Commutativity of SPDX expressions
Richard Fontana
I'm working on some draft documentation for Fedora around use of SPDX
expressions in RPM spec file License: fields. I was surprised to
apparently not see anything in the SPDX spec that says that the AND
and OR operators are commutative. I want to assert that the expression
"MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
SPDX spec actually take no position on this?
Richard
McCoy Smith
At the risk of sounding like I’m hijacking this to re-raise my prior issue:
If AND is the operator to be used when having different inbound vs outbound, then AND may not be commutative, since the order of listing the licenses may convey information about which license is inbound vs outbound, and (maybe) which license applies to different parts of the code.
Which militates to me toward a new expression, but I’ve made that point already.
On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...> wrote:
> I'm working on some draft documentation for Fedora around use of SPDX
> expressions in RPM spec file License: fields. I was surprised to
> apparently not see anything in the SPDX spec that says that the AND
> and OR operators are commutative. I want to assert that the expression
> "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
> SPDX spec actually take no position on this?
> Richard
Warner Losh
Please define "INBOUND" and "OUTBOUND" licenses. None of the open source licenses indexed by SPDX grant permission to relicense the derived work, so any work including them either is solely the original license, or an AND of the project's license and the original license (to the extent the project creates a derived work). This is a clear case for "AND" where both licenses must be complied with. SPDX expressions do not have additional, secondary meanings, like what is the preferred license, what license do we accept changes for this derived work under, etc. All those secondary meanings, if any, would need to be spelled out explicitly by the project wishing for them to apply for that project. For example, if a project takes MIT licensed code and creates a derived work they wish to license as GPL, they must list the license as GPL AND MIT because their desire to license under the GPL does not override the MIT license nor the IP of the original author. To say that the GPL is a proper-superset of the MIT license would be taking a legal position that's more aggressive than has been taken in the past, and I don't think that the SPDX project wants to be in the position of creating a matrix that says what is a superset of what so you can 'reduce' the complexity of the SPDX-License-Expression using some set of rules.
As for "AND": The standard says the following:
'If required to simultaneously comply with two or more licenses, use the conjunctive binary "AND"...'
Since each license is given equal weight in this construct, I'd say that AND is commutative where A AND B == B AND A. The standard has no verbiage to the contrary to suggest one is controlling when there's a conflict, for example. Nor any of the other problems that might result from them being non-commutative. The standard is not explicit that it is commutative, but common usage for AND is. In the absence of a more specific definition, common usage would dictate interpretation should this be litigated. I'll let the better legal minds here, though, chime in as to whether or not the SPDX standard, as written, would need any correction to its language to address this potential ambiguity.
Warner
On Sun, Jul 17, 2022 at 1:18 PM McCoy Smith <mccoy@...> wrote:
> At the risk of sounding like I’m hijacking this to re-raise my prior issue:
> If AND is the operator to be used when having different inbound vs outbound, then AND may not be commutative, since the order of listing the licenses may convey information about which license is inbound vs outbound, and (maybe) which license applies to different parts of the code.
> Which militates to me toward a new expression, but I’ve made that point already.
> > On Jul 17, 2022, at 11:22 AM, Richard Fontana <rfontana@...> wrote:
> >
> > I'm working on some draft documentation for Fedora around use of SPDX
> > expressions in RPM spec file License: fields. I was surprised to
> > apparently not see anything in the SPDX spec that says that the AND
> > and OR operators are commutative. I want to assert that the expression
> > "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
> > SPDX spec actually take no position on this?
> >
> > Richard
J Lovejoy
Hi Richard,
Annex D explains the order of precedence for the operators and use of parentheses. https://spdx.github.io/spdx-spec/SPDX-license-expressions/
I admit, I find the use of parentheses easier to understand overall (than relying on remembering the order of precedence).
I’m not sure it explicitly states that "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT" but I think that’s kind of implicit, no?
I also think this entire annex could use a re-write to make it a bit more user-friendly (on the topic of improving documentation…)
Jilayne
J Lovejoy
Hi McCoy,
I’m wondering if you are trying to adapt SPDX identifiers in a situation not anticipated. Consider that the aim of an SPDX document (as per the SPDX specification, and thus, using SPDX license ids in the various specification fields) is to communicate licensing, copyright, provenance, etc. information for a given bundle of software. For example, I sell you Jilaynes-awesome-software-app and provide an SPDX document for that software product. The licensing info in this context would be presumably what I think you are referring to as the “outbound” license - that is the license under which the software is used by the recipient.
Let’s say, Jilaynes-awesome-software-app includes some open source software under various open source licenses, say, MIT and Apache-2.0, and I also added some of my own (new) code under BSD-3-Clause. All of this can be reflected in the appropriate license fields at the package, file, and/or snippet level.
I think of “inbound”, in relation to open source software, as usually referring to the license under which contributions are provided to the project. But I think you might be meaning “inbound” in relation to Jilayne’s-awesome-software-app - that is, the open source software that I incorporate into my app under MIT and Apache-2.0. Is that right?
Thanks,
Jilayne
McCoy Smith
Rather than getting into further debates about what various licenses do and don't require, or for that matter what copyright law does or doesn't require, I guess I'd turn back to the ath5k example.
Is the license designation they used the same as the AND operator in SPDX? I think it is not (or if AND encompasses it, AND may be interpreted too broadly so as to potentially cause confusion or incorrect assumptions about the license state).
Ath5k license designation is here: https://lwn.net/Articles/247806/
Now, people are free to respond back that the ath5k license designation is legally invalid, but I for one will not stand here and have Richard Fontana's legal skills besmirched!
Richard Fontana
The order of operations is a different issue, I think. I guess the
SPDX spec assumes, as you say, that commutativity of AND and OR is
implicit (like counterpart operations in propositional logic), but
this implicit property was not obvious to one Fedora contributor.
Richard
On Sun, Jul 17, 2022 at 4:08 PM J Lovejoy <opensource@...> wrote:
> Hi Richard,
> Annex D explains the order of precedence for the operators and use of parentheses. https://spdx.github.io/spdx-spec/SPDX-license-expressions/
> I admit, I find the use of parentheses easier to understand overall (than relying on remembering the order of precedence).
> I’m not sure it explicitly states that "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT" but I think that’s kind of implicit, no?
> I also think this entire annex could use a re-write to make it a bit more user-friendly (on the topic of improving documentation…)
> Jilayne
> > On Jul 17, 2022, at 12:21 PM, Richard Fontana <rfontana@...> wrote:
> > I'm working on some draft documentation for Fedora around use of SPDX
> > expressions in RPM spec file License: fields. I was surprised to
> > apparently not see anything in the SPDX spec that says that the AND
> > and OR operators are commutative. I want to assert that the expression
> > "MIT AND Apache-2.0" is equivalent to "Apache-2.0 AND MIT". Does the
> > SPDX spec actually take no position on this?
> > Richard
Warner Losh
On Sun, Jul 17, 2022 at 2:43 PM McCoy Smith <mccoy@...> wrote:
> Rather than getting into further debates about what various licenses do and don't require, or for that matter what copyright law does or doesn't require, I guess I'd turn back to the ath5k example.
> Is the license designation they used the same as the AND operator in SPDX? I think it is not (or if AND encompasses it, AND may be interpreted too broadly so as to potentially cause confusion or incorrect assumptions about the license state).
> Ath5k license designation is here: https://lwn.net/Articles/247806/
> Now, people are free to respond back that the ath5k license designation is legally invalid, but I for one will not stand here and have Richard Fontana's legal skills besmirched!
Each of the individual files retains the original copyright and license, as the original author required. You are required to still abide by the terms in those files (but each individual grant is not the sum of the requirements).
The current kernel.org Linux ath5k driver is marked as 'MODULE_LICENSE("Dual BSD/GPL");'. The kernel.org version of this driver does not have these changes included. In addition, the OpenBSD folks were none-too-happy with this attempt to strip off the BSD licenses. https://undeadly.org/cgi?action=article&sid=20070829001634 has the details (but Google finds many other instances, I've not chased them all down). LICENSE_MODULE is beyond the scope of SPDX and is up to the Linux Kernel Community what licenses they support and when.
The SPDX matching tool, which implements the SPDX license matching guidelines, would say that there are multiple licenses you must comply with. That means the union of all the licenses, which is the meaning of AND in a SPDX-License-Identifier, which I believe would be the result for several of the files. I've not run it on the current version of these files, but have obtained that result for other code that has multiple licenses.
I'm not entirely sure, given the contentious history, that this makes a good example, though.
Warner
> -----Original Message-----
> From: J Lovejoy <opensource@...>
> Sent: Sunday, July 17, 2022 1:18 PM
> To: McCoy Smith <mccoy@...>
> Cc: Richard Fontana <rfontana@...>; SPDX-legal <spdx-
> legal@...>
> Subject: Re: Commutativity of SPDX expressions
>
> Hi McCoy,
>
> I’m wondering if you are trying to adapt SPDX identifiers in a situation not
> anticipated. Consider that the aim of an SPDX document (as per the SPDX
> specification, and thus, using SPDX license ids in the various specification
> fields) is to communicate licensing, copyright, provenance, etc. information
> for a given bundle of software. For example, I sell you Jilaynes-awesome-
> software-app and provide an SPDX document for that software product. The
> licensing info in this context would be presumably what I think you are
> referring to as the “outbound” license - that is the license under which the
> software is used by the recipient.
>
> Let’s say, Jilaynes-awesome-software-app includes some open source
> software under various open source licenses, say, MIT and Apache-2.0, and I
> also added some of my own (new) code under BSD-3-Clause. All of this
> can be reflected in the appropriate license fields at the package, file, and/or
> snippet level.
>
> I think of “inbound”, in relation to open source software, as usually referring
> to the license under which contributions are provided to the project. But I
> think you might be meaning “inbound” in relation to Jilayne’s-awesome-
> software-app - that is, the open source software that I incorporate into my
> app under MIT and Apache-2.0. Is that right?
>
> Thanks,
> Jilayne
Gary O'Neall
I've always assumed the AND and OR operators to be commutative and the SPDX Java tools take full advantage of the commutative properties when comparing license expressions.
I would welcome a pull request to Annex D to clarify this since at least one member of the community found this ambiguous and/or confusing.
Gary
-----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of
Richard Fontana
Sent: Sunday, July 17, 2022 2:36 PM
To: J Lovejoy <opensource@...>
Cc: SPDX-legal <spdx-legal@...>
Subject: Re: Commutativity of SPDX expressions
The order of operations is a different issue, I think. I guess the SPDX spec
assumes, as you say, that commutativity of AND and OR is implicit (like
counterpart operations in propositional logic), but this implicit property was
not obvious to one Fedora contributor.
Richard
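An order-insensitive comparison of license expressions of the kind discussed in this thread, added here as an illustration; it is not the SPDX Java tools' code and not text from the specification. It assumes AND and OR are associative as well as commutative (so nested operands of the same operator can be flattened and sorted), handles only identifiers, `WITH`, `AND`, `OR` and parentheses, and all function names are made up for the example.

```python
import re

_RESERVED = {"(", ")", "AND", "OR", "WITH", None}  # None marks end of input


def tokenize(expr):
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.\-+:]+", expr)
    # findall silently skips characters it cannot match, so check none were dropped.
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unexpected character in expression")
    return tokens


def parse(expr):
    # Precedence, tightest first: WITH, AND, OR; parentheses override it.
    tokens, i = tokenize(expr) + [None], 0

    def peek():
        return tokens[i]

    def take():
        nonlocal i
        i += 1
        return tokens[i - 1]

    def operand():
        tok = take()
        if tok == "(":
            node = chain("OR")
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in _RESERVED:
            raise ValueError(f"unexpected token {tok!r}")
        if peek() == "WITH":
            take()
            exception = take()
            if exception in _RESERVED:
                raise ValueError(f"unexpected token {exception!r}")
            return ("WITH", tok, exception)
        return tok

    def chain(op):
        parse_next = (lambda: chain("AND")) if op == "OR" else operand
        items = [parse_next()]
        while peek() == op:
            take()
            items.append(parse_next())
        return items[0] if len(items) == 1 else (op, tuple(items))

    node = chain("OR")
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node


def normalize(node):
    # WITH is left alone: its two sides (license, exception) play different roles.
    if isinstance(node, str) or node[0] == "WITH":
        return node
    op, flat = node[0], []
    for child in map(normalize, node[1]):
        if isinstance(child, tuple) and child[0] == op:
            flat.extend(child[1])  # (A AND B) AND C becomes one three-way AND
        else:
            flat.append(child)
    return (op, tuple(sorted(flat, key=repr)))  # fixed order, whatever the input order


def render(node, nested=False):
    if isinstance(node, str):
        return node
    if node[0] == "WITH":
        return f"{node[1]} WITH {node[2]}"
    text = f" {node[0]} ".join(render(child, True) for child in node[1])
    return f"({text})" if nested else text


def canonical(expr):
    return render(normalize(parse(expr)))


def equivalent(a, b):
    return normalize(parse(a)) == normalize(parse(b))
```

A License: field check can compare `canonical()` output, so that reordering operands does not register as a license change while swapping AND for OR, or moving parentheses, still does.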
Dear Gary,
> I've always assumed the AND and OR operators to be commutative and
> the SPDX Java tools take full advantage of the commutative
> properties when comparing license expressions.
> I would welcome a pull request to Annex D to clarify this since at
> least one member of the community found this ambiguous and/or
> confusing.
I've made a pull request for this :) Not sure whether it'll make 2.3
though - has the final draft been released yet?
https://github.com/spdx/spdx-spec/pull/748
Best wishes,
Sebastian
Gary O'Neall
Thanks Sebastian - since we haven't finished the review of the version 2.3,
I think there is still time.
Best regards,
Gary
-----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of
Sebastian Crane
Sent: Monday, July 18, 2022 9:13 AM
To: Spdx-legal@...
Subject: Re: Commutativity of SPDX expressions
Dear Gary,
> I've always assumed the AND and OR operators to be commutative and the
> SPDX Java tools take full advantage of the commutative properties when
> comparing license expressions.
> I would welcome a pull request to Annex D to clarify this since at
> least one member of the community found this ambiguous and/or
> confusing.
I've made a pull request for this :) Not sure whether it'll make 2.3 though - has
the final draft been released yet?
https://github.com/spdx/spdx-spec/pull/748
Best wishes,
Sebastian
Richard Fontana
I feel like what some projects might find useful is something like:
SPDX-License-Identifier-Concluding-What's-Been-Contributed-As-Of-Some-Past-Time:
SPDX-License-Identifier-Of-What's-Been-Contributed-After-That-Past-Time-And-Default-License-of-Future-Contributions:
since these might point to different licenses. The snippet construct
can possibly express this adequately in some cases but I think
reliable identification of a snippet will normally be impractical.
Richard