[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Use SPDX license identifiers to indicate licenses?
Mario Domenech Goulart
Re: Use SPDX license identifiers to indicate licenses?
Mon, 26 Oct 2020 13:46:19 +0100
On Mon, 26 Oct 2020 14:23:00 +0200 Lassi Kortela <email@example.com> wrote:
> SPDX license identifiers are becoming something of a de facto
> standard, being used e.g. in Linux kernel source code. Here is the
> full list of them: <https://spdx.org/licenses/>.
> Would it be possible to update the ad hoc license identifiers at
> <https://wiki.call-cc.org/chicken-projects/egg-index-5.html> and in
> .egg files to use the SPDX ones? This would make it easier to tell the
> difference between e.g. the various flavors of the BSD license, and
> could help automated tools figure out licensing in the future.
> In addition to single license identifiers, SPDX can also do license
> expressions by combining license identifiers using boolean operators.
I think that would be great.
We had a short discussion on that back in 2016, but we haven't reached
any consensus. IRC logs below for context. Maybe this discussion
should be held in chicken-hackers instead (chicken-janitors is more like
a read-only list for keeping track of new tickets).
<sjamaan> There's also pstk
<wasamasa> haven't noticed that one
<wasamasa> ah, it's in the "Unsupported or redundant" section :<
<wasamasa> at least it doesn't have a german license :D
<mario-goulart> Oh, I remember one that had a german license in a pdf file.
<wasamasa> it looks like halfway GPL
<sjamaan> Is this the Bremer licence?
<sjamaan> There was a discussion about that on the mailing list once
<wasamasa> I'm not sure why exactly you'd put *that* on your work, especially
it's essentially an
amalgamation of previous portable tk-scheme interfaces
<wasamasa> I think I know now why felix just wrote tcl code opening a socket
for communication :D
<sjamaan> Apparently Bremer license is similar to BSD
<wasamasa> how can this be if it mentions copyleft in its text?
<sjamaan> Maybe it changed
<mario-goulart> It'd be nice if we could use SPDX ids for eggs in .meta.
<sjamaan> We could make it an absolute requirement to use a SPDX identifier in
<sjamaan> For example, henrietta-cache and/or chicken-install could simply
refuse if no identifier
<wasamasa> "Hierzu geh<81><F6>rt vor allem, dass der Lizenznehmer bearbeitete
Versionen der OSCI-Bibliothek
wiederum diesen Lizenzbestimmungen unterstellen muss ("Copyleft")."
<wasamasa> "This includes that the licensee must publish modified versions of
the library under
these licensing terms ("copyleft")."
<wasamasa> maybe they just don't get their terms right, I dunno
<wasamasa> haven't looked at it in detail
<mario-goulart> sjamaan: +1 for SPDX ids
<wasamasa> it contains a few interesting clauses, like that modifications to
the sources must have
an "obtrusive remark" which allows one to reconstruct what has been
changed at what time
<sjamaan> mario-goulart: One other advantage of that is that we'd be able to
link to the license
text directly from the egg list
<wasamasa> it's as if lawyers have rediscovered version control
<mario-goulart> sjamaan: yeah, and salmonella could better track license
<mario-goulart> And report invalid dependencies
<wasamasa> the institution who crafted that license put it in their "Licenses
with limited copyleft"
<mario-goulart> It can also be nice for products that depend on many eggs, and
you want to filter
out some licenses
<mario-goulart> E.g., GPL3 may be an issue for some projects.
<Bunny351> Hm... SPDX looks like madness to me...
<sjamaan> How so, Bunny351?
<Bunny351> overengineered W3Cish standardisation mania.
<sjamaan> It's just about providing a machine-readable license declaration
<mario-goulart> OpenEmbedded uses it for its recipes and it works quite well,
as far as I can tell.
<Bunny351> but "BSD" is machine readable
<mario-goulart> Bunny351: we'djust use identifiers, like "BSD" in .meta.
<sjamaan> I was just gonna say
<sjamaan> The point is that you wouldn't allow something like "Berkeley"
<evhan> What if I want to use the Burkley Software Distribution license instead?
<Bunny351> I think most people don't care, and those who care can figure the
exact license out.
<sjamaan> It's hard to figure out exactly what you're getting when you do
<sjamaan> Or "chicken-install pastiche", for that matter
<Bunny351> there are ways to check, e.g. by looking at the egg index /
<sjamaan> Yeah, but that's manual and error-prone
* Bunny351 sighs
<mario-goulart> And the id that egg authors use in .meta may not correctly
describe the actual
license. It'd be guesswork.
<sjamaan> You can still put in the wrong identifier, of course
<mario-goulart> Some eggs just have "GPL" in .meta.
<mario-goulart> sjamaan: in this case, that's author's reponsability.
<mario-goulart> In practice, it wouldn't change much for egg authors, as long
as they know what they
are soing with regard to the licenses they choose. It's just a
matter of selecting
the right SPDX id.
<sjamaan> I agree, it's very simple and streamlines things quite a bit
<wasamasa> no SPDX identifier for the bremer license :D
<mario-goulart> No problem. Just use something like "Bremer" in the .meta and
ship the license
<mario-goulart> Weird licenses (those not covered by SPDX) are likely to be
less than 1% of the
<wasamasa> currently no license file is shipped, right?
<mario-goulart> Some eggs (specially in github etc) ship a LICENSE file, IIRC.
<mario-goulart> But it's not the norm.
<wasamasa> yeah, that's what I mean
<wasamasa> I've fetched a mirror of all eggs and usually there is none
<mario-goulart> Actually many of them ship a license file (e.g., fuse, git,
<mario-goulart> But they are not _installed_.
All the best.