Question on two MIT-derivatives


Christian Ehrhardt
 

Hi SPDX,
I was refreshing the license info on a Debian package and found two
licenses that seemed to be MIT-variants that I wasn't sure about. The
reason I looked at it was mostly technical as the current way to
identify them was triggering a lintian warning, but as I said I
wondered what would be correct.

I was not finding the two derivatives in your license list at [1] nor
as an exception in [2].
There are already a bunch of MIT-* identifiers, but none matched the
two that I had.
So I had no "official identifiers" to use and just came up with two for now.

I changed the identifiers like
- MIT(*) -> MIT-ibm
- MIT(**) -> MIT-no-ad
and that satisfies Lintian at least.
The full text of those can be found at [3][4].

I'm full of questions:
- having a look at them, would you think they should be added to your
list and get assigned official identifiers?
- Are these even licenses on their own that deserve an ID?
- Would it need the project or License owner to do such a request?
- I'm neither of that and just looked at it by accident - If needed
I'd be ok to file an issue as outlined in [5] and discuss, but I'm not
sure I could do much more on it.

[1]:https://spdx.org/licenses/
[2]: https://spdx.org/licenses/exceptions-index.html
[3]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/misc/base64.c#L4
[4]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/services/plugins/resolutionSet/libvmwarectrl.h#L4
[5]: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd


Philippe Ombredanne
 

Hi Christian:

On Thu, Jul 8, 2021 at 11:27 PM Christian Ehrhardt
<christian.ehrhardt@canonical.com> wrote:

Hi SPDX,
I was refreshing the license info on a Debian package and found two
licenses that seemed to be MIT-variants that I wasn't sure about. The
reason I looked at it was mostly technical as the current way to
identify them was triggering a lintian warning, but as I said I
wondered what would be correct.

I was not finding the two derivatives in your license list at [1] nor
as an exception in [2].
There are already a bunch of MIT-* identifiers, but none matched the
two that I had.
So I had no "official identifiers" to use and just came up with two for now.

I changed the identifiers like
- MIT(*) -> MIT-ibm
- MIT(**) -> MIT-no-ad
and that satisfies Lintian at least.
The full text of those can be found at [3][4].

I'm full of questions:
- having a look at them, would you think they should be added to your
list and get assigned official identifiers?
- Are these even licenses on their own that deserve an ID?
- Would it need the project or License owner to do such a request?
- I'm neither of that and just looked at it by accident - If needed
I'd be ok to file an issue as outlined in [5] and discuss, but I'm not
sure I could do much more on it.

[1]:https://spdx.org/licenses/
[2]: https://spdx.org/licenses/exceptions-index.html
[3]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/misc/base64.c#L4
[4]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/services/plugins/resolutionSet/libvmwarectrl.h#L4
[5]: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md

I ran scancode-toolkit and the license in base64.c [1] is identified
as an ISC alright. The only (IMHO not material) change is the sentence
"modify, and distribute" with a plain "and" instead of "modify, and/or
distribute" with "and/or". The relevant ISC variant that was detected
is at [2]. The author "INTERNET SOFTWARE CONSORTIUM" is different but
this is within matching guidelines and

Note that the second license in this file is not tracked by SPDX for
now and is detected as "ibm-dhcp" or SPDX LicenseRef-scancode-ibm-dhcp
[3]

In the file libvmwarectrl.h [4] scancode detects another license which
is not yet tracked by SPDX and that we call "xfree86-1.0" or SPDX
LicenseRef-scancode-xfree86-1.0 [5] which is the name used where we
found it [6]

/hth

[1]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/misc/base64.c#L4
[2]: https://github.com/nexB/scancode-toolkit/blob/3f7da81d6b207ac2b1d384defb83a5f2c82216f4/src/licensedcode/data/rules/isc_9.RULE
[3]: https://scancode-licensedb.aboutcode.org/ibm-dhcp
[4]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/services/plugins/resolutionSet/libvmwarectrl.h#L4
[5]: https://scancode-licensedb.aboutcode.org/xfree86-1.0
[6]: http://www.xfree86.org/current/LICENSE5.html#18
[7]: https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/debian_copyright.py
--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@nexB.com
DejaCode - What's in your code?! - http://www.dejacode.com
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com


Alexios Zavras
 

Hi Christian,

Thanks for reaching to the SPDX project!

As this has purely to do with licenses, it may be better addressed to the legal working group at spdx-legal@lists.spdx.org.

