Technical Team/Minutes/2017-08-07

From SPDX Wiki
Jump to: navigation, search

August 8, 2017

Joint technical/legal call


  • Gary O’Neall
  • Thomas Steenberg
  • Anna Buhman
  • Kate Stewart
  • Matija Suklje
  • Dennis Clark
  • Jack Manbeck
  • Trevor King
  • Paul Maddick
  • Phil Odence
  • John Sullivan
  • David Wheeler
  • Uday Shankar
  • Yev Bronshteyn
  • Karen Copenhaver
  • Hung Chang
  • See: WIKI page for background

  • Default for GPL license is or later, unless specified, and our id GPL-3.0 assumes only, rather than or later.
  • Desire is to get to clarity without too much disruption.
  • David Wheeler: needs to be some way to distinguish between only or-later. Back compatibility is good though. There is a third case, hard to figure if its only or or-later. Tools will give you wrong info. Tool found this license text and not making any assertion.

Tools are a key part of this infrastructure - be able to generate without forcing them to lie.

  • Phil: Some tools can tell
  • David: Distinguishing this is sometimes an english prose exercise is hard.
  • Jilayne: File level license text, example when standard header language with removal of “or later” - tool can make direct hit. What identifier is used for full text of license?
  • David: Likes use of -only, but thinks the ambiguous case needs to be captured.
  • Gary: Agrees useful to capture 3 different states.
  • Jilayne: License itself gives guidance, but looking outside the license text is needed. 5 files, 1 with text of GPL 2.0 license and 4 source files without any license info whatsoever. What is the short identifier to use for the license file? What is the Concluded License for 4 source files?
  • Dennis: totally agreed with Gary
  • Trevor: Get “only” handling.
  • John: If not explicit you can choose any version.
  • John: Worry about misuse of that category. One of the concerns with having identifier that is ambiguous, has been misused in the past. Part of interest and support is because SPDX is aspirational to help get things cleaned up. Current tooling. For SPDX to achieve its goal, better to not deliberately cover case or lax clarity.
  • David Wheeler - only, or-later, “at-least”. Tools can look at license text - can’t tell I don’t know. Should be reporting at “at-least”.
  • Gary: If author and originator of code, forcing them to justify. In the tooling and human audit has value.
  • Kate: noassertion exists for ambiguity.
  • David: don’t need detail and analysis - GPL indicator is sufficient. I propose "only", "or later", and "at least".
  • Jilayne: 5 files, 1 with text of GPL 2.0 license and 4 source files without any license info whatsoever. What is the short identifier to use for the license file? What is the Concluded License for 4 source files?
  • John: Need to follow up with use case.
  • John: Any way to return two possibilities? GPL-2.0-only OR GPL-2.0-or-later

Could indicate this?

  • Jilayne: Right now GPL-2.0 means GPL-2.0-only

So at this point we haven’t changed meaning. Putting back GPL-2.0+.

  • Trevor: OR means pick a license, choice 1 or 2 - what is probablity of either. Don’t know what the real option. GPL-2.0 is in all the possible sets, so use it.
  • David: For the cases encountered, knowing its at least GPL-2.0 is good enough. Yes, I’ve dealt with it and done.
  • Gary: If designing this from scratch - are 3 states useful? Probably useful here. Solve the backwards compatibility in another manner.
  • Dennis: I think we should vote on Gary's proposal before this meeting is over.

I think it addresses all of the issues. KS

  • Kate Stewart: Would like to make sure FSF as license author is ok with it, before we vote.
  • Gary: propose that introduce “only” operator. Keep “+” for “or-later”. For compatibility, deprecate GPL-2.0 to be used with “only operator”. GPL-2.0 is the license text.
  • David: Just remove the word “only” in the license name. Just getting developers to include any license is a major step forward.
  • Discussions with John, David, Gary on variants.
  • Trevor: what about cases with multiple licenses Apache & GPL? We have in SPDX document with LicensesFoundInFile is meant to capture this with no assertion of relation between them. However Github doesn’t show this.
  • Thomas: 99.9% of all Javascript - just look at license in package JSON file.
  • Gary: different use cases of software. Author trust, tool then some of these cases.
  • David: License expression needs to express summary of information necessary to figure out.
  • Thomas: Rename GPL tag to be from family. Simply unknown or don’t want to specify, don’t think deprecating and switching tags is good idea with nodeworld. Would be a massive operation taking years. Easier to change our definition. Add the -only flag for those who are specific. Instead of forcing 1000s of developers to upgrade.
  • Action Items:
    • Gary to move proposal up to top of WIKI page, in light of the call.
    • John to circle back with FSF - about reality of people not identifying one way or another.
    • Revisit on legal call, and pick up then. Esp. how it plays to other licenses.
  • Paul agrees.
  • To be followed up on August 17th on Legal call.