Date   

Re: Some SPDX 1.0 beta examples

Peter Williams <peter.williams@...>
 

On 9/29/10 2:32 PM, dmg wrote:
This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think are worth discussing:

1. Some files do not contain a license, yet they are marked as one:
We assume any that file that does not contain explicit license info and does not match any of the open source in our database is licensed under the declared license of the project. In this case the Zlib license.

2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?
I think this is outside the scope of the spdx proper. Many of the decisions about what licenses govern a file will be made on criteria other than an explicit license declaration, direct or indirect. For example, some part of a file might be matched against a database of open source and that open source file might have a license associated with it.

In the short term this could be handled as comment on the file object. It might be an interesting follow on project to create an extension to allow expressing the decision criteria for why a particular license was chosen.

3. Is it the same to include a license than to refer to a license?
We treat those the same. This is a policy issue to be worked out between the producer and the consumers of the spdx file. I think the spec should avoid specify the copyright/license analysis process. Spdx should just provide a way to express the results of such an analysis.


4. In some files the zlib iicense varies slightly:


This software is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.

and in others

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
This also feels like a policy issue to me. We treat those as the same.

Peter Williams
<http://openlogic.com>


License templates

Peter Williams <peter.williams@...>
 

In <https://fossbazaar.org/pipermail/spdx/2010-September/000116.html> dmg brought up and interesting question regarding how similar two license texts need to be before they can be considered the same license.  This got me thinking about the proposed license templates.

I am increasing uncomfortable with the idea of spdx specify a mechanism intended to support recognition of licenses.  That very idea seems fraught with peril, both technically and legally. 

What constitutes similar enough to treat as a single license is a policy decision.  Risk averse organizations with a high profile might choose a relatively high bar for sameness, while less risk averse organizations will probably prefer a lower bar.  I think setting these policies should be left to the producers and consumers of spdx files.  These parties are the only ones with enough information to do it effectively.

There are a few situations where a light weight template syntax in the license text field itself would be useful.  Such a syntax would allow a way to demarcate really obvious and uncontentious replaceable parts of the license.  Square brackets around a description of the replaceable element would probably sufficient.  For example, the 3 clause bsd license text would look like this
Copyright (c) [YEAR], [OWNER]
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of the [ORGANIZATION] nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This would allow spdx to provide canonical forms of licenses without trying to specify policy issues.

Peter Williams
<http://openlogic.com>


Re: Some SPDX 1.0 beta examples

dmg
 

Thanks Peter for your clarifications.

I think this shows, that the ones creating the files will be _making_
decisions. In this case, several have been made:

1. Files without a license share the license of the project
2. If a file A specifies that its license is in B, then license(A) == license(B)
3. Even thought there is no perfect textual comparison of the license
(aside from whitespace) the licenses have been considered to be
equivalent.

These are very good reasons why standardizing text of licenses by
inclusion seems to me like a bad idea.

---dmg

On Thu, Sep 30, 2010 at 9:06 AM, Peter Williams
<peter.williams@...> wrote:
On 9/29/10 2:32 PM, dmg wrote:

This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think are worth discussing:

1.  Some files do not contain a license, yet they are marked as one:
We assume any that file that does not contain explicit license info and does
not match any of the open source in our database is licensed under the
declared license of the project.  In this case the Zlib license.

2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?
I think this is outside the scope of the spdx proper.  Many of the decisions
about what licenses govern a file will be made on criteria other than an
explicit license declaration, direct or indirect.  For example, some part of
a file might be matched against a database of open source and that open
source file might have a license associated with it.

In the short term this could be handled as comment on the file object. It
might be an interesting follow on project to create an extension to allow
expressing the decision criteria for why a particular license was chosen.

3. Is it the same to include a license than to refer to a license?
We treat those the same.  This is a policy issue to be worked out between
the producer and the consumers of the spdx file.  I think the spec should
avoid specify the copyright/license analysis process.  Spdx should just
provide a way to express the results of such an analysis.