Alternatively, feel free to raise your questions as issues on the license list GitHub repo, if you prefer: https://github.com/spdx/license-list-XML

-- zvr

-----Original Message-----
From: spdx@lists.spdx.org <spdx@lists.spdx.org> On Behalf Of Christian Ehrhardt
Sent: Wednesday, 7 July, 2021 09:48
To: spdx@lists.spdx.org
Subject: [spdx] Question on two MIT-derivatives

Hi SPDX,
I was refreshing the license info on a Debian package and found two licenses that seemed to be MIT-variants that I wasn't sure about. The reason I looked at it was mostly technical as the current way to identify them was triggering a lintian warning, but as I said I wondered what would be correct.

I was not finding the two derivatives in your license list at [1] nor as an exception in [2].
There are already a bunch of MIT-* identifiers, but none matched the two that I had.
So I had no "official identifiers" to use and just came up with two for now.

I changed the identifiers like
- MIT(*) -> MIT-ibm
- MIT(**) -> MIT-no-ad
and that satisfies Lintian at least.
The full text of those can be found at [3][4].

I'm full of questions:
- having a look at them, would you think they should be added to your list and get assigned official identifiers?
- Are these even licenses on their own that deserve an ID?
- Would it need the project or License owner to do such a request?
- I'm neither of that and just looked at it by accident - If needed I'd be ok to file an issue as outlined in [5] and discuss, but I'm not sure I could do much more on it.

[1]:https://spdx.org/licenses/
[2]: https://spdx.org/licenses/exceptions-index.html
[3]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/misc/base64.c#L4
[4]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/services/plugins/resolutionSet/libvmwarectrl.h#L4
[5]: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd





Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de>
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Christian Ehrhardt
 

On Fri, Jul 9, 2021 at 11:07 AM Philippe Ombredanne
<pombredanne@nexb.com> wrote:

Hi Christian:

On Thu, Jul 8, 2021 at 11:27 PM Christian Ehrhardt
<christian.ehrhardt@canonical.com> wrote:

Hi SPDX,
I was refreshing the license info on a Debian package and found two
licenses that seemed to be MIT-variants that I wasn't sure about. The
reason I looked at it was mostly technical as the current way to
identify them was triggering a lintian warning, but as I said I
wondered what would be correct.

I was not finding the two derivatives in your license list at [1] nor
as an exception in [2].
There are already a bunch of MIT-* identifiers, but none matched the
two that I had.
So I had no "official identifiers" to use and just came up with two for now.

I changed the identifiers like
- MIT(*) -> MIT-ibm
- MIT(**) -> MIT-no-ad
and that satisfies Lintian at least.
The full text of those can be found at [3][4].

I'm full of questions:
- having a look at them, would you think they should be added to your
list and get assigned official identifiers?
- Are these even licenses on their own that deserve an ID?
- Would it need the project or License owner to do such a request?
- I'm neither of that and just looked at it by accident - If needed
I'd be ok to file an issue as outlined in [5] and discuss, but I'm not
sure I could do much more on it.

[1]:https://spdx.org/licenses/
[2]: https://spdx.org/licenses/exceptions-index.html
[3]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/misc/base64.c#L4
[4]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/services/plugins/resolutionSet/libvmwarectrl.h#L4
[5]: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md

I ran scancode-toolkit and the license in base64.c [1] is identified
as an ISC alright. The only (IMHO not material) change is the sentence
"modify, and distribute" with a plain "and" instead of "modify, and/or
distribute" with "and/or". The relevant ISC variant that was detected
is at [2]. The author "INTERNET SOFTWARE CONSORTIUM" is different but
this is within matching guidelines and

Note that the second license in this file is not tracked by SPDX for
now and is detected as "ibm-dhcp" or SPDX LicenseRef-scancode-ibm-dhcp
[3]

In the file libvmwarectrl.h [4] scancode detects another license which
is not yet tracked by SPDX and that we call "xfree86-1.0" or SPDX
LicenseRef-scancode-xfree86-1.0 [5] which is the name used where we
found it [6]

/hth
You really did help, thanks for the pointers and license disambiguation!
I think with that in place there is no further need to fix (in
project) or track (SPDX) them in more detail.

Thanks!

[1]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/misc/base64.c#L4
[2]: https://github.com/nexB/scancode-toolkit/blob/3f7da81d6b207ac2b1d384defb83a5f2c82216f4/src/licensedcode/data/rules/isc_9.RULE
[3]: https://scancode-licensedb.aboutcode.org/ibm-dhcp
[4]: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/services/plugins/resolutionSet/libvmwarectrl.h#L4
[5]: https://scancode-licensedb.aboutcode.org/xfree86-1.0
[6]: http://www.xfree86.org/current/LICENSE5.html#18
[7]: https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/debian_copyright.py
--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@nexB.com
DejaCode - What's in your code?! - http://www.dejacode.com
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com





--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd