Re: Using SPDX for firmware


Kate Stewart
 

Hi Richard,

On Wed, Aug 12, 2015 at 9:23 AM, Philippe Ombredanne <pombredanne@...> wrote:
On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <hughsient@...> wrote:
> Hi all,
>
> I've been using SPDX for years in the AppStream specification to
> describe applications that can be installed in software centers. I'm
> using the AND, OR extensions, and am soon to include the WITH
> exception support too[2].
 
Very cool. 
 

Very nice! About the dead link, I am not sure exceptions have been published
yet, though it could be a bug too.

typo?
It's available from the http://spdx.org/licenses/ page
 

> AppStream can be used to describe free
> software, but is increasingly being used for other things too, for
> instance, in the LVFS[2] firmware update service. In this we describe
> firmware licensing using SPDX tags, but I'm not sure what to do about
> non-free firmware. OpenHardware firmware is fine, and we can use all
> the existing IDs to represent that correctly.
>
> At the moment I've asked vendors to use:
> <project_license>proprietary</project_license> to indicate it's
> nonfree, but this obviously isn't a SPDX ID and probably will make the
> specification people quite upset. What should I be using?

Syntax in the specification right now [1] for things not included in the 
SPDX license list is to refer to them as:

"LicenseRef-"<insert your favorite identifier for it here>

Possibly look at adding to the AppStream format, something
like section 5 from the SPDX format [1] to permit the 
arbitrary use of licenses not in the SPDX license list. 
(and translation to other formats ;-) )?  

So in the example - using something like
"LicenseRef-proprietary" is fine as an identifier,
(as would be LicenseRef-proprietary-1, or 
License-Ref-ACME-proprietary-firmware,  etc.)

as long as there's the definition somewhere of what
LicenseRef-proprietary maps to.  In the spdx spec 
see: 

5 Other Licensing Information Detected ... 48
5.1 License Identifier ... 48
5.2 Extracted Text ... 48
5.3 License Name ... 49
5.4 License Cross Reference ... 50
5.5 License Comment ... 50

In the RDF - the class for this is ExtractedLicensingInfo

 
> Dropping the
> <project_license> tags for non-free firmware is fine, but it's then
> confusing the "explicitly nonfree" firmware with the "unspecified"
> firmware and makes validation hard. It also means there's no clickable
> link explaining what proprietary means, unlike all the other SPDX IDs.
> Is there already an ID I can use for this?

IMHO using your own ID extensions is quite fine, there is nothing
upsetting about it, especially since it provides valuable indication to
downstream users about the licensing terms, even if this is not precisely
pointing to a unique license text.

Agree - if you can line up with using "LicenseRef-" prefix in front of any
you need to create,  it will permit more automatic recognition down the
road. 


The alternative could be to also have a catch-all "non-free" or "proprietary"
license ID in SPDX indeed.

Probably this is a discussion for the legal list, as to whether they want
to permit this?   Concern point is that it won't give enough information
when there are multiple non-free licenses present.
 
Hope this helps, 
Kate
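
Added example, not part of the original message or of AppStream/LVFS code: a sketch of the validation discussed in this thread, which tells an SPDX ID, a defined "LicenseRef-" identifier, a bare value such as "proprietary", and a missing <project_license> tag apart. The `check_license` function, the short ID lists, the `DEFS` mapping and the sample XML are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed subsets; a real check would load the full SPDX license and exception lists.
SPDX_IDS = {"GPL-2.0", "GPL-2.0+", "LGPL-2.1", "MIT", "Apache-2.0"}
SPDX_EXCEPTIONS = {"Classpath-exception-2.0"}
OPERATORS = {"AND", "OR", "WITH"}
# Assumed idstring charset: letters, digits, "." and "-".
LICENSE_REF = re.compile(r"LicenseRef-[A-Za-z0-9.-]+")

def check_license(metainfo_xml, definitions):
    """Return (status, problems) for the <project_license> of one component.

    definitions maps each LicenseRef- identifier to its text or URL, the role
    section 5 (ExtractedLicensingInfo) plays in an SPDX document.
    Operator placement is not checked, only the individual tokens.
    """
    node = ET.fromstring(metainfo_xml).find("project_license")
    if node is None or not (node.text or "").strip():
        return "unspecified", []          # distinct from explicitly non-free
    problems, custom = [], False
    # Split on whitespace and parentheses so "(A OR B)" yields A, OR, B.
    for token in re.split(r"[\s()]+", node.text.strip()):
        if not token or token in OPERATORS or token in SPDX_IDS | SPDX_EXCEPTIONS:
            continue
        if LICENSE_REF.fullmatch(token):
            custom = True
            if token not in definitions:
                problems.append(f"{token}: no definition supplied")
        else:
            problems.append(f"{token}: not an SPDX ID or LicenseRef- identifier")
    if problems:
        return "invalid", problems
    return ("custom" if custom else "spdx"), []

# Constructed sample inputs.
DEFS = {"LicenseRef-proprietary": "https://example.com/firmware-eula"}
WRAP = "<component><project_license>{}</project_license></component>"
SAMPLES = {
    "bare": WRAP.format("proprietary"),
    "ref": WRAP.format("LicenseRef-proprietary"),
    "mixed": WRAP.format("GPL-2.0+ AND LicenseRef-ACME-fw"),
    "none": "<component><id>com.example.fw</id></component>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, check_license(doc, DEFS))
```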