4. In some files the zlib iicense varies slightly:


  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the author be held liable for any damages
  arising from the use of this software.

and in others

  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the authors be held liable for any damages
  arising from the use of this software.
This also feels like a policy issue to me.  We treat those as the same.

Peter Williams
<http://openlogic.com>
_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx



--
--dmg

---
Daniel M. German
http://turingmachine.org


Re: Some SPDX 1.0 beta examples

Peter Williams <peter.williams@...>
 

On 9/30/10 11:57 AM, dmg wrote:
Thanks Peter for your clarifications.

I think this shows, that the ones creating the files will be _making_
decisions.
I completely agree. I think anyone that has actual tried to analyze a package for copyright/license info knows that a lot of judgment calls are required.

In this case, several have been made:

1. Files without a license share the license of the project
2. If a file A specifies that its license is in B, then license(A) == license(B)
I would say that as license(A) = license-specified-by(B). For example, the text of GPL v3, <http://www.gnu.org/licenses/gpl.html>, is licensed under terms quite different from GPL. So if license(A) -> B where B is a file containing just the text of the GPL then license(A) = GPL but license(B) = "Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed."

3. Even thought there is no perfect textual comparison of the license
(aside from whitespace) the licenses have been considered to be
equivalent.
This is the only sane thing to do. Unfortunately, there are situations in which reasonable people could disagree about whether two license texts are really the same license or not.

These are very good reasons why standardizing text of licenses by
inclusion seems to me like a bad idea.
Here i disagree. I think standardizing some license texts is a Good Thing. No one will be force to reference those standard licenses. If you find a license that you believe is materially different from the all the texts in the public repo that license can be included in the spdx file as a non-standard license. Having a set of licenses with standardized names allows much more efficient communication and greater interoperability.

The standard should be updated to allow the license text to be included in all situations. Even for standard licenses. That way an spdx producer could include the variations found, even if the producer considers them materially the same.

Peter


---dmg

On Thu, Sep 30, 2010 at 9:06 AM, Peter Williams
<peter.williams@...> wrote:
On 9/29/10 2:32 PM, dmg wrote:

This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think are worth discussing:

1. Some files do not contain a license, yet they are marked as one:
We assume any that file that does not contain explicit license info and does
not match any of the open source in our database is licensed under the
declared license of the project. In this case the Zlib license.

2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?
I think this is outside the scope of the spdx proper. Many of the decisions
about what licenses govern a file will be made on criteria other than an
explicit license declaration, direct or indirect. For example, some part of
a file might be matched against a database of open source and that open
source file might have a license associated with it.

In the short term this could be handled as comment on the file object. It
might be an interesting follow on project to create an extension to allow
expressing the decision criteria for why a particular license was chosen.

3. Is it the same to include a license than to refer to a license?
We treat those the same. This is a policy issue to be worked out between
the producer and the consumers of the spdx file. I think the spec should
avoid specify the copyright/license analysis process. Spdx should just
provide a way to express the results of such an analysis.


4. In some files the zlib iicense varies slightly:


This software is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.

and in others

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
This also feels like a policy issue to me. We treat those as the same.

Peter Williams
<http://openlogic.com>
_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx



Re: Some SPDX 1.0 beta examples

dmg
 

In my opinion, the problem with allowing "user judgement" in included
license variability can lead to disagreements of what a license really
is, or even worse, misunderstanding of what the license of a file is.

Say hypothetically, you read a license and for you it is zlib, and for
me it is not, and I prefer to refer to it as a zlib-variant, because
for me the differences are strong enough to worry.

I would prefer that there was a single place at the beginning of the
SPDX file where such two variants of the license are located, and then
I can look at it and decide if it is equal or not. Rather than
trusting your judgement.

