... <spdx@...> On Behalf Of J Lovejoy
Sent: Friday, July 1, 2022 1:11 PM
To: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification



Hi McCoy!



I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.



Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?



Thanks,

Jilayne



On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:



I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.



Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:

Preserve all existing IP notices (or in some cases, just copyright notices)
Provide a copy of the license (or something to that effect: retaining “this permission notice” (ICU/Unicode/MIT) or “this list of conditions” (BSD) or providing “a copy of this License” (Apache 2.0))



The rules around element 1 and SPDX are well-described.

With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):



SPDX-License-Identifier: MIT

[This file/package/project contains code originally licensed under:]

SPDX-License-Identifier: BSD-2-Clause



The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.


One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.



Thoughts? Am I missing something?

On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:

I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.

 

Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:

1. Preserve all existing IP notices (or in some cases, just copyright notices)
2. Provide a copy of the license (or something to that effect: retaining “this permission notice” (ICU/Unicode/MIT)  or “this list of conditions” (BSD) or providing “a copy of this License” (Apache 2.0))

 

The rules around element 1 and SPDX are well-described.

With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):

 

SPDX-License-Identifier: MIT

[This file/package/project contains code originally licensed under:]

SPDX-License-Identifier: BSD-2-Clause

 

The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.

One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.

 

Thoughts? Am I missing something?