Date
1 - 15 of 15
Combined version of LGPL + GPL 3.0
|
Max Mehl
Hi all,
In the scope of REUSE we've noticed [^1] that just providing LPGL-3.0* – as downloaded from SPDX – in a repo does not suffice as it requires its mother license, GPL-3.0*. LGPL could be seen as an exception to GPL, but it's not treated as such by the FSF. Matija and I discussed that with FSF and the different options we have to suit SPDX, REUSE and other downstreams. We found a compromise: there is now an officially acknowledged license text that contains both LGPL-3.0 and GPL-3.0: https://www.gnu.org/licenses/lgpl+gpl.txt Now my request: can we get this combined version into SPDX' license list data, e.g. [^2]? Best, Max [^1]: https://github.com/fsfe/reuse-tool/issues/86 [^2]: https://github.com/spdx/license-list-data/blob/master/text/LGPL-3.0-or-later.txt -- Max Mehl - Programme Manager - Free Software Foundation Europe Contact and information: https://fsfe.org/about/mehl | @mxmehl Become a supporter of software freedom: https://fsfe.org/join |
|
|
|
Philippe Ombredanne
Hey Max,
You wrote: On Wed, Jul 28, 2021 at 11:01 AM Max Mehl <max.mehl@...> wrote: In the scope of REUSE we've noticed [^1] that just providing LPGL-3.0* –Has this been discussed publicly? Now my request: can we get this combined version into SPDX' license listI think that you stated explicitly this is not a new license, just a clarification (optional one?) that providing both texts when referencing LGPL-3* is better. How could one ever handle this sanely in practice? If this is not a new license, why would you need a new license identifier? If this is a new license, or a new previsously unstated requirement of the LGPL 3 it would need some wide open and public discussion IMHO. Some examples of the new and updated clarity issues this brings: Say I stumbled on the text at https://www.gnu.org/licenses/lgpl+gpl.txt in some project... is this project using the LGPL only or the LGPL and the GPL that apply? It is impossible to disambiguate which one applies short of a statement by the authors that they mean the GPL not to apply but that only the LGPL should be considered there and that the GPL text is there only for reference. What if a project contains both GPL3 and LGPL 3-licensed code? They could use the exact same text as above and I would still not be able to disambiguate short of extra statements. Now say the author added a license identifier in the code saying that this is "LGPL-3.0-only"... did they forget to reference the GPL text in the combined text above? Or is this really just LGPL? Or is some part of the code GPL-licensed but not marked as such? I cannot say for sure either and I would not trust that. I still need some more explicit statements to get clarity. IMHO the status of the LGPL as a self standing text or whether it needs to be accompanied by the GPL text has been a jolly mess of ambiguity since the release of the L/GPL3*. I cannot see how the FSF releasing a text that combines two texts makes it any better, to the contrary: it just adds even more ambiguity and confusion. Even more so if there has been no public discussion on the topic. I cannot fathom how this kind of confusion, uncertainty and doubt is helpful to anyone producing or consuming LGPL-licensed code. -- Cordially Philippe Ombredanne |
|
|
|
Max Mehl
Hi Philippe,
(I mistyped the spdx-tech address, fixed here) ~ Philippe Ombredanne [2021-07-28 12:04 +0200]: On Wed, Jul 28, 2021 at 11:01 AM Max Mehl <max.mehl@...> wrote:The ticket in the reuse-tool is public, the discussions with FSF wereIn the scope of REUSE we've noticed [^1] that just providing LPGL-3.0* –Has this been discussed publicly? private with John Sullivan and Donald Robertson. Sorry if this has been unclear. I do not request a new licenseNow my request: can we get this combined version into SPDX' license listI think that you stated explicitly this is not a new license, just a identifier but an amendment of the full text version. LGPL-3.0* requires the GPL-3.0 text, and FSF has officially provided a concatenated version. For SPDX and other downstreams it would just make sense to use the "complete" version IMHO, as it meets users expectations. Some examples of the new and updated clarity issues this brings:The top of the file quite clearly states that this is about the LGPL. But of course, just from this text it's unclear how the actual code is licensed, but that's a common problem in repos using multiple licenses. That's why SPDX license identifiers make a lot of sense, and also why the REUSE way of storing license texts is so useful. It's very clear if you store the above license text under `LICENSES/LGPL-3.0-or-later.txt` and mark the files with `SPDX-License-Identifier: LGPL-3.0-or-later`. What if a project contains both GPL3 and LGPL 3-licensed code? TheyWell, in the example above, that wouldn't be any