Perhaps I am just beating a dead horse, and nobody really cares about
such differences (think MIT/X11 and BSD-variants not this zlib
example).

--dmg

On Thu, Sep 30, 2010 at 1:19 PM, Peter Williams
<peter.williams@...> wrote:
3. Even thought there is no perfect textual comparison of the license
(aside from whitespace) the licenses have been considered to be
equivalent.
This is the only sane thing to do.  Unfortunately, there are situations in
which reasonable people could disagree about whether two license texts are
really the same license or not.

These are very good reasons why standardizing text of licenses by
inclusion seems to me like a bad idea.
Here i disagree.  I think standardizing some license texts is a Good Thing.
 No one will be force to reference those standard licenses.  If you find a
license that you believe is materially different from the all the texts in
the public repo that license can be included in the spdx file as a
non-standard license.  Having a set of licenses with standardized names
allows much more efficient communication and greater interoperability.


--
--dmg

---
Daniel M. German
http://turingmachine.org


Re: Some SPDX 1.0 beta examples

dmg
 

Two more things about the zlib example:

1. The license of the ada subdirectory is GPLv2+ not, GPLv2.

2. There is another interesting example, which is labelled BSD-3 in
the SPDX. Same issues regarding this than the variability of the zlib
license apply here.

/*
* match.S -- optimized version of longest_match()
* based on the similar work by Gilles Vollant, and Brian Raiter, written 1998
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the BSD License. Use by owners of Che Guevarra
* parafernalia is prohibited, where possible, and highly discouraged
* elsewhere.
*/

On Wed, Sep 29, 2010 at 1:32 PM, dmg <dmg@...> wrote:
This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think are worth discussing:

1.  Some files do not contain a license, yet they are marked as one:

dmg@i:/tmp/zlib-1.2.5$ more contrib/minizip/zip.c
/* zip.c -- IO on .zip files using zlib
  Version 1.1, February 14h, 2010
  part of the MiniZip project - (
http://www.winimage.com/zLibDll/minizip.html )

        Copyright (C) 1998-2010 Gilles Vollant (minizip) (
http://www.winimage.com/zLibDll/minizip.html )

        Modifications for Zip64 support
        Copyright (C) 2009-2010 Mathias Svensson ( http://result42.com )

        For more info read MiniZip_info.txt

        Changes
  Oct-2009 - Mathias Svensson - Remove old C style function prototypes
  Oct-2009 - Mathias Svensson - Added Zip64 Support when creating new
file archives
  Oct-2009 - Mathias Svensson - Did some code cleanup and refactoring
to get better overview of some functions.
  Oct-2009 - Mathias Svensson - Added zipRemoveExtraInfoBlock to
strip extra field data from its ZIP64 data
                                It is used when recreting zip archive
with RAW when deleting items from a zip.
                                ZIP64 data is automaticly added to
items that needs it, and existing ZIP64 data need to be removed.
  Oct-2009 - Mathias Svensson - Added support for BZIP2 as
compression mode (bzip2 lib is required)
  Jan-2010 - back to unzip and minizip 1.0 name scheme, with
compatibility layer

*/


------------
2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?

---------
3. Is it the same to include a license than to refer to a license?

---
4. In some files the zlib iicense varies slightly:


 This software is provided 'as-is', without any express or implied
 warranty.  In no event will the author be held liable for any damages
 arising from the use of this software.

and in others

 This software is provided 'as-is', without any express or implied
 warranty.  In no event will the authors be held liable for any damages
 arising from the use of this software.

--dmg


On Wed, Sep 29, 2010 at 12:52 PM, Philip Odence
<podence@...> wrote:
I moved it to
Home » Wiki » Software Package Data Exchange (SPDX) » Spec
Development » Sandbox For Sharing Examples, Ideas, Etc.
Not sure if it way my knowledge or permissions or both, but anyway, it's
there.
Good stuff, Peter.



