Re: Some SPDX 1.0 beta examples


dmg
 

Thanks Peter for your clarifications.

I think this shows that the ones creating the files will be _making_
decisions. In this case, several have been made:

1. Files without a license share the license of the project
2. If a file A specifies that its license is in B, then license(A) == license(B)
3. Even though there is no perfect textual comparison of the license
(aside from whitespace) the licenses have been considered to be
equivalent.

These are very good reasons why standardizing text of licenses by
inclusion seems to me like a bad idea.

---dmg

On Thu, Sep 30, 2010 at 9:06 AM, Peter Williams
<peter.williams@...> wrote:
On 9/29/10 2:32 PM, dmg wrote:

This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think they are worth discussing:

1.  Some files do not contain a license, yet they are marked as one:
We assume that any file that does not contain explicit license info and does
not match any of the open source in our database is licensed under the
declared license of the project.  In this case the Zlib license.

2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?
I think this is outside the scope of the spdx proper.  Many of the decisions
about what licenses govern a file will be made on criteria other than an
explicit license declaration, direct or indirect.  For example, some part of
a file might be matched against a database of open source and that open
source file might have a license associated with it.

In the short term this could be handled as a comment on the file object. It
might be an interesting follow-on project to create an extension to allow
expressing the decision criteria for why a particular license was chosen.

3. Is it the same to include a license as to refer to a license?
We treat those the same.  This is a policy issue to be worked out between
the producer and the consumers of the spdx file.  I think the spec should
avoid specifying the copyright/license analysis process.  Spdx should just
provide a way to express the results of such an analysis.


4. In some files the zlib license varies slightly:


  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the author be held liable for any damages
  arising from the use of this software.

and in others

  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the authors be held liable for any damages
  arising from the use of this software.
This also feels like a policy issue to me.  We treat those as the same.

Peter Williams
<http://openlogic.com>



--
--dmg

---
Daniel M. German
http://turingmachine.org
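
An added example, not part of the thread or of any SPDX tooling: one way a producer could make the equivalence decision from point 4 explicit, by comparing a file's license text to the reference after whitespace normalization and recording exactly which words differ. The function names and the free-text comment format are assumptions of this example, not SPDX fields.

```python
import difflib
import hashlib

# The two warranty paragraphs quoted in the thread; B is re-wrapped here
# (constructed) to show that line breaks and indentation are ignored.
VARIANT_A = """This software is provided 'as-is', without any express or implied
  warranty.  In no event will the author be held liable for any damages
  arising from the use of this software."""
VARIANT_B = """This software is provided 'as-is', without any express or
implied warranty. In no event will the authors be held liable for any
damages arising from the use of this software."""


def tokens(text):
    """Split on any whitespace so wrapping and indentation do not matter."""
    return text.split()


def digest(text):
    """SHA-1 (the hash mentioned in the thread) of whitespace-normalized text."""
    return hashlib.sha1(" ".join(tokens(text)).encode("utf-8")).hexdigest()


def compare_license_text(found, reference):
    """Return (verdict, diffs); verdict: 'exact', 'whitespace-only', 'differs'."""
    if found == reference:
        return "exact", []
    if digest(found) == digest(reference):
        return "whitespace-only", []
    ref, got = tokens(reference), tokens(found)
    matcher = difflib.SequenceMatcher(a=ref, b=got, autojunk=False)
    diffs = [(op, ref[i1:i2], got[j1:j2])
             for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]
    return "differs", diffs


def decision_comment(found, reference, policy_accepts):
    """Hypothetical free-text note recording why a license was assigned."""
    verdict, diffs = compare_license_text(found, reference)
    if verdict != "differs":
        return f"license text match: {verdict}"
    changes = "; ".join(f"{' '.join(r)!r} -> {' '.join(g)!r}" for _, r, g in diffs)
    state = "treated as equivalent by policy" if policy_accepts else "needs review"
    return f"license text differs ({changes}); {state}"


if __name__ == "__main__":
    print(decision_comment(VARIANT_B, VARIANT_A, policy_accepts=True))
```
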
