THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Legal Team/or-later-vs-unclear-disambiguation"
Line 24: | Line 24: | ||
2) add new concept of short identifier “alias” and make "GPL-2.0" equivalent to "GPL-2.0-only": If GPL-2.0 = GPL-2.0-only, then how do you get the "or later" option? You'd end up with GPL-2.0-only+ which makes no sense! The ends result here needs to indicate: GPL-2.0-only and GPL-2.0+ and no ability to combine them. Also, short identifier "alias" concept would be a new concept and possibly over-engineering a solution for one set of licenses. | 2) add new concept of short identifier “alias” and make "GPL-2.0" equivalent to "GPL-2.0-only": If GPL-2.0 = GPL-2.0-only, then how do you get the "or later" option? You'd end up with GPL-2.0-only+ which makes no sense! The ends result here needs to indicate: GPL-2.0-only and GPL-2.0+ and no ability to combine them. Also, short identifier "alias" concept would be a new concept and possibly over-engineering a solution for one set of licenses. | ||
− | 3) roll back + operator: remove the + operator from the license expression syntax and re-implement GPL-2.0-only and GPL-2.0+ as separate line items on the SPDX License List. This would not impact the extensibility of applying exceptions, as the "with" operator is the key factor for that. This seems to be the best option, but | + | 3) roll back + operator: remove the + operator from the license expression syntax and re-implement GPL-2.0-only and GPL-2.0+ as separate line items on the SPDX License List. This would not impact the extensibility of applying exceptions, as the "with" operator is the key factor for that. This would also solve header matching problem as it would allow the standard header field to be existing and matchable for both variations. The key downside to this solution is it means rolling back something we spent a lot of work implementing, but if the outcome provides more clarity and better license "hygiene" as well as aligning with the FSF wishes, then it is worth the work? |
− | * original argument was that + operator could be used with other licenses (not just GNU family), but do other licenses actually need it? and have people even used it with other licenses? (not that has been observed) | + | |
+ | This seems to be the best option, but key consideration is impact on other licenses. * original argument was that + operator could be used with other licenses (not just GNU family), but do other licenses actually need it? and have people even used it with other licenses? (not that has been observed) | ||
+ | Below is an analysis of the licenses that have "or later version" type language. Please add to this as needed! | ||
+ | |||
+ | ==== GPL language | ||
+ | [The Free Software Foundation/Affero, Inc] may publish revised and/or new versions of the [Lesser/Affero] General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. | ||
+ | |||
+ | Each version is given a distinguishing version number. If the [Library/Program] specifies a version number of [the license/this License] which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by [the Free Software Foundation/Affero, Inc.]. If the [Library/Program] does not specify a version number of the license, you may choose any version ever published by [the Free Software Foundation/Affero, Inc.]. | ||
+ | |||
+ | v3 | ||
+ | Each version is given a distinguishing version number. If the Program/Library specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. | ||
+ | |||
+ | If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. | ||
+ | |||
+ | Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. | ||
+ | |||
+ | AGPL-1 | ||
+ | You may also choose to redistribute modified versions of this program under any version of the Free Software Foundation's GNU General Public License version 3 or higher, so long as that version of the GNU GPL includes terms and conditions substantially equivalent to those of this license. | ||
+ | |||
+ | |||
+ | |||
* would need to check other licenses if they behave like GPL | * would need to check other licenses if they behave like GPL | ||
* e.g. MPL-2.0 - doesn’t “only” or “or later” because license isn’t written that way / doesn’t give option to do one or the other | * e.g. MPL-2.0 - doesn’t “only” or “or later” because license isn’t written that way / doesn’t give option to do one or the other | ||
Line 31: | Line 51: | ||
* MPL, EPL family, CC licenses, others? | * MPL, EPL family, CC licenses, others? | ||
− | + | ||
− | + | ||
== Selected responses/ideas/commentary from mailing list === | == Selected responses/ideas/commentary from mailing list === |
Revision as of 00:49, 6 July 2017
Contents
Introduction to Issue
Background
Originally, the SPDX License List listed variations of licenses as separate "line items". Notably, various versions of L/GPL had two listed items: one for a specific version-only, and one indicating a version-or-later. This was indicated in the list via the inclusion of the words "only" and "or later" in the full name; and via the short identifier: GPL-2.0 and GPL-2.0+ respectively. (examples throughout use GPL-2.0, but this issue applies to the entire family of GNU licenses, i.e., GPL, LGPL, FDL, APGL).
When the license expression syntax was introduced in version 2.0 of SPDX, licenses with the "or later" indication were removed as separate listed licenses, as they could now be provided for via using the "+" operator. This, along with the "with" operator solved the issue of under-representation of license-exception combinations.
However, this also created a new issue whereby the standard header which is usually where the "or later" or "only" option is indicated in practice could no longer be differentiated or captured directly.
Issue
In practice, practitioners are not always explicit about whether a license is a version only or or later option. Also, not all licenses that provide for later versions treat their application in the same way or as explicitly as the GNU family of licenses does. This, combined with the SPDX identifier not explicitly indicating "only" has the potential for people not using the accurate SPDX identifier.
Solution
Replace "GPL-2.0" identifier with "GPL-2.0-only"
This has been discussed with representatives from FSF and reflects their approval and blessing.
Implementation of Solution
The remaining question is how to implement this change.
Below are several options considered, some of which are not tenable for stated reasons. They have been included here for reference.
1) add “only” as an operator: does not solve issue as would still leave door open to use "GPL-2.0" which would be ambiguous as it would not indicate "only" or "or later". L/GPL language is clear that it is one or the other, so this could only create more confusion and not reflect the intention of the license. This could also result in people using the "only" operator with other licenses where it is not needed or shouldn't be used.
2) add new concept of short identifier “alias” and make "GPL-2.0" equivalent to "GPL-2.0-only": If GPL-2.0 = GPL-2.0-only, then how do you get the "or later" option? You'd end up with GPL-2.0-only+ which makes no sense! The ends result here needs to indicate: GPL-2.0-only and GPL-2.0+ and no ability to combine them. Also, short identifier "alias" concept would be a new concept and possibly over-engineering a solution for one set of licenses.
3) roll back + operator: remove the + operator from the license expression syntax and re-implement GPL-2.0-only and GPL-2.0+ as separate line items on the SPDX License List. This would not impact the extensibility of applying exceptions, as the "with" operator is the key factor for that. This would also solve header matching problem as it would allow the standard header field to be existing and matchable for both variations. The key downside to this solution is it means rolling back something we spent a lot of work implementing, but if the outcome provides more clarity and better license "hygiene" as well as aligning with the FSF wishes, then it is worth the work?
This seems to be the best option, but key consideration is impact on other licenses. * original argument was that + operator could be used with other licenses (not just GNU family), but do other licenses actually need it? and have people even used it with other licenses? (not that has been observed) Below is an analysis of the licenses that have "or later version" type language. Please add to this as needed!
==== GPL language [The Free Software Foundation/Affero, Inc] may publish revised and/or new versions of the [Lesser/Affero] General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the [Library/Program] specifies a version number of [the license/this License] which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by [the Free Software Foundation/Affero, Inc.]. If the [Library/Program] does not specify a version number of the license, you may choose any version ever published by [the Free Software Foundation/Affero, Inc.].
v3 Each version is given a distinguishing version number. If the Program/Library specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation.
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
AGPL-1 You may also choose to redistribute modified versions of this program under any version of the Free Software Foundation's GNU General Public License version 3 or higher, so long as that version of the GNU GPL includes terms and conditions substantially equivalent to those of this license.
- would need to check other licenses if they behave like GPL
* e.g. MPL-2.0 - doesn’t “only” or “or later” because license isn’t written that way / doesn’t give option to do one or the other * what are other licenses: * MPL, EPL family, CC licenses, others?
Selected responses/ideas/commentary from mailing list =
NOTE: Please feel free to add/clarify below
At the same time as conversations between SPDX leaders and FSF representatives were on-going, this topic bubbled up on SPDX mailing list. Below is a summary of such conversations.
D. Wheeler 5/25/2017
Technically “GPL-2.0” in SPDX means “only this version”, but in practice many practitioners & tools are sloppy about this. Part of the problem is that tools can easily determine that “GPL version 2.0 is in this package” but in many cases they cannot easily determine automatically a distinction between “2.0 or greater” versus “2.0 and no other”. In addition, in many cases it doesn’t matter, so the increased effort would be a waste of time. What the tools really need to indicate is a way in SPDX to indicate “2.0 at least is here, and I don’t know if ‘or later’ is okay”. Since SPDX doesn’t have a mechanism to report this, “GPL-2.0” is sometimes being used to report of “I know 2.0 is here, and I don’t know if ‘or later’ is okay” - even though it’s technically not compliant with the SDPX spec.
It’d be helpful to have a simple way to indicate “I really mean this specific version” (my “!” suffix) vs. “this version at least is okay, and I’m not sure about later versions” (which is how “GPL-2.0” is currently interpreted; maybe another suffix like “?” or “*” would help to mark this case).
K. Stewart 5/25/2017
We've started having some discussions with FSF about what they'd prefer, and their preference seems to be GPL-2.0-only, so we probably want to go that way rather than introducing the "!" idea.
D. Wheeler 5/25/2017
K. Stewart: We've started having some discussions with FSF about what they'd prefer, and their preference seems to be GPL-2.0-only, so we probably want to go that way rather than introducing the "!" idea.
