Topics

Using SPDX for firmware


Richard Hughes
 

Hi all,

I've been using SPDX for years in the AppStream specification to
describe applications that can be installed in software centers. I'm
using the AND, OR extensions, and am soon to include the WITH
exception support too[2]. AppStream can be used to describe free
software, but is increasing being used for other things too, for
instance, in the LVFS[2] firmware update service. In this we describe
firmware licensing using SDPX tags, but I'm not sure what to do about
non-free firmware. OpenHardware firmware is fine, and we can use all
the existing IDs to represent that correctly.

At the moment I've asked vendors to use:
<project_license>proprietary</project_license> to indicate it's
nonfree, but this obviously isn't a SPDX ID and probably will make the
specification people quite upset. What should I be using? Dropping the
<project_license> tags for non-free firmware is fine, but it's then
confusing the "explicitly nonfree" firmware with the "unspecified"
firmware and makes validation hard. It also means there's no clickable
link explaining what proprietary means, unlike all the other SPDX IDs.
Is there already an ID I can use for this?

Comments welcome,

Richard.

[1] Although, http://spdx.org/exceptions-index.html is a 404...
[2] https://beta-lvfs.rhcloud.com/


Philippe Ombredanne
 

On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <hughsient@...> wrote:
Hi all,

I've been using SPDX for years in the AppStream specification to
describe applications that can be installed in software centers. I'm
using the AND, OR extensions, and am soon to include the WITH
exception support too[2].
Very nice! About the dead link, I am not sure exceptions have been published
yet, though it could be a bug too.

AppStream can be used to describe free
software, but is increasing being used for other things too, for
instance, in the LVFS[2] firmware update service. In this we describe
firmware licensing using SDPX tags, but I'm not sure what to do about
non-free firmware. OpenHardware firmware is fine, and we can use all
the existing IDs to represent that correctly.

At the moment I've asked vendors to use:
<project_license>proprietary</project_license> to indicate it's
nonfree, but this obviously isn't a SPDX ID and probably will make the
specification people quite upset. What should I be using? Dropping the
<project_license> tags for non-free firmware is fine, but it's then
confusing the "explicitly nonfree" firmware with the "unspecified"
firmware and makes validation hard. It also means there's no clickable
link explaining what proprietary means, unlike all the other SPDX IDs.
Is there already an ID I can use for this?
IMHO using your own ID extensions is quite fine, there is nothing
upsetting about it, especially since it provides valuable indication to
downstream users about the licensing terms, even if this is not precisely
pointing to a unique license text.

The alternative could to have also a catch-all "non-free" or "proprietary"
license ID in SPDX indeed.

--
Cordially
Philippe Ombredanne


Kate Stewart
 

Hi Richard,

On Wed, Aug 12, 2015 at 9:23 AM, Philippe Ombredanne <pombredanne@...> wrote:
On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <hughsient@...> wrote:
> Hi all,
>
> I've been using SPDX for years in the AppStream specification to
> describe applications that can be installed in software centers. I'm
> using the AND, OR extensions, and am soon to include the WITH
> exception support too[2].
 
Very cool. 
 

Very nice! About the dead link, I am not sure exceptions have been published
yet, though it could be a bug too.

typo?
Its available from the http://spdx.org/licenses/ page
 

> AppStream can be used to describe free
> software, but is increasing being used for other things too, for
> instance, in the LVFS[2] firmware update service. In this we describe
> firmware licensing using SDPX tags, but I'm not sure what to do about
> non-free firmware. OpenHardware firmware is fine, and we can use all
> the existing IDs to represent that correctly.
>
> At the moment I've asked vendors to use:
> <project_license>proprietary</project_license> to indicate it's
> nonfree, but this obviously isn't a SPDX ID and probably will make the
> specification people quite upset. What should I be using?

Syntax in the specification right now [1] for things not included in the 
SPDX license list is to refer to them as:

"LicenseRef-"<insert your favorite identifier for it here>

Possibly look at adding to the AppStream format, something
like section 5 from the SPDX format [1] to permit the 
arbitrary use of licenses not in the SPDX license list. 
(and translation to other formats ;-) )?  

So in the example - using something like
"LicenseRef-proprietary" is fine as an identifier,
(as would be LicenseRef-proprietary-1, or 
License-Ref-ACME-proprietary-firmware,  etc.)

as long as there's the definition somewhere of what
LicenseRef-proprietary maps to.  In the spdx spec 
see: 

5 Other Licensing Information Detected .....48 
5.1 License Identifier................................... 48 
5.2 Extracted Text....................................... 48 
5.3 License Name....................................... 49 
5.4 License Cross Reference ..................... 50 
5.5 License Comment.................................50

In the RDF - the class for this is ExtractedLicensingInfo

 
Dropping the
> <project_license> tags for non-free firmware is fine, but it's then
> confusing the "explicitly nonfree" firmware with the "unspecified"
> firmware and makes validation hard. It also means there's no clickable
> link explaining what proprietary means, unlike all the other SPDX IDs.
> Is there already an ID I can use for this?

IMHO using your own ID extensions is quite fine, there is nothing
upsetting about it, especially since it provides valuable indication to
downstream users about the licensing terms, even if this is not precisely
pointing to a unique license text.

Agree - if you can line up with using "LicenseRef-" prefix  infront of any
you need to create,  it will permit more automatic recognition down the
road. 


The alternative could to have also a catch-all "non-free" or "proprietary"
license ID in SPDX indeed.

Probably this is a discussion for the legal list, as to whether they want
to permit this?   Concern point is that it won't give enough information
when there are multiple non-free licenses present.
 
