On 8/29/10 8:07 PM, Soeren_Rabenstein@... wrote:

The only concern I have is accountability for accuracy of the license repository.
*One possible* way to overcome this is, that we may specify what is a standard compliant spdx license text repository as well. Then there can be the default PURL repository (without warranty), but companies may also host their own repository, and include to their spdx files a pointer to that adress. (However if I say, this is a sdpx version x.y compliant repository, I may not represent LGPL 2.1 as LGPL 3.0 in there.)

I can see some benefits to this approach. It will result in multiple URIs for the same logical license, though. This might cause some complications for certain classes of tools that consume SPDX. We could overcome this by requiring that licenses in private repos provide a isVersionOf[1] property whose value is the URI of the equivalent license in the standard SPDX repo.

It is not clear to me that many organizations would need, or want, to duplicate the main repo if it is maintained by an organization that can credibly assert that once licenses are approved they are never modified. However, supporting multiple repos is pretty easy.

Such functionality would also provide an organic way to grow the set of standardized licenses. Licenses would start in private repos. Over time the common ones would be approved into the main repo. Then private repos could be update to indicate they are versions of the standardized license.

Peter

[1]: http://dublincore.org/documents/dcmi-terms/#terms-isVersionOf