problem. You can have both GPL and LGPL licensed code in your repo, and by using SPDX expressions you can even dual-license selected files if you wanted. Again, just by having a LICENSE file things are ambiguous anyway. And what's the alternative for LGPL-3.0? Just using the text that SPDX provides currently is not compliant as the license requires the GPL-3.0 to be present. What changed now is that there is an official upstream combined version, so SPDX should use it. Now say the author added a license identifier in the code saying thatI get your point, and it's also not the most ideal outcome, but as written above I think the situation improved. And of course we need explicit statements, and thanks to the combination of SPDX and REUSE that's a common best practice. Best, Max -- Max Mehl - Programme Manager - Free Software Foundation Europe Contact and information: https://fsfe.org/about/mehl | @mxmehl Become a supporter of software freedom: https://fsfe.org/join |
|
|
|
Karsten Klein
|
|
|
|
J Lovejoy
Hi Max,
toggle quoted message
Show quoted text
Do I understand correctly that FSF still doesn't think of LGPL-3.0 as an exception to GPL-3.0 (even though functionally and structurally it is) and thus wants us all now to identify LGPL-3.0 as a conjunctive license expression, using and? If that is the case, then I don't see what needs to be added to the SPDX License List, as AND works with any two (or more) licenses. What is the implication of just LGPL-3.0 at this point, then? What happens in terms of backward compatibility for everyone already using that identifier? I appreciate you looking into this, but it really would have helped to be involved. As had been discussed here before, LGPL more aptly belongs on the exceptions list to be used with the WITH operator. In any case, any change like this is not inconsequential for existing users of SPDX and all scenarios need to be fully discussed (as we learned last time we made a major change in our identifiers for the FSF). Is this change initiated by REUSE or FSF? Happy to have a chat offline to understand more of the background, if need be, so we can better identify the right path forward. Thanks, Jilayne (have not read other responses yet) On 7/28/21 3:01 AM, Max Mehl wrote:
Hi all, In the scope of REUSE we've noticed [^1] that just providing LPGL-3.0* – as downloaded from SPDX – in a repo does not suffice as it requires its mother license, GPL-3.0*. LGPL could be seen as an exception to GPL, but it's not treated as such by the FSF. Matija and I discussed that with FSF and the different options we have to suit SPDX, REUSE and other downstreams. We found a compromise: there is now an officially acknowledged license text that contains both LGPL-3.0 and GPL-3.0: https://www.gnu.org/licenses/lgpl+gpl.txt Now my request: can we get this combined version into SPDX' license list data, e.g. [^2]? Best, Max [^1]: https://github.com/fsfe/reuse-tool/issues/86 [^2]: https://github.com/spdx/license-list-data/blob/master/text/LGPL-3.0-or-later.txt |
|
|
|
J Lovejoy
On 7/28/21 4:35 AM, Max Mehl wrote:
Hi Philippe,This is a problem. We already went down this road with having back-and-forth conversations with FSF (by way of Richard Stallman and John Sullivan) in 2018 when Richard Stallman wanted us to change the identifiers to be more clear about -only and -or-later. The mode of communication ended up being a mixture of off-list and on-list, which I never was very comfortable with and which made for a lot of extra work. I'm not in favor of repeating that. If there is something that the FSF, REUSE, or any other community wants addressed related to SPDX identifiers, that conversation needs to begin here - on the open mailing list which anyone can join and for which all the archives are available. I have copied John and Don on this email directly so they are aware. I have moved the tech team to bcc - for general awareness, as any such change could impact tooling. Once a conversation is kicked off on this list, we can pull the tech team in at the appropriate time. Thanks, Jilayne |
|
|
|
Max Mehl
Hi Jilayne,
(Taking out -tech as per earlier request) ~ J Lovejoy [2021-07-28 16:36 +0200]: Do I understand correctly that FSF still doesn't think of LGPL-3.0 as anYes, that was a suggestion made by Matija in the discussion we've had. It was turned down by FSF. What is the implication of just LGPL-3.0 at this point, then? WhatWe didn't think this was so controversial to be honest. Again, my point of view is that this improves the situation for users, especially those of REUSE: so far, when adding the LGPL-3.0 license from SPDX to their repo for LGPL-3.0 licensed code, the license text was incomplete as it required the GPL-3.0 license to be present as well. That's unintuitive and would have required special clauses in tooling like REUSE. Now, we have a concatenated