Using SPDX for firmware
I've been using SPDX for years in the AppStream specification to
describe applications that can be installed in software centers. I'm
using the AND, OR extensions, and am soon to include the WITH
exception support too. AppStream can be used to describe free
software, but is increasing being used for other things too, for
instance, in the LVFS firmware update service. In this we describe
firmware licensing using SDPX tags, but I'm not sure what to do about
non-free firmware. OpenHardware firmware is fine, and we can use all
the existing IDs to represent that correctly.
At the moment I've asked vendors to use:
<project_license>proprietary</project_license> to indicate it's
nonfree, but this obviously isn't a SPDX ID and probably will make the
specification people quite upset. What should I be using? Dropping the
<project_license> tags for non-free firmware is fine, but it's then
confusing the "explicitly nonfree" firmware with the "unspecified"
firmware and makes validation hard. It also means there's no clickable
link explaining what proprietary means, unlike all the other SPDX IDs.
Is there already an ID I can use for this?
 Although, http://spdx.org/exceptions-index.html is a 404...
On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <email@example.com> wrote:
Hi all,Very nice! About the dead link, I am not sure exceptions have been published
yet, though it could be a bug too.
AppStream can be used to describe freeIMHO using your own ID extensions is quite fine, there is nothing
upsetting about it, especially since it provides valuable indication to
downstream users about the licensing terms, even if this is not precisely
pointing to a unique license text.
The alternative could to have also a catch-all "non-free" or "proprietary"
license ID in SPDX indeed.
On Wed, Aug 12, 2015 at 9:23 AM, Philippe Ombredanne <pombredanne@...> wrote:Hope this helps,
On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <hughsient@...> wrote:
Its available from the http://spdx.org/licenses/ page
Syntax in the specification right now  for things not included in the
SPDX license list is to refer to them as:
"LicenseRef-"<insert your favorite identifier for it here>
Possibly look at adding to the AppStream format, something
like section 5 from the SPDX format  to permit the
arbitrary use of licenses not in the SPDX license list.
(and translation to other formats ;-) )?
So in the example - using something like
"LicenseRef-proprietary" is fine as an identifier,
(as would be LicenseRef-proprietary-1, or
as long as there's the definition somewhere of what
LicenseRef-proprietary maps to. In the spdx spec
5 Other Licensing Information Detected .....48
5.1 License Identifier................................... 48
5.2 Extracted Text....................................... 48
5.3 License Name....................................... 49
5.4 License Cross Reference ..................... 50
5.5 License Comment.................................50
In the RDF - the class for this is ExtractedLicensingInfo
Agree - if you can line up with using "LicenseRef-" prefix infront of any
you need to create, it will permit more automatic recognition down the
Probably this is a discussion for the legal list, as to whether they want
to permit this? Concern point is that it won't give enough information
when there are multiple non-free licenses present.
 http://spdx.org/sites/spdx/files/SPDX-2.0.pdf section 5
On 12 August 2015 at 17:40, Kate Stewart <firstname.lastname@example.org> wrote:
typo?On http://spdx.org/spdx-license-list the link is marked as
"LicenseRef-"<insert your favorite identifier for it here>Right, I wasn't sure if LicenseRef-proprietary was correct as
proprietary isn't really a licence to use something, more of a
statement of reservation of rights. I guess we need some more
information there about when it's legal to use the firmware and under
what circumstances. I'm thinking about something like
for the Raspberry Pi firmware.
So in the example - using something likeRight, I'll add that information to the AppStream parser, thanks.
as long as there's the definition somewhereWhere and how would I define this? In the AppStream metadata format itself?
Agree - if you can line up with using "LicenseRef-" prefix infront of anyRight. I'll have to handle LicenseRef prefixes in the software center
explicitly; at the moment we show a clickable link from each
application showing them the licence text.
Right, this makes my life easier, but doesn't sit 100% with the ideaThe alternative could to have also a catch-all "non-free" or "proprietary"Probably this is a discussion for the legal list, as to whether they want
of an SPDX licence in itself. I suppose in the RPi example above it
would have to be something ugly like
or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
although I know I'm pushing things here. Better ideas welcome.
On Wed, Aug 12, 2015 at 2:00 PM, Richard Hughes <hughsient@...> wrote:
On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
Thanks. I've forward the info to the folks with web access, and we'll
get it fixed.
Possibly something like LicenseRef-Rasbperry-Pi-firmware
would be short and descriptive.
Actual syntax in the spec is
where [idstring] is a unique string containing letters, numbers, “.”, “-” or “+”.
Then define in another section of the metadata to contain the actual details
of the License itself, so it can carry along.
The AppStream metadata probably is the logical point.
That way the info can be self referential and consistent.
If its in the meta data, you should be able to still do this.
This is one of the use cases that motivated us having an
"Other Licensing Information Detected" section in SPDX ;-)
For maximizing interoperability, suggest the following or something similar be added to Appstream metadata specification.
I've filled it in using Rasberry Pi Firmware example.
<licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
<rdfs:comment> This permits redistribution without modification only </rdfs:comment>
Have filled in an example of how the above would be coded up and carried with the metadata in SPDX. Of the example, for SPDX the only fields are mandatory are:
licenseId, licenseName, & extractedText. Those would be the ones to make sure are carried in your metadata. rdfs:seeAlso and rdfs:comment - are optional in SPDX, but are nice to have.
Hope this helps,