Hope this helps, 
Kate



Richard Hughes
 

On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
typo?
Is at: http://spdx.org/licenses/exceptions-index.html
Its available from the http://spdx.org/licenses/ page
On http://spdx.org/spdx-license-list the link is marked as
http://spdx.org/exceptions-index.html ...

"LicenseRef-"<insert your favorite identifier for it here>
Right, I wasn't sure if LicenseRef-proprietary was correct as
proprietary isn't really a licence to use something, more of a
statement of reservation of rights. I guess we need some more
information there about when it's legal to use the firmware and under
what circumstances. I'm thinking about something like
https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
for the Raspberry Pi firmware.

So in the example - using something like
"LicenseRef-proprietary" is fine as an identifier,
(as would be LicenseRef-proprietary-1, or
License-Ref-ACME-proprietary-firmware, etc.)
Right, I'll add that information to the AppStream parser, thanks.

as long as there's the definition somewhere
Where and how would I define this? In the AppStream metadata format itself?

Agree - if you can line up with using "LicenseRef-" prefix infront of any
you need to create, it will permit more automatic recognition down the
road.
Right. I'll have to handle LicenseRef prefixes in the software center
explicitly; at the moment we show a clickable link from each
application showing them the licence text.

The alternative could to have also a catch-all "non-free" or "proprietary"
license ID in SPDX indeed.
Probably this is a discussion for the legal list, as to whether they want
to permit this? Concern point is that it won't give enough information
when there are multiple non-free licenses present.
Right, this makes my life easier, but doesn't sit 100% with the idea
of an SPDX licence in itself. I suppose in the RPi example above it
would have to be something ugly like
LicenseRef-ForRaspberryPiUseOnlyRedistributionWithoutModificationOnly
or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
even "LicenseRef-https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom"
although I know I'm pushing things here. Better ideas welcome.

Richard.


Kate Stewart
 



On Wed, Aug 12, 2015 at 2:00 PM, Richard Hughes <hughsient@...> wrote:
On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
> typo?
> Is at:  http://spdx.org/licenses/exceptions-index.html
> Its available from the http://spdx.org/licenses/ page

On http://spdx.org/spdx-license-list the link is marked as
http://spdx.org/exceptions-index.html ...

Thanks.   I've forward the info to the folks with web access, and we'll
get it fixed. 
 

> "LicenseRef-"<insert your favorite identifier for it here>

Right, I wasn't sure if LicenseRef-proprietary was correct as
proprietary isn't really a licence to use something, more of a
statement of reservation of rights. I guess we need some more
information there about when it's legal to use the firmware and under
what circumstances. I'm thinking about something like
https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
for the Raspberry Pi firmware.

Agree.   

Possibly something like LicenseRef-Rasbperry-Pi-firmware
would be short and descriptive.

Actual syntax in the spec is 
LicenseRef-[idstring] 
where [idstring] is a unique string containing letters, numbers, “.”, “-” or “+”.

Then define in another section of the metadata to contain the actual details
of the License itself, so it can carry along.


> So in the example - using something like
> "LicenseRef-proprietary" is fine as an identifier,
> (as would be LicenseRef-proprietary-1, or
> LicenseRef-ACME-proprietary-firmware,  etc.)

Right, I'll add that information to the AppStream parser, thanks.

> as long as there's the definition somewhere

Where and how would I define this? In the AppStream metadata format itself?

The AppStream metadata probably is the logical point. 
That way the info can be self referential and consistent.
  

> Agree - if you can line up with using "LicenseRef-" prefix  infront of any
> you need to create,  it will permit more automatic recognition down the
> road.

Right. I'll have to handle LicenseRef prefixes in the software center
explicitly; at the moment we show a clickable link from each
application showing them the licence text.

If its in the meta data,  you should be able to still do this.
This is one of the use cases that motivated us having an
"Other Licensing Information Detected" section in SPDX ;-)

For maximizing interoperability,  suggest the following or something similar be added to Appstream metadata specification.   

I've filled it in using Rasberry Pi Firmware example.

<ExtractedLicensingInfo rdf:about="LicenseRef-Raspbery-Pi-Firmware">
   <licenseId>LicenceRef-Raspberi-Pi-Firmware</licenseId>
   <licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
   <rdfs:comment> This permits redistribution without modification only </rdfs:comment>
   <extractedText>
Copyright (c) 2006, Broadcom Corporation.
All rights reserved.

Redistribution. Redistribution and use in binary form, without
modification, are permitted provided that the following conditions are
met:
 * This software may only be used for the purposes of developing for, running or using a Raspberry Pi device.
 * Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
 * Neither the name of Broadcom Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.

DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   </extractedText>
</ExtractedLicensingInfo>


>> The alternative could to have also a catch-all "non-free" or "proprietary"
>> license ID in SPDX indeed.
> Probably this is a discussion for the legal list, as to whether they want
> to permit this?   Concern point is that it won't give enough information
> when there are multiple non-free licenses present.

Right, this makes my life easier, but doesn't sit 100% with the idea
of an SPDX licence in itself. I suppose in the RPi example above it
would have to be something ugly like
LicenseRef-ForRaspberryPiUseOnlyRedistributionWithoutModificationOnly
or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
even "LicenseRef-https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom"
although I know I'm pushing things here. Better ideas welcome.

Have filled in an example of how the above would be coded up and carried with the metadata in SPDX.   Of the example,  for SPDX the only fields are mandatory are: 
licenseId, licenseName, & extractedText.   Those would be the ones to make sure are carried in your metadata.    rdfs:seeAlso and rdfs:comment - are optional in SPDX, but are nice to have. 

Hope this helps,
Kate