On Sep 29, 2010, at 3:45 PM, Peter Williams wrote:

Hi all,

I have posted some examples, along with some notes about them at
<http://spdx.org/wiki/openlogic-spdx-10-beta-examples>.  The examples
are intended to conform to the 1.0 beta version of the spec except that
we used sha-256 checksums -- rather than sha-1 -- to identify the files.

I was not able to figure out how to add that page to the examples
sandbox.  (Perhaps i do not permission to do that? )   Would someone
with more knowledge of (or permissions with) the wiki do that for me?

Comments and feedback are welcome.

Peter Williams
<http://openlogic.com>
_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx


_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx



--
--dmg

---
Daniel M. German
http://turingmachine.org
--
--dmg

---
Daniel M. German
http://turingmachine.org


Re: Some SPDX 1.0 beta examples

dmg
 

PErhaps the solution is to have a judgement field, that indicates if
the license is matched perfectly, or a decision was made.

I also think it would be very useful to extract the license statement
of file, and save it. As tools get better then can concentrate on the
analysis of such,k particular for the extraction of copyright
information.

On Thu, Sep 30, 2010 at 1:45 PM, dmg <dmg@...> wrote:
Two more things about the zlib example:

1. The license of the ada subdirectory is GPLv2+ not, GPLv2.

2. There is another interesting example, which is labelled BSD-3 in
the SPDX. Same issues regarding this than the variability of the zlib
license apply here.

/*
 * match.S -- optimized version of longest_match()
 * based on the similar work by Gilles Vollant, and Brian Raiter, written 1998
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the BSD License. Use by owners of Che Guevarra
 * parafernalia is prohibited, where possible, and highly discouraged
 * elsewhere.
 */

On Wed, Sep 29, 2010 at 1:32 PM, dmg <dmg@...> wrote:
This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think are worth discussing:

1.  Some files do not contain a license, yet they are marked as one:

dmg@i:/tmp/zlib-1.2.5$ more contrib/minizip/zip.c
/* zip.c -- IO on .zip files using zlib
  Version 1.1, February 14h, 2010
  part of the MiniZip project - (
http://www.winimage.com/zLibDll/minizip.html )

        Copyright (C) 1998-2010 Gilles Vollant (minizip) (
http://www.winimage.com/zLibDll/minizip.html )

        Modifications for Zip64 support
        Copyright (C) 2009-2010 Mathias Svensson ( http://result42.com )

        For more info read MiniZip_info.txt

        Changes
  Oct-2009 - Mathias Svensson - Remove old C style function prototypes
  Oct-2009 - Mathias Svensson - Added Zip64 Support when creating new
file archives
  Oct-2009 - Mathias Svensson - Did some code cleanup and refactoring
to get better overview of some functions.
  Oct-2009 - Mathias Svensson - Added zipRemoveExtraInfoBlock to
strip extra field data from its ZIP64 data
                                It is used when recreting zip archive
with RAW when deleting items from a zip.
                                ZIP64 data is automaticly added to
items that needs it, and existing ZIP64 data need to be removed.
  Oct-2009 - Mathias Svensson - Added support for BZIP2 as
compression mode (bzip2 lib is required)
  Jan-2010 - back to unzip and minizip 1.0 name scheme, with
compatibility layer

*/


------------
2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?

---------
3. Is it the same to include a license than to refer to a license?

---
4. In some files the zlib iicense varies slightly:


 This software is provided 'as-is', without any express or implied
 warranty.  In no event will the author be held liable for any damages
 arising from the use of this software.

and in others

 This software is provided 'as-is', without any express or implied
 warranty.  In no event will the authors be held liable for any damages
 arising from the use of this software.

--dmg


On Wed, Sep 29, 2010 at 12:52 PM, Philip Odence
<podence@...> wrote:
I moved it to
Home » Wiki » Software Package Data Exchange (SPDX) » Spec
Development » Sandbox For Sharing Examples, Ideas, Etc.
Not sure if it way my knowledge or permissions or both, but anyway, it's
there.
Good stuff, Peter.