version. The license effectively did not change from my perspective, now it's just complete and intuitive. But IANAL. Please note that the official LGPL text by FSF has not been altered. The concatenated version is an alternative format. As had been discussed here before, LGPL more aptly belongs on theAgain, full ack. But my understanding was that SPDX did not want to go this route as the license steward (FSF) does not consider it an exception but a separate license. In any case, any change like this is not inconsequential for existingI cannot speak for FSF, just REUSE and the FSFE, REUSE's coordinator. REUSE obviously does not intent to change SPDX identifiers or cause compliance issues. I, too, dislike the -only/-or-later special cases, which is also why my motivation was to get rid of this special case that two license texts for one license have to be shipped. I am afraid that compliance issues have been caused *before* this change as the downloaded LGPL-3.0 license was not complete. Best, Max -- Max Mehl - Programme Manager - Free Software Foundation Europe Contact and information: https://fsfe.org/about/mehl | @mxmehl Become a supporter of software freedom: https://fsfe.org/join |
|
|
|
J Lovejoy
I meant to add: our next legal call is
Thursday, Aug 5th at 10am mountain time.
toggle quoted message
Show quoted text
Happy to dedicate some time then to this topic, if a live-discussion would help and all interested parties can attend. On 7/28/21 8:53 AM, J Lovejoy wrote:
|
|
|
|
J Lovejoy
Hi Max
On 7/28/21 9:08 AM, Max Mehl wrote:
Do I understand correctly that FSF still doesn't think of LGPL-3.0 as anto clarify: the FSF turned down GPL-3.0* WITH LGPL-3.0* orexception to GPL-3.0 (even though functionally and structurally it is) and thus wants us all now to identify LGPL-3.0 as a conjunctive license expression, using and?Yes, that was a suggestion made by Matija in the discussion we've had. It was turned down by FSF. GPL-3.0* AND LGPL-3.0* (as you understand it, not asking you to speak for the FSF) Having the discussion and getting input from the FSF isn't controversial. It's the order of events and mode of comms that is not ideal. :)What is the implication of just LGPL-3.0 at this point, then? What happens in terms of backward compatibility for everyone already using that identifier? I appreciate you looking into this, but it really would have helped to be involved.We didn't think this was so controversial to be honest. From a practical perspective: the LGPL-3.0 clearly states at the top, "This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below."Again, my point of view is that this improves the situation for users, especially those of REUSE: so far, when adding the LGPL-3.0 license from SPDX to their repo for LGPL-3.0 licensed code, the license text was incomplete as it required the GPL-3.0 license to be present as well. That's unintuitive and would have required special clauses in tooling like REUSE. Now, we have a concatenated version. The license effectively did not change from my perspective, now it's just complete and intuitive. But IANAL. It is not uncommon for legal agreements to reference, by title or URL, another document that is incorporated by such reference. Thus, not actually including the text of GPL-3.0 does not make the LGPL-3.0 incomplete. I have seen, in practice, people include the text of both in the COPYING and COPYING.LGPL files - which has made me take pause wondering - are some files under one and some under another or is it really just LGPL-3.0? Having an SPDX identifier in the actual files denoting "LGPL-3.0*" takes care of any confusion there. That's pretty much right. I don't recall if we ever really asked FSF directly, to be honest!Please note that the official LGPL text by FSF has not been altered. The concatenated version is an alternative format.As had been discussed here before, LGPL more aptly belongs on the exceptions list to be used with the WITH operator.Again, full ack. But my understanding was that SPDX did not want to go this route as the license steward (FSF) does not consider it an exception but a separate license. By compliance issues, do you mean compliance with the REUSE spec?In any case, any change like this is not inconsequential for existing users of SPDX and all scenarios need to be fully discussed (as we learned last time we made a major change in our identifiers for the FSF). Is this change initiated by REUSE or FSF?I cannot speak for FSF, just REUSE and the FSFE, REUSE's coordinator. REUSE obviously does not intent to change SPDX identifiers or cause compliance issues. I, too, dislike the -only/-or-later special cases, which is also why my motivation was to get rid of this special case that two license texts for one license have to be shipped. I am afraid that compliance issues have been caused *before* this change as the downloaded LGPL-3.0 license was not complete. I guess the other point here is that - in my mind, using REUSE, as a spec to provide license info, etc., should require SPDX and FSF to make some kind of change. That seems a bit backwards. In any case, I think it's good to have the discussion with all interested parties, even if we got to it in a 'round about way. ;) Thanks, Jilayne Best, Max |
