Re: Names of licenses we currently support / where should license text live?


Peter Williams <peter.williams@...>
 

On 8/27/10 2:47 PM, Jeff Luszcz wrote:
Hi Kate et al,
As we discussed on the call a few times, I think having this amazing list of licenses in one place is a great asset to the community and I believe will help reduce license proliferation (esp. if spdx.org, Linux Foundation, OSI, etc. continue to work on anointing certain licenses as preferred).

One of my concerns in having the SPDX document only contain links to these reference licenses instead of the actual full text is that we have the chance of drift and incompleteness a few years down the road, especially if the list of licenses we anointed as "reference license" becomes as large as it looks like it is becoming.

We see analogies to this in our day to day license analysis in these current cases:

- Files that say "see License.txt file for more info" and the License.txt is missing
- "See http://www.gnu.org/licenses/lgpl.html" in a file where this used to mean LGPL 2.1 in 2006; it now means LGPL 3.0 since the link target text was changed by the FSF
- "Download from my university page http://www.ccsf.edu/~someStudent" which is now gone and no longer alive
- "This is under a BSD license" when in fact they've added copyleft-style terms or other strange things to the actual license text.

My thoughts:
- An SPDX doc should be completely self-contained for long-term validity, but can reference out to the spdx.org web site as a hook for optional data that may appear down the road.
- Some organizations have serious confidentiality concerns about outside web links/dependencies in Intellectual Property reports such as SPDX. By this I mean, if an organization has to hit the spdx.org website to render or validate the text of a license for an SPDX report, this may cause leakage of confidential info.
- Having a large list of reference licenses is great, especially if common names can be created for them.
- Template licenses / references are great for scanning tool verification / spec compliance etc., but the SPDX doc should contain the actual text of the license in effect.
- Once a license is "approved" and placed in the repo it should be immutable. That way there is no chance of the text changing once the license name is in use.

To prevent links going defunct we could use PURL[1][2]. PURL is a permanent URL service provided under the auspices of the OCLC[3] (the library cooperative). PURL is widely used in the RDF, IETF and W3C communities for URIs that need to remain valid permanently.

Providing an optional way to embed the license text could still be useful. If we do allow an "approved" license to be specified along with its license text, the spec should clarify what the semantics are if the license text in the SPDX file doesn't match the license text of the named license in the license repo. Should it be treated as a custom license, and tools would ignore the specified license? Or should that constitute an error? Or should the license text be ignored in favor of the license name?

Peter

[1]: http://purl.org
[2]: http://purl.oclc.org/docs/faq.html
[3]: http://oclc.org
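As an added illustration of the mismatch question raised above (not code from the SPDX project or either poster), here is how a consumer could check an embedded license text against a local, immutable set of reference fingerprints without calling out to any web site, taking the "treat a mismatch as a custom license" option. The license identifiers and reference texts are constructed placeholders, and the whitespace/case normalization is an assumption about what should not count as drift.

```python
import hashlib
import re

# Constructed stand-in for an immutable reference repository:
# identifier -> full reference text. Real deployments would carry the
# approved license texts; these two strings are placeholders only.
REFERENCE_TEXTS = {
    "Example-Permissive-1.0": "Permission is hereby granted, free of charge, to any person ...",
    "Example-Copyleft-2.0": "You may redistribute this work provided that ...",
}


def normalize(text: str) -> str:
    """Collapse whitespace and case so harmless reformatting is not flagged as drift."""
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(text: str) -> str:
    """SHA-256 over the normalized text; stable as long as the wording is unchanged."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


# Frozen once at repository build time; the repository is append-only, never edited,
# so a name always resolves to the same fingerprint (the immutability point above).
REFERENCE_FINGERPRINTS = {name: fingerprint(t) for name, t in REFERENCE_TEXTS.items()}


def classify_license(name: str, embedded_text):
    """Decide what a consumer should make of a (license name, embedded text) pair.

    Returns one of:
      'verified'     - name is known and the embedded text matches the reference
      'custom'       - name is known but the text differs (e.g. "BSD" plus extra terms)
      'unknown-name' - name is not in the local reference repository
      'text-missing' - only a name was given; resolve it locally, never over the network
    """
    if name not in REFERENCE_FINGERPRINTS:
        return "unknown-name"
    if embedded_text is None:
        return "text-missing"
    if fingerprint(embedded_text) == REFERENCE_FINGERPRINTS[name]:
        return "verified"
    # The name must not be trusted over the shipped text: treat as a custom license.
    return "custom"
```

The check runs entirely against the local fingerprint table, so validating a report never leaks which licenses a confidential document contains to an outside server.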
