Change Proposal: AdditionRef- #4
Comments
|
+1 on the change proposal. One suggestion - we should also support external document references to ExceptionRef's in the same way we support external document references to LicenseRef's. |
|
I think this would be a good addition. I like the distinction of ExceptionRef- rather than allowing LicenseRef- on both sides of the WITH operator, as it seems to avoid confusion. Implications for spec:
|
|
Update: I think @pombredanne's counterproposal is preferable because it seems to address (in this one limited context) my basic objection to SPDX's tying itself to a narrow, normative understanding of what an "exception" is, instead of attempting to devise an objective way of representing the actual kinds of license term supplementation that occurs in practice, which would be more consistent with how SPDX treats license representation. Further update: Having just dealt with a real-world case of some terms that could be characterized either as an orthodox GPL exception or as an alternative (non-FOSS) license, and in the process concluding that we needed to have two data files in the Fedora license data repository (with two different SPDX expressions) to represent both interpretations, I am now mildly -1 on this proposal and instead support @pombredanne's suggestion for allowing LicenseRef- to be used in WITH subexpressions. Essentially, the concern that 'LicenseRef-1 WITH LicenseRef-2' (to use @Pizza-Ria's example) is undesirable is IMO misplaced because in some situations you might want to use LicenseRef-2 outside of a WITH context. @pombredanne says:
This is related to why I find SPDX's treatment of exceptions confusing given what I thought was a "just the facts" principle. The SPDX spec says of WITH: "Sometimes a set of license terms apply except under special circumstances." And the SPDX exception list says: "These exceptions grant an exception to a license condition or additional permissions beyond those granted in a license; they are not stand-alone licenses." This implies SPDX is making some kind of nontrivial legal interpretation of what are often informal and confusing terms. In reality, we have things in FOSS/pseudo-FOSS characterized as 'exceptions' that are probably not really "granting an exception" in any meaningful sense (see for example the old license of Liberation Fonts). We also might have highly restrictive terms that have been constructed to look like an orthodox GPL exception. SPDX should not deciding whether supplementary terms, whether or not characterized by the licensor as an 'exception', are actually additional permissions or something else. |
|
+1 - Seems to align with already documented exceptions provided at https://spdx.org/licenses/exceptions-index.html and offer an easier way to identify them especially considering the final note in the writeup of the ambiguity of only using "with" (i.e., "However, this would result in an impossibility to distinguish between Licenses and Exceptions, therefore a construct like LicenseRef-1 WITH LicenseRef-2 might be valid (if it were similar to Apache-2.0 WITH LLVM-exception) or not (if it were similar to Apache-2.0 WITH BSD-3-Clause)." |
|
I agree with both @zvr ’s suggestion and @richardfontana ’s comment above. (as pretty much always, likely won’t be able to make the call due to a clash) |
|
Providing a link to an existing issue in the SPDX spec proposing same: spdx/spdx-spec#153 |
|
-1 I do not agree with this proposed change. This is consistent with my previous comment on the topic spdx/spdx-spec#153 (comment) a few years back. Having a separate prefix for an identifier did not make sense then and it does not make more sense today. The latest guideline is to "use a single LicenseRef- to represent the entire license terms, including the exception." I also wrote back then: spdx/spdx-spec#153 (comment) : “My guess is that the majority, if not all, of the LicenseRef- used in license expressions as an exception are from ScanCode.” Counter proposal The only thing that seems reasonable is to allow the use of LicenseRef values in the WITH part of a license expression. Some key supporting points:
Note that this approach is already considered in https://github.com/spdx/change-proposal/blob/main/proposals/ExceptionRef.md#not-introducing-new-prefix. A concern expressed here is: This is already the case because there is nothing in the SPDX standards to define the validity of license elements within a license expression, nor does it make sense for SPDX to cover that. There is no specific meaning attached to the exception identifiers to reliably determine if a license id on the SPDX license list is for a license or an exception short of getting more data beyond the identifier alone. Existing exception identifiers are not prefixed or suffixed consistently in the license list, so adding an arbitrary convention for non-SPDX listed exceptions does not make sense. If someone mistakenly records “Apache-2.0 WITH BSD-3-Clause” instead of “Apache-2.0 AND BSD-3-Clause”, most people would understand the meaning. A good way to think of this is that WITH is a special case of AND to alert you to the fact that the next license in the license expression is an exception. Using a consistent convention to include the word "exception" in the license id would be a good thing and is probably all that is needed. See suggestion by @sschuberth in spdx/spdx-spec#153 (comment) |
|
I haven't had a chance to think about this in detail, but based on an initial review of the proposal and the comments above, here are my thoughts: Overall: I'm +1 to the original proposal. Open to some modifications to it, but as a baseline I think there needs to be some way to support user-defined exceptions within the existing SPDX license expression syntax and license data model. Exceptions on the license list itself: For purposes of the exceptions actually on the SPDX License List, to respond to @richardfontana I do think there has been value in keeping it to the narrow definition of "additional permissions" or "exceptions." Briefly, by limiting it to those exceptions, you can look at an expression using So I think there's value in it having worked this way in the past. All that said, I could also be open to an argument that the value there is outweighed by replacing "exceptions" with a more general "modifier" concept. But I think that's outside the scope of this particular change proposal. If the question is just whether custom Prefix for custom exceptions: I'm -1 to the comments above indicating that Licenses are different from exceptions to licenses (and/or modifiers to licenses). They are defined differently on the SPDX license list (licenses vs. exceptions); in the location and permitted syntax for the license-list-XML templates (schema); and in the RDF objects that represent them in the underlying SPDX data model (licenses vs. exceptions). Changing the license expression syntax to permit I would suggest that the discussion here be focused on the specific proposal at hand, and whether to adopt this (as-is or with minor/moderate changes) in the near term. If people want to propose more significant changes to the underlying SPDX data model, license expression syntax, etc., then I would suggest it's probably appropriate for those to be submitted as a separate change proposal so that it can be similarly considered and discussed. |
|
NOTE - we will discuss this Change Proposal in terms of 1) proceeding with it or not (yes or no); and 2) if yes, then specifics as to implementation. On Thursday, Jan 12th at noon US eastern time using the Legal team dial-in. I will also send an email reminder to both the legal and tech mailing lists. |
|
Having re-read this thread, I think there are a few tangents and I want to make sure we stay focused on our call Thursday. To use an illustrative example: If I found a package licensed under Apache-2.0 (which is on the SPDX License List), and it also applied the Commons Clause (which is not on the SPDX License List):
2a) An alternative implementation option (suggested by @pombredanne and which, if I understand correctly, is what Scancode has already been doing?) would to be able to use: 'Apache-2.0 WITH LicenseRef-CommonsClause' in 10.1 License identifier field and capture the text of only the Commons Clause in 10.2 Extracted text field. |
|
Will this proposed change be in 2.3.1, 2.4 or 3.0? |
|
Discussed on Jan 12th legal call https://github.com/spdx/meetings/blob/main/legal/2023-01-12.md Everyone in favor of allowing more extensible ability to represent things not on SPDX License List on right side of Still need to decide on implementation and meaning. Next steps:
To revisit once PRs are posted after FOSDEM - probably mid-Feb |
I drafted this PR spdx/spdx-spec#829 |
This completes the initial draft of the classes and other content for the Licensing profile. The exceptions are the exceptions, specifically the exception- related classes, which are left as placeholder files pending the ongoing discussion about the Change Proposal for custom exceptions at spdx/change-proposal#4. Signed-off-by: Steve Winslow <steve@swinslow.net>
|
During all the discussions, it seems that there was support for having a way to reference things not in the SPDX Licene List. There were two alternatives of what these "things" could be:
I don't think we had consensus on what was the goal.
