Use of exception to communicate legal ambiguity


Richard Fontana
 

Greetings,

Over at Red Hat, we've been gradually increasing our support of the
use of "SPDX-License-Identifier:" in source files for various reasons.

We've encountered some situations where a traditional project practice
might be to insert a GPL license notice at the top of a file, perhaps
following a copyright notice, where the contents of the file are of
dubious copyrightability, and where there is an important policy
(perhaps more significant now than in the past) in avoiding any
contribution of support to the idea that such material is, or ought to
be, copyrightable. (I'm using "copyrightable" a little loosely here,
as we often do in open source, in a way that might also encompass, for
example, situations where the contents are strictly speaking likely
copyrightable but also likely subject to a noninfringement defense of
some sort for essentially all users.)

As one example, though not necessarily the most interesting one, think
of the default form of a configuration file that might be installed
with a particular package. (Such configuration files actually tend not
to have license notices, but occasionally they do.)

In such situations there may also be significant value in preserving
the traditional practice of including the GPL (or other) license
notice. Thus for example using a public domain approximation like CC-0
or the Unlicense or what have you is not particularly helpful.

We've been thinking one useful approach to take in such cases is to
say something like the following:

// The content of this file is such that this file may not need a license.
// But, if this file does need a license, the license is:
// SPDX-License-Identifier: GPL-2.0-or-later

At any rate, that's what we're trying to get across. The problem is
that the SPDX-License-Identifier expression there by itself does not
express the notion of "if needed" or "not sure". Even apart from that,
the bare use of GPL-2.0-or-later in this example seems inappropriate
from an SPDX standpoint since it does not accurately reflect the legal
intent being expressed in the file.

NOASSERTION (I gather not normally used with SPDX-License-Identifier:)
does not seem to adequately capture what we're trying to express
here. Nor something like the possibly-nonsensical "GPL-2.0-or-later OR
NOASSERTION".

We were thinking one possibility would be to define an exception
(worded similarly to the example statement above) that would express
the "not sure/if needed" concept, and could be used with the baseline
license identifier using the WITH expression. Imagine if SPDX accepted
this as an exception identifier called "If-Needed":

SPDX-License-Identifier: GPL-2.0-or-later WITH If-Needed

But this sort of identifier would depart from the model that I think
SPDX has assumed thus far in recognizing exceptions, which is the
FSF-popularized notion of "additional permission" exceptions. (See
https://github.com/spdx/spdx-spec/issues/153)

Does anyone have any suggestions/reactions to this issue?

Richard


Steve Winslow
 

Hi Richard,

Thanks for sharing this question. I've been mulling it over and don't have a good answer, so here instead are a few disjointed thoughts.

My main hesitation with an "If-Needed-exception" (assuming there was specific wording, etc. that it was tied to) is that I'm wondering if that isn't already inherent in any license statement in the first place.

If a work of "dubious copyrightability" contains any license notice, MIT or GPL or whatever, that's telling the recipient that they are permitted to use (or copy, or modify, or distribute...) the work under that license. The recipient might determine that the rights granted by that license are not actually necessary, given the nature of the work. The recipient determines that they won't infringe any exclusive rights by making use of the work even without the license. The presence of the license statement doesn't affect this; nor would the presence of a license statement tied to an "if this work needs a license, here it is" notice.

So in the example you mentioned, I tend to think that the SPDX license expression is accurately described as:

// SPDX-License-Identifier: GPL-2.0-or-later

I do take your point, though, that there could be value in capturing the "legal intent being expressed in the file" that a particular file or work might not need a license. So I could be persuaded that I'm wrong here.

Steve

Max Mehl
 

~ Steve Winslow [2021-11-24 20:14 +0100]:
> If a work of "dubious copyrightability" contains any license notice, MIT or
> GPL or whatever, that's telling the recipient that they are permitted to
> use (or copy, or modify, or distribute...) the work under that license. The
> recipient might determine that the rights granted by that license are not
> actually necessary, given the nature of the work. The recipient determines
> that they won't infringe any exclusive rights by making use of the work
> even without the license. The presence of the license statement doesn't
> affect this; nor would the presence of a license statement tied to an "if
> this work needs a license, here it is" notice.
>
> So in the example you mentioned, I tend to think that the SPDX license
> expression is accurately described as:
>
> // SPDX-License-Identifier: GPL-2.0-or-later

IANAL, but my sentiments exactly. Of course I can patch an AGPL* license
(plus copyright holder) on top of a file with `print("hello world")`
being its only content. In all legislations I know the file would not be
copyrightable, and everyone could just copy the file and (re)use it
without any restrictions. No harm done.

My plea is to make things as simple as possible for developers without
excessive legal knowledge or a helpful legal department as support. If a
developer, for the sake of simplicity, distributes all files in their
project under AGPL*, even the non-copyrightable, so be it. If a re-user
of this project thinks the license is a problem, they can make the
estimation whether they, in their legislation, can change the license or
not. I do not see how an "If-Needed" exception can make a positive
difference here, because the question whether the file is copyrightable
or not still is up to the re-user.

FWIW, here are two REUSE FAQ items on this topic (without many details).
Would you share this position?
https://reuse.software/faq/#what-is-copyrightable

Best,
Max

--
Max Mehl - Programme Manager - Free Software Foundation Europe
Contact and information: https://fsfe.org/about/mehl | @mxmehl
Become a supporter of software freedom: https://fsfe.org/join


Alexios Zavras
 

From a completely different perspective, ignoring whether the copyrightability of a file is decided by the producer or the consumer, I don't like using the exception syntax from a purely technical point.

Yes, you can add a pseudo-exception to GPL-2.0-or-later and produce "GPL-2.0-or-later WITH If-Needed".
How do you do this in cases where it is not a single license? Cases like:
GPL-2.0-only OR BSD-3-Clause
GPL-3.0-or-later WITH GCC-exception-3.1

We don't (until now) apply exceptions to combinations nor do we have two exceptions...

-- zvr



Luis Villa
 

On Tue, Nov 23, 2021 at 1:56 PM Richard Fontana <rfontana@...> wrote:
> Greetings,
>
> Over at Red Hat, we've been gradually increasing our support of the
> use of "SPDX-License-Identifier:" in source files for various reasons.
>
> We've encountered some situations where a traditional project practice
> might be to insert a GPL license notice at the top of a file, perhaps
> following a copyright notice, where the contents of the file are of
> dubious copyrightability, and where there is an important policy
> (perhaps more significant now than in the past) in avoiding any
> contribution of support to the idea that such material is, or ought to
> be, copyrightable. (I'm using "copyrightable" a little loosely here,
> as we often do in open source, in a way that might also encompass, for
> example, situations where the contents are strictly speaking likely
> copyrightable but also likely subject to a noninfringement defense of
> some sort for essentially all users.)
>
> As one example, though not necessarily the most interesting one, think
> of the default form of a configuration file that might be installed
> with a particular package. (Such configuration files actually tend not
> to have license notices, but occasionally they do.)
>
> In such situations there may also be significant value in preserving
> the traditional practice of including the GPL (or other) license
> notice. Thus for example using a public domain approximation like CC-0
> or the Unlicense or what have you is not particularly helpful.
>
> We've been thinking one useful approach to take in such cases is to
> say something like the following:
>
> // The content of this file is such that this file may not need a license.
> // But, if this file does need a license, the license is:
> // SPDX-License-Identifier: GPL-2.0-or-later
>
> At any rate, that's what we're trying to get across. The problem is
> that the SPDX-License-Identifier expression there by itself does not
> express the notion of "if needed" or "not sure". Even apart from that,
> the bare use of GPL-2.0-or-later in this example seems inappropriate
> from an SPDX standpoint since it does not accurately reflect the legal
> intent being expressed in the file.
>
> NOASSERTION (I gather not normally used with SPDX-License-Identifier:)
> does not seem to adequately capture what we're trying to express
> here. Nor something like the possibly-nonsensical "GPL-2.0-or-later OR
> NOASSERTION".

It seems to me that the core problem here is that there is an assertion being made— that an evaluation has been made and that the result of the evaluation is that it is public-domain-like.

I’m reminded of the original form (pre-CC0) of CC’s public domain approach (SPDX: CC-PDDC), where the ‘licensor’ could assert that “to the best of [their] knowledge, the work of authorship identified is in the public domain”, and CC’s later experiment with the Public Domain Mark, which avoids license language in favor of a rights “statement”; lots of relevant SPDX-y discussion here: 

I think you really want (in this example) something like “GPL-2.0-or-later OR CC-PDM-1.0”, which conveys the ambiguous nature of the assessment and allows a policy engine to say “we trust upstream attempts to do self-analysis of CC-PDM” or “hell no, our risk tolerance can’t accept the vagaries of self-defined public domain and so we must fall back to the other license”. Unfortunately, since part of what you’re after is brevity and simplicity, and CC (not unwisely) sought precision, I don’t think the actual text of CC-PDM gets you where you want to be even if it is logically/legally the correct approach.

Luis


Michael Dolan
 

Hi Richard, one initial thought that comes to mind is there are many projects with a single LICENSE file in the main repository directory. That's despite many of the files in the repository potentially being uncopyrightable for the reasons you describe. 

Would it even be desirable to have developers going through a repository and declaring which files are subject to copyright / not subject to copyright? How could I trust that developer's (or lawyer's) review? Was that developer the original contributor? Did they make their own determination based on a potentially flawed understanding of copyright law? Which jurisdiction's copyright laws was that determination based on? Consider Oracle vs Google.

I'll throw in another potential twist. A file at a point in time may lack anything substantive subject to copyright, but someone in the future could contribute something to that file subject to copyright - and may not know to change the short identifier. 

Perhaps you can simply combine the SPDX short identifier with a comment if there's a particular reason for this? If you include the word 'license' in the comment, many of the scanners will pick it up. E.g. "A license short identifier is provided in the case the contents of this file are ever deemed subject to copyright." The scanners would presumably pick this up and flag it.


---
Mike Dolan
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322
mdolan@...
---





Matija Šuklje
 

On 28. 11. 21 at 05:26, Luis Villa wrote:
> I think you really want (in this example) something like “GPL-2.0-or-later
> OR CC-PDM-1.0”, which conveys the ambiguous nature of the assessment and
> allows a policy engine to say “we trust upstream attempts to do
> self-analysis of CC-PDM” or “hell no, our risk tolerance can’t accept the
> vagaries of self-defined public domain and so we must fall back to the
> other license”. Unfortunately, since part of what you’re after is brevity
> and simplicity, and CC (not unwisely) sought precision, I don’t think the
> actual text of CC-PDM gets you where you want to be even if it is
> logically/legally the correct approach.
I was thinking in the same lines of a ($“pd” OR $license) solution.

It does make things more complicated than just $license, but if there is
actual need for it, it’s the solution I think makes sense.

As for any need for this, I have been involved in a use case where I was
explicitly asked to clarify to downstream whether the project license applies
to config files and had to send a written statement about it. I realise those
are edge cases though, so the solution should not be something that messes up
the standard way forward.


cheers,
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...