Re: "Scope" of licenses to be covered by SPDX

Bradley M. Kuhn <bkuhn@...>

Ciaran Farrell wrote at 15:45 (EDT) on Saturday:

at openSUSE .... we'd like to adopt SPDX, but the license list does
not provide anywhere need the coverage that we need.
This is interesting; I'd suspect this might be the case for other
distributions, too. Debian, for example, basically has always kept a
full text file (.../doc/copyright) to describe the exact licensing
situation of its packages.

Peter Bigot wrote on Friday:
With respect to the license list, an issue I happened to notice this
morning is that items on it appear to reflect a very flat concept of
a license when there are options, e.g. GPL-2.0-with-GCC-exception and
GPL-2.0+. The problem is that this approach limits the succinct
representation of licenses. For example, if a package (e.g., libgcc)
is GPL 2.0 or later version with runtime exception, there is no
Indeed. I don't even *know* of any package in the world that's licensed
under "GPLv2-only along with any given 'GCC exception'". There is
actually *no such thing* as a single "GPL-2.0-with-GCC-exception". The
GPLv2'd versions of GCC actually have a patchwork of *different*
exceptions that are all worded slightly differently and appear
throughout various directories in the sources. When I helped lead the
process of drafting the GPLv3 RTL exception, one of our primary goals
was to encompass and rectify the differences in the various GPLv2
exceptions for GCC.

Meanwhile, one of my proposals during the GPLv3 RTL exception drafting
process -- which FSF now does -- is that all exceptions should be
versioned. SPDX's license list doesn't account for this at all. SPDX
will have to completely rework its monikers and details when new
versions of exceptions are released [0].

Meanwhile, I note the obvious additional issue that Peter hinted at but
didn't raise explicitly: I'm not aware of any program in the world
that's GPLv3-only plus the GCC RTL exception 3.1. GCC itself is
currently under "GPLv3-or-later with the GCC Runtime Library Exception
3.1". But even *that* isn't fully accurate as a generalization, because
*parts* of GCC are under that license I just stated, but the majority of
the code is straight GPLv3-or-later.

Having not looked closely at the SPDX license list before, a first
analysis shows that it's completely inadequate for representing even the
most common licensing situations on some of the most widely used of
programs. Indeed, it seems as SPDX's license list stands now, I
basically couldn't represent the license of *any* version of GCC except
versions from the very early 1990s, and even for those, I'd need to add
a license exception or two.

(Note, BTW -- and I bet this issue will be of particular interest to the
Free Software licensing historians among us -- that the proto-GPL
license such as the Emacs Public License, the GCC Public License, and
the Nethack Public License aren't on SPDX's license list at all. To the
extent that anyone wants to use SPDX's license list as a tool to
represent historical versions of software, that's completely impossible,
too. Notwithstanding that the Nethack Public License is actually still
in active use AFAIK.)

[0] Also, note there is, in fact, an RTL exception v3.0, although,
I suspect it's not used by any package. It was only the default
version "in the wild" for about 6 weeks, which is of course longer
than GFDL 1.0's 4 day lifespan as the current version. (Those of you
who, like me, were doing Free Software licensing work back in 2000
will remember that widespread confusion in early March 2000; I'm
still apologizing for my role in that and various confusions about
the GFDL. :)
-- bkuhn

Join { to automatically receive all group messages.