On Sep 29, 2010, at 3:45 PM, Peter Williams wrote:

Hi all,

I have posted some examples, along with some notes about them at
<http://spdx.org/wiki/openlogic-spdx-10-beta-examples>.  The examples
are intended to conform to the 1.0 beta version of the spec except that
we used sha-256 checksums -- rather than sha-1 -- to identify the files.

I was not able to figure out how to add that page to the examples
sandbox.  (Perhaps i do not permission to do that? )   Would someone
with more knowledge of (or permissions with) the wiki do that for me?

Comments and feedback are welcome.

Peter Williams
<http://openlogic.com>
_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx


_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx



--
--dmg

---
Daniel M. German
http://turingmachine.org


--
--dmg

---
Daniel M. German
http://turingmachine.org
--
--dmg

---
Daniel M. German
http://turingmachine.org


Re: Some SPDX 1.0 beta examples

Peter Williams <peter.williams@...>
 

On 9/30/10 2:54 PM, dmg wrote:
PErhaps the solution is to have a judgement field, that indicates if
the license is matched perfectly, or a decision was made.

I also think it would be very useful to extract the license statement
of file, and save it. As tools get better then can concentrate on the
analysis of such,k particular for the extraction of copyright
information.
A judgment is always made. Even if the file says "licensed under the terms of the BSD License", you have to decide if you believe that or if you believe they copied the file from a GPL licensed project and stripped the original license header.

Peter
<http://openlogic.com>

On Thu, Sep 30, 2010 at 1:45 PM, dmg<dmg@...> wrote:
Two more things about the zlib example:

1. The license of the ada subdirectory is GPLv2+ not, GPLv2.

2. There is another interesting example, which is labelled BSD-3 in
the SPDX. Same issues regarding this than the variability of the zlib
license apply here.

/*
* match.S -- optimized version of longest_match()
* based on the similar work by Gilles Vollant, and Brian Raiter, written 1998
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the BSD License. Use by owners of Che Guevarra
* parafernalia is prohibited, where possible, and highly discouraged
* elsewhere.
*/

On Wed, Sep 29, 2010 at 1:32 PM, dmg<dmg@...> wrote:
This is good. It can start some discussion on the standard.

First, one question:

I scanned the file for zlib and I found some issues with it, but I
think are worth discussing:

1. Some files do not contain a license, yet they are marked as one:

dmg@i:/tmp/zlib-1.2.5$ more contrib/minizip/zip.c
/* zip.c -- IO on .zip files using zlib
Version 1.1, February 14h, 2010
part of the MiniZip project - (
http://www.winimage.com/zLibDll/minizip.html )

Copyright (C) 1998-2010 Gilles Vollant (minizip) (
http://www.winimage.com/zLibDll/minizip.html )

Modifications for Zip64 support
Copyright (C) 2009-2010 Mathias Svensson ( http://result42.com )

For more info read MiniZip_info.txt

Changes
Oct-2009 - Mathias Svensson - Remove old C style function prototypes
Oct-2009 - Mathias Svensson - Added Zip64 Support when creating new
file archives
Oct-2009 - Mathias Svensson - Did some code cleanup and refactoring
to get better overview of some functions.
Oct-2009 - Mathias Svensson - Added zipRemoveExtraInfoBlock to
strip extra field data from its ZIP64 data
It is used when recreting zip archive
with RAW when deleting items from a zip.
ZIP64 data is automaticly added to
items that needs it, and existing ZIP64 data need to be removed.
Oct-2009 - Mathias Svensson - Added support for BZIP2 as
compression mode (bzip2 lib is required)
Jan-2010 - back to unzip and minizip 1.0 name scheme, with
compatibility layer

*/


------------
2. Some files refer to zlib.h as the file with a license. Now, if the
SHA1 of the file does not change, I would presume (as a user) that I
don't need to scan it again, which is good. But what if zlib.h
changes? Would it be useful in the SPDX to
use a "reference" field to denote such a thing?