I can join one of the next Legal Team calls and discuss them, if needed. |
|
My 2 cents:
|
|
Thanks for this and apologies for my slow reply. Here are my thoughts on the proposals from @pombredanne and @zvr following from the prior meeting about this change proposal:
So overall, I'm +1 to move forward with #839 in concept, though will take a closer look at the specific wording in that PR. |
|
Still a hesitant +1 - I'm afraid this is going to result in a lot of clutter but hopefully it will be more restrained than my fears. |
|
I stand by -1 as explained in #4 (comment) |
|
Without repeating all the pros and cons of all alternatives, I'm in favor of |
|
Leaving aside my earlier comments: Of the two proposals, I prefer I would assume that, as proposed,
|
@richardfontana Yes -- my expectation is that |
How is this different from a LicenseRef then? I still have not seen a convincing argument of why using a LicenseRef for these would not be good enough. There is no way that any meaning attached to the content of what's in such a file can be enforced, so using a special new prefix does not help with anything I can fathom. |
|
@pombredanne In my view:
My view is that these are two distinct things, with different semantic and syntactic meanings. Therefore, it is worthwhile to use different prefixes for them. Note that this reflects the way that SPDX has handled licenses vs. exceptions for at least as long as the Exceptions List has existed. This long pre-dates my own involvement with SPDX, but from looking at prior versions of the spec it appears that at least since the license expression syntax was introduced in SPDX 2.0 in 2015, there has been a dichotomy between "licenses" and "things that are added to licenses." So this is not a new concept.
That's true, but only in the sense that this applies to any other free text field in the specification. We can say "the intent for this field or this class is X", and people may or may not comply with it, but that doesn't stop us from establishing a specification for how things should be used. |
|
I'm +1 to I would note that none of the PRs, in my opinion, are complete. As noted in a comment above, I foresee this change impacting the Appendix, Section 10 of the spec and possibly other collateral - this will need to be fleshed out, but given the complete change in format for 3.0, I won't fault @pombredanne or @zvr for submitting a partial PR. @pombredanne - I'm a bit perplexed by your comments above - you cite the current state of the spec to "use a single LicenseRef- to represent the entire license terms, including the exception." But then seem to say that Scancode has used As someone who look at many SPDX license expressions, I would find As for messing things up - I recall that when we adopted the operators, there was some concern that people would use the Point being if we articulate the intention for the use of |
|
I personally thing that Regards, |
|
Since it's been a month and some more arguments were made, let me state again that I am personally in favor of @jlovejoy I'd like to hear what other parts of the spec are impacted, in your view. I thought I had went through all of the text and made a comprehensive PR. In short, "license expressions" are only explained and expanded in Annex D and that's the only thing that gets changed. @karsten-klein it was decided that each ChangeProposal should have a specific scope to stop us discussing ever-expanding issues. I understand your proposal is much more general, changing the way we model licenses and affecting the spec, the license expression syntax, the License List, the inclusion principles, and possibly other aspects. This is not what is being discussed here. For this Change Proposal, would you prefer:
|
|
@zvr - yes, license expressions are only explained in Annex D, but I would think this would need to be addressed in Section 10 as well, or maybe a separate section. Assuming the text of the additional text for the |
swinslow
changed the title
|
Following from the discussions in this thread, the mailing list and on the January call and today's call, we concluded on a few items:
More details included in the minutes from today's meeting, which I'll post in the meetings repo shortly. Next steps are for me to revise the licensing-profile branch in the spdx-3-model repo to implement these changes. I'll follow up here and will close the issue after that is done. |
|
This has now been merged into the initial SPDX 3.0 licensing model: Classes: Properties:
Ancillary materials such as the License Expression Syntax annex will still need to be updated. Not yet clear to me how the annexes will be carried over from SPDX 2.3 to 3.0, so I'll leave this issue open as a placeholder until this is complete |
This completes the initial draft of the classes and other content for the Licensing profile. The exceptions are the exceptions, specifically the exception- related classes, which are left as placeholder files pending the ongoing discussion about the Change Proposal for custom exceptions at spdx/change-proposal#4. Signed-off-by: Steve Winslow <steve@swinslow.net>
|
The question whether to use Should the information whether the text is an addition or a stand-alone license be encoded as part of the ID string or not? drawbacks I see with
Looking just at ScanCode: It offers meta-data it associates with the IDs, which includes license category and also an Given that I believe it'd be less of a hazzle to just allow |
