Re: Using SPDX for firmware


Kate Stewart
 



On Wed, Aug 12, 2015 at 2:00 PM, Richard Hughes <hughsient@...> wrote:
On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
> typo?
> Is at:  http://spdx.org/licenses/exceptions-index.html
> Its available from the http://spdx.org/licenses/ page

On http://spdx.org/spdx-license-list the link is marked as
http://spdx.org/exceptions-index.html ...

Thanks.   I've forward the info to the folks with web access, and we'll
get it fixed. 
 

> "LicenseRef-"<insert your favorite identifier for it here>

Right, I wasn't sure if LicenseRef-proprietary was correct as
proprietary isn't really a licence to use something, more of a
statement of reservation of rights. I guess we need some more
information there about when it's legal to use the firmware and under
what circumstances. I'm thinking about something like
https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
for the Raspberry Pi firmware.

Agree.   

Possibly something like LicenseRef-Rasbperry-Pi-firmware
would be short and descriptive.

Actual syntax in the spec is 
LicenseRef-[idstring] 
where [idstring] is a unique string containing letters, numbers, “.”, “-” or “+”.

Then define in another section of the metadata to contain the actual details
of the License itself, so it can carry along.


> So in the example - using something like
> "LicenseRef-proprietary" is fine as an identifier,
> (as would be LicenseRef-proprietary-1, or
> LicenseRef-ACME-proprietary-firmware,  etc.)

Right, I'll add that information to the AppStream parser, thanks.

> as long as there's the definition somewhere

Where and how would I define this? In the AppStream metadata format itself?

The AppStream metadata probably is the logical point. 
That way the info can be self referential and consistent.
  

> Agree - if you can line up with using "LicenseRef-" prefix  infront of any
> you need to create,  it will permit more automatic recognition down the
> road.

Right. I'll have to handle LicenseRef prefixes in the software center
explicitly; at the moment we show a clickable link from each
application showing them the licence text.

If its in the meta data,  you should be able to still do this.
This is one of the use cases that motivated us having an
"Other Licensing Information Detected" section in SPDX ;-)

For maximizing interoperability,  suggest the following or something similar be added to Appstream metadata specification.   

I've filled it in using Rasberry Pi Firmware example.

<ExtractedLicensingInfo rdf:about="LicenseRef-Raspbery-Pi-Firmware">
   <licenseId>LicenceRef-Raspberi-Pi-Firmware</licenseId>
   <licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
   <rdfs:comment> This permits redistribution without modification only </rdfs:comment>
   <extractedText>
Copyright (c) 2006, Broadcom Corporation.
All rights reserved.

Redistribution. Redistribution and use in binary form, without
modification, are permitted provided that the following conditions are
met:
 * This software may only be used for the purposes of developing for, running or using a Raspberry Pi device.
 * Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
 * Neither the name of Broadcom Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.

DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   </extractedText>
</ExtractedLicensingInfo>


>> The alternative could to have also a catch-all "non-free" or "proprietary"
>> license ID in SPDX indeed.
> Probably this is a discussion for the legal list, as to whether they want
> to permit this?   Concern point is that it won't give enough information
> when there are multiple non-free licenses present.

Right, this makes my life easier, but doesn't sit 100% with the idea
of an SPDX licence in itself. I suppose in the RPi example above it
would have to be something ugly like
LicenseRef-ForRaspberryPiUseOnlyRedistributionWithoutModificationOnly
or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
even "LicenseRef-https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom"
although I know I'm pushing things here. Better ideas welcome.

Have filled in an example of how the above would be coded up and carried with the metadata in SPDX.   Of the example,  for SPDX the only fields are mandatory are: 
licenseId, licenseName, & extractedText.   Those would be the ones to make sure are carried in your metadata.    rdfs:seeAlso and rdfs:comment - are optional in SPDX, but are nice to have. 

Hope this helps,
Kate

Join spdx@lists.spdx.org to automatically receive all group messages.