---------
3. Is it the same to include a license than to refer to a license?

---
4. In some files the zlib iicense varies slightly:


This software is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.

and in others

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.

--dmg


On Wed, Sep 29, 2010 at 12:52 PM, Philip Odence
<podence@...> wrote:
I moved it to
Home » Wiki » Software Package Data Exchange (SPDX) » Spec
Development » Sandbox For Sharing Examples, Ideas, Etc.
Not sure if it way my knowledge or permissions or both, but anyway, it's
there.
Good stuff, Peter.



On Sep 29, 2010, at 3:45 PM, Peter Williams wrote:

Hi all,

I have posted some examples, along with some notes about them at
<http://spdx.org/wiki/openlogic-spdx-10-beta-examples>. The examples
are intended to conform to the 1.0 beta version of the spec except that
we used sha-256 checksums -- rather than sha-1 -- to identify the files.

I was not able to figure out how to add that page to the examples
sandbox. (Perhaps i do not permission to do that? ) Would someone
with more knowledge of (or permissions with) the wiki do that for me?

Comments and feedback are welcome.

Peter Williams
<http://openlogic.com>
_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx


_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx



--
--dmg

---
Daniel M. German
http://turingmachine.org


--
--dmg

---
Daniel M. German
http://turingmachine.org


Re: License templates

Philippe Ombredanne
 

On 2010-09-30 18:52, Peter Williams wrote:
In <https://fossbazaar.org/pipermail/spdx/2010-September/000116.html>
dmg brought up and interesting question regarding how similar two
license texts need to be before they can be considered the same license.
This got me thinking about the proposed license templates.

I am increasing uncomfortable with the idea of spdx specify a mechanism
intended to support recognition of licenses. That very idea seems
fraught with peril, both technically and legally.

What constitutes similar enough to treat as a single license is a policy
decision. Risk averse organizations with a high profile might choose a
relatively high bar for sameness, while less risk averse organizations
will probably prefer a lower bar. I think setting these policies should
be left to the producers and consumers of spdx files. These parties are
the only ones with enough information to do it effectively.

There are a few situations where a light weight template syntax in the
license text field itself would be useful. Such a syntax would allow a
way to demarcate really obvious and uncontentious replaceable parts of
the license. Square brackets around a description of the replaceable
element would probably sufficient.
Peter:
my 2 cents:

the idea is good, though we should not reinvent a license templates syntax when the OSI has alreday done something.
They use angle brackets so I would suggest using the same, not square brackets. See http://www.opensource.org/licenses/bsd-license.php for instance.

Another note is that copyright notices (such as in the BSD example you provide) may or may not be part of the license.
I consider them part of the license when the license text itself is copyrighted explicitly (GPL, Apache).
In the case of a BSD, I would not consider the copyright notice to be explicitly part of the license, and therefore likely not needed in a templatized license.



For example, the 3 clause bsd license
text would look like this

Copyright (c) [YEAR], [OWNER]
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
* Neither the name of the [ORGANIZATION] nor the names of its
contributors may be used to endorse or promote products
derived from this software without specific prior written
permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

This would allow spdx to provide canonical forms of licenses without
trying to specify policy issues.