SPDX v2 does not allow using custom (`LicenseRef-`) IDs as exceptions and an SPDX expression. Whether / how that could be supported in future is currently being discussed, see [1]. When the SPDX reporter creates an SPDX document containing `LicenseRef-` exceptions it crashes due to an exception from `SpdxExpression.validate()`. The only SPDX V2 compliant options for preventing that crash are: 1. Come up with a whole new `LicenseRef-` license string which denotes to a text containing both, the license and the exception. 2. Allow `LicenseRef-` in the report. So, this commit implements #2 which is an easy fix, at least for the short term. [1] spdx/change-proposal#4 Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
SPDX v2 does not allow using custom (`LicenseRef-`) IDs as exceptions and an SPDX expression. Whether / how that could be supported in future is currently being discussed, see [1]. When the SPDX reporter creates an SPDX document containing `LicenseRef-` exceptions it crashes due to an exception from `SpdxExpression.validate()`. The only SPDX V2 compliant option for preventing that crash is to come up with a whole new `LicenseRef-` license ID which denotes a text containing both, the license and the exception. As a simple, maybe short term solution, relax the check so that the reporter no more crashes. This violates the SPDX v2 spec, but keeps the information about the association of the license and the exception. Users then patch up the license finding using a license finding curation to assign a dedicated custom license ID. [1] spdx/change-proposal#4 Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
Currently, there is no syntax for custom exceptions to licenses defined in the SPDX specification. Whether / how that could be supported in future is currently being discussed, see [1]. When the SPDX reporter creates an SPDX document containing `LicenseRef-` exceptions it crashes due to an exception from `SpdxExpression.validate()`. The only SPDX V2 compliant option for preventing that crash is to come up with a whole new `LicenseRef-` license ID which denotes a text containing both, the license and the exception. As a simple, maybe short term solution, relax the check so that the reporter no more crashes. This violates the SPDX v2 spec, but keeps the information about the association of the license and the exception. Users then patch up the license finding using a license finding curation to assign a dedicated custom license ID. [1] spdx/change-proposal#4 Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
Currently, there is no syntax for custom exceptions to licenses defined in the SPDX specification. Whether / how that could be supported in future is currently being discussed, see [1]. When the SPDX reporter creates an SPDX document containing `LicenseRef-` exceptions it crashes due to an exception from `SpdxExpression.validate()`. The only SPDX V2 compliant option for preventing that crash is to come up with a whole new `LicenseRef-` license ID which denotes a text containing both, the license and the exception. As a simple, maybe short term solution, relax the check so that the reporter no more crashes. This violates the SPDX v2 spec, but keeps the information about the association of the license and the exception. Users then patch up the license finding using a license finding curation to assign a dedicated custom license ID. [1] spdx/change-proposal#4 Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
Currently, there is no syntax for custom exceptions to licenses defined in the SPDX specification. Whether / how that could be supported in future is currently being discussed, see [1]. When the SPDX reporter creates an SPDX document containing `LicenseRef-` exceptions it crashes due to an exception from `SpdxExpression.validate()`. The only SPDX V2 compliant option for preventing that crash is to come up with a whole new `LicenseRef-` license ID which denotes a text containing both, the license and the exception. As a simple, maybe short term solution, relax the check so that the reporter no more crashes. This violates the SPDX v2 spec, but keeps the information about the association of the license and the exception. Users then patch up the license finding using a license finding curation to assign a dedicated custom license ID. [1] spdx/change-proposal#4 Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
|
FYI: as visible from the linked PR above, some tools start supporting |
|
@fviernau @maxhbr Just for clarity, the decision to require This issue is just remaining open as a placeholder pending determination about where ancillary materials (e.g., the Annexes from SPDX 2.3 and earlier) will be inserted for SPDX 3.0, so that the annexes relating to the License Expression Syntax can be updated to reflect this decision. |
Please review a new Change Proposal for adding an ExceptionRef here: https://github.com/spdx/change-proposal/blob/main/proposals/ExceptionRef.md submitted by @zvr
To be reviewed by SPDX-legal and SPDX-tech team.
Please indicate in this issue, if you think this proposal should move forward or not at this time, which a brief supporting statement for your decision.
If there is support to move forward, then we will move the discussion to the appropriate team for discussion related implementation.
The text was updated successfully, but these errors were encountered: