Re: Some SPDX 1.0 beta examples

Peter Williams <peter.williams@...>

On 9/30/10 11:57 AM, dmg wrote:
Thanks Peter for your clarifications.

I think this shows, that the ones creating the files will be _making_
I completely agree. I think anyone that has actually tried to analyze a package for copyright/license info knows that a lot of judgment calls are required.

In this case, several have been made:

1. Files without a license share the license of the project
2. If a file A specifies that its license is in B, then license(A) == license(B)
I would say that as license(A) = license-specified-by(B). For example, the text of GPL v3, <>, is licensed under terms quite different from GPL. So if license(A) -> B where B is a file containing just the text of the GPL then license(A) = GPL but license(B) = "Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed."

3. Even though there is no perfect textual comparison of the license
(aside from whitespace) the licenses have been considered to be
This is the only sane thing to do. Unfortunately, there are situations in which reasonable people could disagree about whether two license texts are really the same license or not.

These are very good reasons why standardizing text of licenses by
inclusion seems to me like a bad idea.
Here I disagree. I think standardizing some license texts is a Good Thing. No one will be forced to reference those standard licenses. If you find a license that you believe is materially different from all the texts in the public repo, that license can be included in the spdx file as a non-standard license. Having a set of licenses with standardized names allows much more efficient communication and greater interoperability.

The standard should be updated to allow the license text to be included in all situations. Even for standard licenses. That way an spdx producer could include the variations found, even if the producer considers them materially the same.



On Thu, Sep 30, 2010 at 9:06 AM, Peter Williams
<peter.williams@...> wrote:
On 9/29/10 2:32 PM, dmg wrote:

This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think they are worth discussing:

1. Some files do not contain a license, yet they are marked as one:
We assume any file that does not contain explicit license info and does
not match any of the open source in our database is licensed under the
declared license of the project. In this case the Zlib license.

2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?
I think this is outside the scope of the spdx proper. Many of the decisions
about what licenses govern a file will be made on criteria other than an
explicit license declaration, direct or indirect. For example, some part of
a file might be matched against a database of open source and that open
source file might have a license associated with it.

In the short term this could be handled as a comment on the file object. It
might be an interesting follow-on project to create an extension to allow
expressing the decision criteria for why a particular license was chosen.

3. Is it the same to include a license as to refer to a license?
We treat those the same. This is a policy issue to be worked out between
the producer and the consumers of the spdx file. I think the spec should
avoid specifying the copyright/license analysis process. Spdx should just
provide a way to express the results of such an analysis.

4. In some files the zlib license varies slightly:

This software is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.

and in others

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
This also feels like a policy issue to me. We treat those as the same.

Peter Williams
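
Added example, not part of the original thread or of any SPDX tooling: a small comparison that treats two license texts as identical only modulo whitespace and otherwise lists the word-level variations a producer could record, run on the two zlib disclaimer variants quoted above. The function names and the result labels are assumptions made for illustration.

```python
import difflib
import hashlib

# The two disclaimer variants quoted in the thread (line breaks as posted).
VARIANT_AUTHOR = """This software is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software."""
VARIANT_AUTHORS = """This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software."""

def normalize(text):
    """Collapse every run of whitespace to one space (the only tolerance used)."""
    return " ".join(text.split())

def fingerprint(text):
    """SHA1 of the whitespace-normalized text."""
    return hashlib.sha1(normalize(text).encode("utf-8")).hexdigest()

def same_modulo_whitespace(a, b):
    return fingerprint(a) == fingerprint(b)

def variations(reference, found):
    """Word-level differences as (reference_words, found_words) pairs."""
    ref, fnd = reference.split(), found.split()
    matcher = difflib.SequenceMatcher(None, ref, fnd, autojunk=False)
    return [(" ".join(ref[i1:i2]), " ".join(fnd[j1:j2]))
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]

def compare(reference, found):
    """Report an exact match, or the variations left for a human judgment call."""
    if same_modulo_whitespace(reference, found):
        return {"match": "exact-modulo-whitespace", "variations": []}
    return {"match": "needs-judgment", "variations": variations(reference, found)}

if __name__ == "__main__":
    # Constructed input: the first variant re-wrapped with different whitespace.
    rewrapped = VARIANT_AUTHOR.replace("\n", "  \n\t")
    print(compare(VARIANT_AUTHOR, rewrapped))
    print(compare(VARIANT_AUTHOR, VARIANT_AUTHORS))
```

Whether a "needs-judgment" result counts as the same license remains the producer's policy decision; the code only surfaces the difference.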
Spdx mailing list