|
|
|
Max Mehl
~ J Lovejoy [2021-07-28 17:34 +0200]:
On 7/28/21 9:08 AM, Max Mehl wrote:From my understanding, they did not want to treat LGPL-3.0 as anDo I understand correctly that FSF still doesn't think of LGPL-3.0 as anto clarify: the FSF turned down GPL-3.0* WITH LGPL-3.0* orexception to GPL-3.0 (even though functionally and structurally it is)Yes, that was a suggestion made by Matija in the discussion we've had. exception to GPL-3.0. So they turned down "GPL-3.0* WITH LGPL-3.0*". "GPL-3.0 AND LGPL-3.0" as well as "GPL-3.0 OR LGPL-3.0" is no problem in the REUSE space. You'd have both license texts in LICENSES/ which is what is missing if you just mark files as LGPL-3.0. That's interesting. If this was the case, the whole problem would notNow, we have a concatenated version. The license effectively did notFrom a practical perspective: the LGPL-3.0 clearly states at the top, exist. However, in the issue I've shared this was identified as a problem by multiple persons. I have seen, in practice, people include the text of both in the COPYINGAck that this method could create confusion. However, with the combination of a concatenated version under "LICENSES/LGPL-3.0-only.txt" and "SPDX-License-Identifier: LGPL-3.0-only" in the file header, I cannot see any practical confusion. Sure, the full GPL text is present in the LGPL...txt file, but given its file name and the SPDX tag, it should be obvious what's meant. Our understanding was that SPDX was unhappy with the current situationI am afraid that compliance issues have been caused *before* this changeBy compliance issues, do you mean compliance with the REUSE spec? but did not succeed in making the FSF change their treatment of LGPL in either direction (exception or concatenation). That is why we went the short informal route. I acknowledge that this was not perfect given the backlash that comes up here. In any case, I think it's good to have the discussion with allSure, that's also why I propose it here ;) My availability in August will be close to zero though, but perhaps Matija can chime in who was present in the call and a leading force behind this anyway :) Best, Max -- Max Mehl - Programme Manager - Free Software Foundation Europe Contact and information: https://fsfe.org/about/mehl | @mxmehl Become a supporter of software freedom: https://fsfe.org/join |
|
|
|
Jonas Smedegaard
Quoting Max Mehl (2021-07-28 17:56:41)
~ J Lovejoy [2021-07-28 17:34 +0200]:Seems to me that these views are not contradictory but describesFrom a practical perspective: the LGPL-3.0 clearly states at theThat's interesting. If this was the case, the whole problem would not different matters: * SPDX lingo describes which licensing has been granted * REUSE wants to know which license documents need to be included Sensible to me is not to "correct" the LGPL-3-* licenses in SPDX to embed (optionally or not) the full contents of the GPL-3, but instead to extend metadata to state that LGPL-3 depends on GPL-3. I.e. extend SPDX ontology with e.g. "spdx:licenseTextDependsOn". - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private |
|
|
|
Dear Jilayne,
Things have been moving really quickly on this, so I think I ought to give some background! I believe this to be a complete summary, though of course I don't know of the content of the Max's correspondence with the Free Software Foundation. Last Saturday I was looking through the list of issues on the REUSE tool repository and noticed https://github.com/fsfe/reuse-tool/issues/86. The issue described is that the LGPL requires the full GPL text to be present for proper compliance, but REUSE does not allow unused license texts to be included in a given repository. It occurred to me that this could be resolved in the SPDX License List instead of in REUSE - the entire GPL-3.0 could be added in an optional section below the LGPL-3.0. This would mean that: - No SPDX License IDs would change. LGPL-3.0-or-later and LGPL-3.0-only would still refer to a standalone license, and users would not need to use the 'AND' syntax in SPDX documents or license expressions. - Users of REUSE would simply need to download LGPL-3.0 via the REUSE tool. The tool fetches the SPDX License List's text, including with the optional sections. As a result, no further action would be needed to comply with the LGPL's condition that the GPL be included. - License scanning tools following the SPDX License Matching Guidelines would not be affected: as the entire GPL section is surrounded by <optional> tags, existing occurrences of the LGPL text would still be matched as LGPL, as has been the case thus far. I took the time to review the previous discussions about the LGPL in the past, both on SPDX's and REUSE's mailing list archives and GitHub repositories. Nothing similar to had been brought up before, as far as I can tell. Hence, I posted my idea in the reuse-tool GitHub issue and waited - not for long as it turned out! Earlier this week, both Max and Matija agreed on that issue that it would be a good solution, and Max contacted the FSF about it. Fast-forward to today, and I was just about to write to you and Steve Winslow to ask for this to be put on the agenda for the next Legal Team meeting. At that point I saw Max's note that the FSF had already released the combined text! Apologies if this caught you by surprise, Jilyane; the FSF's speedy publication certainly did for me! All my correspondence with Max is publicly visible on the aforementioned GitHub issue. Sorry for the somewhat long post - hopefully I've been able to describe how this idea satisfies the REUSE requirement, whilst addressing the concerns about backwards compatibility for those using the existing identifiers, both for license matching and for licensing their own repositories. If you or anyone else has any futher questions I'm more than happy to answer them here :) Best wishes, Sebastian |
|
|
|
Alexios Zavras
Sebastian,
toggle quoted message
Show quoted text
When you say "Nothing similar had been brought up before" are you talking about the inclusion of GPL text inside the LGPL one? Because the whole thing "LGPL is an exception" and "needs GPL text" has been discussed at somewhat length: https://github.com/spdx/license-list-XML/issues/956 (and then on a Legal call, as stated). -- zvr -----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of Sebastian Sent: Wednesday, 28 July, 2021 19:03 To: Spdx-legal@... Subject: Re: Combined version of LGPL + GPL 3.0 Dear Jilayne, Things have been moving really quickly on this, so I think I ought to give some background! I believe this to be a complete summary, though of course I don't know of the content of the Max's correspondence with the Free Software Foundation. Last Saturday I was looking through the list of issues on the REUSE tool repository and noticed https://github.com/fsfe/reuse-tool/issues/86. The issue described is that the LGPL requires the full GPL text to be present for proper compliance, but REUSE does not allow unused license texts to be included in a given repository. It occurred to me that this could be resolved in the SPDX License List instead of in REUSE - the entire GPL-3.0 could be added in an optional section below the LGPL-3.0. This would mean that: - No SPDX License IDs would change. LGPL-3.0-or-later and LGPL-3.0-only would still refer to a standalone license, and users would not need to use the 'AND' syntax in SPDX documents or license expressions. - Users of REUSE would simply need to download LGPL-3.0 via the REUSE tool. The tool fetches the SPDX License List's text, including with the optional sections. As a result, no further action would be needed to comply with the LGPL's condition that the GPL be included. - License scanning tools following the SPDX License Matching Guidelines would not be affected: as the entire GPL section is surrounded by <optional> tags, existing occurrences of the LGPL text would still be matched as LGPL, as has been the case thus far. I took the time to review the previous discussions about the LGPL in the past, both on SPDX's and REUSE's mailing list archives and GitHub repositories. Nothing similar to had been brought up before, as far as I can tell. Hence, I posted my idea in the reuse-tool GitHub issue and waited - not for long as it turned out! Earlier this week, both Max and Matija agreed on that issue that it would be a good solution, and Max contacted the FSF about it. Fast-forward to today, and I was just about to write to you and Steve Winslow to ask for this to be put on the agenda for the next Legal Team meeting. At that point I saw Max's note that the FSF had already released the combined text! Apologies if this caught you by surprise, Jilyane; the FSF's speedy publication certainly did for me! All my correspondence with Max is publicly visible on the aforementioned GitHub issue. Sorry for the somewhat long post - hopefully I've been able to describe how this idea satisfies the REUSE requirement, whilst addressing the concerns about backwards compatibility for those using the existing identifiers, both for license matching and for licensing their own repositories. If you or anyone else has any futher questions I'm more than happy to answer them here :) Best wishes, Sebastian Intel Deutschland GmbH Registered Address: Am Campeon 10, 85579 Neubiberg, Germany Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de> Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva Chairperson of the Supervisory Board: Nicole Lau Registered Office: Munich Commercial Register: Amtsgericht Muenchen HRB 186928 |
|
|
|
Philippe Ombredanne
Dear Sebastian, Max:
On Wed, Jul 28, 2021 at 7:03 PM Sebastian <seabass-labrax@...> wrote: - Users of REUSE would simply need to download LGPL-3.0 via the REUSEThat's the source of the issue. License texts in SPDX have never been designed to be used as a reference for attribution. This is unfortunately commonly done but ends up more often than not with garbled text because of the extra adornments, templating, commentaries or placeholders present in SPDX texts. MO, this should be clarified on the SPDX web site to avoid this trap. Max: The problem is simply that REUSE should not reuse the SPDX texts but instead use its own reference texts. For instance, on my side we maintain our own reference texts in ScanCode and AttributeCode for attribution, and these texts have been cleaned from SPDX adornments, comments, placeholders and similar. Alternatively SPDX could add a new reference text for each tracked license (when it differs from the existing text) which would be a useful public service and would avoid the confusion we have today. There you could have an LGPL+GPL thing, best combined with some extra statement to clarify what the GPL text means here. And REUSE could then use this alright - License scanning tools following the SPDX License Matching GuidelinesIf you have a file that contains only the full text of the LGPL and the full text of the GPL there is no way to disambiguate, matching guidelines or not. This would throw off matching tools in a trap that would entice them to return misleading results (possibly skipping entirely the GPL) when using SPDX guidelines. Not sure we want this. No tool could determine if we have these licenses: - the LGPL with GPL text included for use in LGPL, e.g. a GPL with an LGPL exception - the LGPL AND the GPL separately, e.g. GPL with an LGPL exception AND a GPL You need an extra statement, declaration, or notice to this effect. You cannot even use an SPDX expression for this for now. How could you sanely express something such as: "the text below is a combination of the LGPL and GPL texts, but the license we meant to document here is really only the LGPL. We included the GPL text because it is included by reference in the LGPL and should be included for redistribution". <rant> In hindsight the LGPL is a bad FOSS license text design since one must include another text but the license does not include it by default. It helps nobody: not the software authors, not the users, not redistributors, nobody. It just requires extra busy work from everyone involved and is a source of head scratching and doubt at best. It could have been because programmers felt it was OK to "import" a license text in another license text .... but a license text is not software code. We have to deal with this mess, let's not make it worse. I feel that the only sane thing at this stage would be to requalify the LGPL-3.0 correctly as an exception to the GPL because this is it. </rant> -- Cordially Philippe Ombredanne license texts janitor |
|
|
|
J Lovejoy
Hi all,
toggle quoted message
Show quoted text
Sorry for the delay in responding, I got busy with other things and needed some time to fully re-read this thread and absorb everything. Thanks to Max, Matija, and Sebastian for your combined collection of catching us up to how we got here. I fully believe there were only good intentions here, just not the ideal order of events or modes of comms (a point which needs not be dwelled on further). In any case, this thread raises several separate (even if related) issues, which I think would be best if separated out a bit. Sorry this got kind of long, but please read to the bottom. :) 1) LGPL-3.0 as a standalone short identifier: Let's just all acknowledge (once and for all) that the LGPL-3.0 (unlike 2.0 or 2.1) is NOT written as a standalone license, but it IS an additional permission (aka, exception) to GPL-3.0. The FSF, as the license steward states it as so on this page https://www.gnu.org/licenses/lgpl-3.0.en.html, where it says, "This license is a set of additional permissions added to version 3 of the GNU General Public License." Thus, we can all agree that in strictly applied SPDX license expressions, it should be on the exceptions list and denoted as: GPL-3.0* WITH LGPL-3.0*. However, when we implemented 2.0 of the SPDX License List with the license expressions in 2015, this was discussed and given industry practice and understanding, we did not put LGPL-3.0 on the exceptions list. Is this sort of breaking the mold, in terms of how other licenses/exceptions are treated on the SPDX License List? Yes. (Is it also somewhat "consistent" in terms of treating all of the GNU licenses in a special way, especially given later changes? Yes.) It is what it is, that shipped has sailed, there is no reason to cause further confusion (and disruption to SPDX users) by changing identifiers/expression now especially when the FSF has seemingly confirmed this special case scenario. (We might consider putting a Note acknowledging this to some degree, to avoid further discussion or questions in the future.) 2) How the text of GPL/LGPL-3.0 is displayed as per the FSF: The FSF has always had the advice to put a COPYING file with the GPL and add a COPYING.LESSER file with the LGPL if using that, as per https://www.gnu.org/licenses/gpl-howto.html That is pretty clear instructions (and is what I've observed people to mostly do). From my/a legal perspective, if someone only provided the text of the LGPL, I don't think this causes some great problem or license non-compliance. The LGPL-3.0 clearly states that it "incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below." Sure, I link to GPL-3.0 would be nice, but I don't think the lack of a link causes any failure. It's pretty clear. As far as I can tell, the only thing the FSF has done is add a specific page with the combination of the GPL-3.0 and LGPL-3.0 text, which one would only find (by navigation) on this page https://www.gnu.org/licenses/lgpl-3.0.en.html - the advice on their "How to use GNU licenses" page remains the same. Certainly for tooling (license scanners) matching on the text of both the GPL-3.0 and LGPL-3.0 as per the FSF's instructions is not enough to let you know specifically what code is licensed under what license. Having both texts in one file doesn't really change this situation. But this is no different than any of the GNU licenses: if a project has just COPYING file with the text of the GPL-3.0, you don't know if the code is meant to be under GPL-3.0-or-later or GPL-3.0-only; the way you know that is via the notice on the source files - be that the standard header that the GNU licenses include or an SPDX identifier/expression. Thus, I don't see how the FSF adding a somewhat hard-to-find new webpage with the plain text of both the GPL-3.0 and LGPL-3.0 changes anything. 3) FSF endorsing SPDX identifiers: On a related note: What WOULD be helpful here is if the FSF could explicitly endorse and document on the appropriate pages the use of "SPDX-License-Identifier: " in each source file. I have copied John Sullivan (who is already on the SPDX-legal list) and Donald (who is not) here again. A response would be nice. 4) Using SPDX data to pull the text of the license for use elsewhere (be it, REUSE or other places that we aware also do this): While this may not be an explicit goal of SPDX, we have long known that the database that comprises the totality of the SPDX License List is quite useful and used by many people and organizations in a variety of ways. That is a success of the project, for sure. I do not agree at all that the plain text versions that are stored in the repo for the SPDX License List are not appropriate for this use. However, I think this is a larger topic that goes beyond this specific scenario and suggest we have a separate thread on that (I'll start that off later this week) 5) Compliance with REUSE: it seems the the real issue that started this lies with some strict requirement for compliance with the REUSE specification to have one text file per one license identifier (as opposed to a license expression) with all the necessary text of the license; and that LGPL-3.0, by way of its inclusion of GPL-3.0 and the FSF's recommendation for two files kind of breaks that. I am certainly not a programmer, but couldn't this be solved with a bit of coding to make an exception (ha ha ha) for the special circumstance of LGPL-3.0? Going to the extent of adding the full text of the GPL-3.0 as optional to the LGPL-3.0 files in the SPDX License List database still seems backwards to me. I think the key thing that needs further discussion is #4 - as mentioned above, I'll start a separate email thread with some thoughts on that and we can go from there. I don't think there's much to discuss as to #1 and #2 and we will have to wait for a response from the FSF on the tangent issue of #3. #5 can probably be continued, as need be on the mailing list, at least for now? Given the above, the late hour now, and that we have a meeting tomorrow, we we will focus on closing out the 3.14 release, some other projects that need attending to. Thanks again, Jilayne On 7/30/21 9:25 AM, Matija Šuklje
wrote:
On Wednesday 28 July 2021 17:22:21 CEST J Lovejoy wrote:I meant to add: our next legal call is Thursday, Aug 5th at 10am mountain time. Happy to dedicate some time then to this topic, if a live-discussion would help and all interested parties can attend. |
|
|