Peter Williams <peter.williams@...>
There has been a bit of discussion in the technical working group about the role of judgments in spdx. It has been suggested that information that is the result of human, or automated heuristic, judgment should be disallowed/discouraged in spdx files.

This has led me to wonder about the primary purpose of the licensing parts of spdx. Do we intend for spdx files to convey the actual licenses under which a package is copyable? Or should spdx files convey just the licenses under which a package is explicitly stated/declared to be copyable?

The actual licensing of a package is often not fully and explicitly stated. (Files don't have headers, code snippets are copied, etc.) Therefore if spdx conveys the actual licensing of a package this will require representing human/heuristic judgments.

Conveying the actual licensing will also mean that two spdx files for the same package might disagree regarding the licensing. This could happen because one was generated by a person or tool that discovered more facts. (For example, a tool might detect that some of the code in a file appears to originate from some other project while a human on their own might not.) Or it could result from different judgments being made from the same information.

If we limit spdx to conveying only the stated/declared licensing we would avoid inharmonious spdx files. This would be achieved by precluding judgments (or limiting the types of allowed judgments to a very small set). However, consumers would not be able to treat spdx files as an authoritative guide to the licensing of the package. The set of declared/explicitly stated licenses would often be incomplete and sometimes it would be erroneous.

The beta spec states that "information that cannot be derived from an inspection (whether manual or using automated tools) of the package to be analyzed" is "not covered in the specification". This would seem to imply that judgments about what licenses a package was copyable under would be allowed if those judgments were based on discoverable facts. However, I am not sure it is entirely cut and dried.

I think this issue bears some discussion in the larger group. Are technical judgments regarding the licensing of the files and packages acceptable and/or desirable in spdx files?