Okay. Although that's less flexible, that's much easier to transition (you don't have to change any parsing code), so I see the advantages of this.
If this is done: 1. It needs to cover all the licenses where this is likely. At *least* GPL and LGPL; I think MPL is probably in this case too. 2. The original license terms need to *stay* in SPDX, with modified clarifying text. Something like this:
GPL-2.0: The GNU General Public License (GPL), version 2.0 is acceptable, and without any clear statement if later versions are acceptable. Where practical, try to use more specific license expressions such as "GPL-2.0+", "GPL-2.0-only", or "(GPL-2.0-only OR GPL-3.0-only)". Historically this indicator meant "GPL version 2.0 only", but in practice tools often can't determine if later ones are acceptable (or not) & used this term in such cases. This specification acknowledges this practice and provides more specific alternatives when that information is available.
D. Wheeler 5/26/2017
We need at least *3* cases. Here they are, with potential names/expressions:
- GPL-2.0-only. I *know* that *only* the GPL version 2.0 is acceptable. I had originally proposed a "!" suffix.
- GPL-2.0+. I *know* that GPL version 2.0, or later, is acceptable.
- GPL-2.0. I *know* that at least GPL version 2.0 is acceptable (e.g., I found its license text). However, I'm not entirely certain whether or not later versions are acceptable, so I make *no* assertion either way. This appears to be what "GPL-2.0" has become, in some cases, in spite of the spec. Which is why we need a way to mark certainty vs. uncertainty. If you prefer, you could label this "GPL-2.0-at-least", or add a "?" suffix to mean "I don't know if later/other versions are acceptable".
The problem is that while tools can detect the presence of a license, it's often difficult for them to determine if an "or later" clause is valid in some cases. In many cases SPDX is capturing tool output, so we need for there to be a valid expression for tools to output. My understanding is that some tools that find GPL version 2.0 will currently report "GPL-2.0"... even if a later version is also acceptable... and as a result, "GPL-2.0" is not being interpreted as originally intended.
What's more, without a third case, it'll just happen again. Tools can't easily determine if "or later" applies, and in many cases you do *NOT* need more information than this. It can take a lot of effort ($) to determine if it's really "GPL-2.0-only" or "GPL-2.0+", and if the spec only supports those two options, then that's a problem.. because people are *not* going to spend effort unnecessarily.
If "GPL-2.0" is deprecated, then tools will start reporting "GPL-2.0-only" when they're not sure if later versions apply, because in many cases they can't easily determine it. Then we'll be back to the original problem, where "GPL-2.0-only" may mean "I found GPL 2.0 but maybe later versions will be okay". Ugh. Since many tools can only determine "at least this version", there needs to be a standard way to report it.
T. King 5/26/2017
Digging at this “acceptable” idea a bit more, I'm guessing it's something like “adapters may share adapted works under”. But the SPDX isn't just about copyleft (e.g. it includes CC-BY-ND-*). I think it makes more sense to focus on licenses (just the text, e.g. GPL-2.0) and license grants. For example, here are some SPDX License Expressions translated into grants:
- GPL-2.0: You can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.
- GPL-2.0+: You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
- CC-BY-SA-4.0: This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
You can distribute an adaptation under a later version of the CC BY-SA because that's part of the CC-BY-SA-4.0 [1].
- CC-BY-SA-4.0+: This work is licensed under a Creative Commons Attribution 4.0 International License; either version 4.0 of the License, or (at your option) any later version.
The CC-BY-SA-4.0 tries to grant you that right anyway, but regardless of how you read the CC-BY-SA-4.0, I'm granting you that right directly.
> CC-BY-SA-3.0+ would be a synonym for CC-BY-SA-3.0 [6], but I don't > see a problem with that. It would probably be useful to call that > out in the wording that forbids the -only suffix for CC-BY-SA-3.0…
If the SPDX doesn't want to get into the business of determining when licenses grant + semantics, then we probably don't want an -only suffix and we certainly don't want a GPL-2.0-only short identifier.
But if you want to be in the business of warning users about the lack of built-in or-later wording in the GPL, CC-BY-ND-4.0, etc. and the presence of built-in or-later in the CC-BY-SA-4.0, etc., I don't see how you'd avoid making claims about whether the license had built-in or-later wording.
D. Seaward 5/26/2017
Perhaps "GPL-2.0"could be deprecated and instead whoever is tagging must use one of:
- GPL-2.0-only
- GPL-2.0+
- GPL-2.0?
...where "only" means only, "+" means "or later" and "?" means unclear. Legacy data still tagged "GPL-2.0" would be treated as "GPL-2.0?" until updated. (This assumes the SPDX team want people tagging things as unclear!)