Peter Williams
<http://openlogic.com>



_______________________________________________
Spdx mailing list
Spdx@...
https://fossbazaar.org/mailman/listinfo/spdx

--
Cordially
Philippe

philippe ombredanne | 1 650 799 0949 | pombredanne at nexb.com
nexB - Open by Design (tm) - http://www.nexb.com


Re: Mailing list archive

Martin Michlmayr
 

* Armijn Hemel <armijn@...> [2010-09-29 20:31]:
But, to actually make it a question: is there an archive available of
the period before August 10?
We used a different mailing list (called package-facts) in the past
and decided not to open up those archives to the public since it was a
closed list. However, if you subscribe to the package-facts list I
will approve you and then you can access the archives.
--
Martin Michlmayr
Open Source Program Office, Hewlett-Packard


Re: License templates

Peter Williams <peter.williams@...>
 

On 10/2/10 4:39 AM, Philippe Ombredanne wrote:
the idea is good, though we should not reinvent a license templates
syntax when the OSI has alreday done something.
They use angle brackets so I would suggest using the same, not square
brackets. See http://www.opensource.org/licenses/bsd-license.php for
instance.
I was unaware that OSI has a pattern for this already. I agree we should follow the pattern they have used.

Another note is that copyright notices (such as in the BSD example you
provide) may or may not be part of the license.
I consider them part of the license when the license text itself is
copyrighted explicitly (GPL, Apache).
In the case of a BSD, I would not consider the copyright notice to be
explicitly part of the license, and therefore likely not needed in a
templatized license.
That is an excellent point. it seems reasonable to treat the copyright declarations that are usually associated with the BSD license as not really part of the license. Could those of you with a legal background comment on this?

Peter Williams
<http://openlogic.com>


SPDX RDF Sub-group Mtg 5 concall / gotomeeting details

Bill Schineller
 

Today's call dial-in details:
(I understand Kate is unavailable)

SPDX RDF Sub-group Mtg 5
(TODAY) Tuesday October 5, 11AM eastern time

Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
Conference code: 7833942033

URL to join meeting:
http://blackducksoftware.na6.acrobat.com/r55067356/


Bill Schineller
Knowledge Base Manager
Black Duck Software Inc.
T: +1.781.810.1829
F: +1.781.891.5145
E: bschineller@...
http://www.blackducksoftware.com


Oct 7 meeting postponed until Oct 14

Philip Odence
 

SPDX Group,

Kate has been traveling in Europe and has not been able to free up the time for our meeting on Thursday, so we are pushing for one week.

Next meeting will be October 14, 8am PDT/11AM EDT/15:00 UTC

I will send out an agenda prior to.

Thanks for your flexibility.


L. Philip Odence
Vice President of Business Development
Black Duck Software, inc.
265 Winter Street, Waltham, MA 02451
Phone: 781.810.1819, Mobile: 781.258.9502


SPDX RDF Sub-group Mtg 6 agenda / concall / gotomeeting details

Bill Schineller
 

Today's requested agenda items:

1) rdfa/xhtml example - Peter (15 min)

2) Formal proposal to leverage other vocabularies - Gary (15 min)

3) SHA1 usage - Gary (15 min)

Today's call dial-in details:

SPDX RDF Sub-group Mtg 6
(TODAY) Tuesday October 12, 11AM eastern time

Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
Conference code: 7833942033

URL to join meeting:
http://blackducksoftware.na6.acrobat.com/r92133955/

Bill Schineller
Knowledge Base Manager
Black Duck Software Inc.
T: +1.781.810.1829
F: +1.781.891.5145
E: bschineller@...
http://www.blackducksoftware.com


Proposal for use of External Vocabularies

Gary O'Neall
 

On behalf of the SPDX RDF Sub-group, I would like to provide the larger SPDX organization a proposal to leverage some of the existing RDF vocabularies.  After analyzing several existing vocabularies, the SPDX RDF Sub-group have agreed on a few SPDX tags/properties that we believe would be improved by referencing these external vocabularies. 


The attached document provides some background, specifics on the proposed changes, and potential issues with their adoption.

 

Please let us know if you have any questions or feedback.

 

Thanks,
Gary O’Neall

 

 


October 14 Meeting Notice

Philip Odence
 

As per my email last week, there will be a meeting tomorrow, Oct 14 at 8am PDT/11AM EDT/15:00 UTC.

I will be on a plane, so Kate will host. She will provide an agenda at the beginning of the meeting. We will not have a webshare for this one. Dial in:
Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

Here are minutes from the last meeting: http://www.spdx.org/wiki/20100923-minutes.

Sorry to miss the call. See you on the next one.

Best regards,
Phil


L. Philip Odence
Vice President of Business Development
Black Duck Software, inc.
265 Winter Street, Waltham, MA 02451
Phone: 781.810.1819, Mobile: 781.258.9502


Agenda - Oct 14, 2010

kate.stewart@...
 

Sorry for the delay on getting this out, have been having a couple of issues with my computer on the road. :(

Details for the call will be:
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
Conference code: 7812589502

For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

Agenda
* Approval of minutes from Sept 23
- http://www.spdx.org/wiki/20100923-minutes
* Outreach and evangelism:
- Industry Venues – PhilR
- Website – MartinM
* Roll Out Update - KimW/JohnE
* Legal Update - Rockett (if available)
* Licensing Subgroup Update - Kate/KimW
* RDF Subgroup Update - BillS
* Linux Foundation Code Repository - Kate


Action Items
* Kate- Transfer document (.pdf) back to WIKI.
* Kim- Clean up the sharing analysis to what is accurate.
* JeffL (w/Bill/Gary- Update zlib based on new specification
* RDF Group- Work out syntax for 5.6/5.7
* Kate- Track and implement changes described in Spec from maillist.
* PeterW- Implement issue tracking system with Linux Foundation infrastructure.
* Phil R- Update Industry Events.
* Kate- Draft example for LF Member Counsel; include XML and corresponding spreadsheet (or spreadsheet-like) format.



spec is back in WIKI format again,,,

kate.stewart@...
 


Just to let you know that the spec is now back in WIKI form, and open again for questions and comments to be posted in it.  It is now broken down into one page per section from the SPEC so, scope of change/editing isn't as daunting ;)

see:  http://www.spdx.org/spec/current

Caveats:
  - A couple of the line breaks are still not ideal, and I'll finish the cleanup as time permits.
  - The license information is being revised into a spreadsheet, so we can generate the per license WIKI pages easily (from Callaway's proposal),  there should be a separate email coming out shortly with the list as it stands, for further review.  Ignore what's in Appendix I for now.

Thanks for your patience,   Kate

Kate


Re: spec is back in WIKI format again,,,

Tom Incorvia
 

Hi Kate, I will be glad to give the license information spreadsheet a good review when it is available (or review an interim document).  Tom

 

Tom Incorvia

tom.incorvia@...

Direct:  (512) 340-1336

Mobile: (408) 499 6850

From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of kate.stewart@...
Sent: Tuesday, October 19, 2010 9:32 AM
To: spdx@...
Subject: spec is back in WIKI format again,,,

 


Just to let you know that the spec is now back in WIKI form, and open again for questions and comments to be posted in it.  It is now broken down into one page per section from the SPEC so, scope of change/editing isn't as daunting ;)

see:  http://www.spdx.org/spec/current

Caveats:
  - A couple of the line breaks are still not ideal, and I'll finish the cleanup as time permits.
  - The license information is being revised into a spreadsheet, so we can generate the per license WIKI pages easily (from Callaway's proposal),  there should be a separate email coming out shortly with the list as it stands, for further review.  Ignore what's in Appendix I for now.

Thanks for your patience,   Kate

Kate

 

Click here to report this email as spam.

This message has been scanned for viruses by MailController.


SPDX RDF Sub-group Mtg 7 concall / gotomeeting details

Bill Schineller
 

Today's call dial-in details:

SPDX RDF Sub-group Mtg 7
(TODAY) Tuesday October 19, 11AM eastern time

Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
Conference code: 7833942033

URL to join meeting:
http://blackducksoftware.na6.acrobat.com/r15375307/

121 - 140 of 1587