-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support creation of custom exception using "ExceptionRef" #153
Comments
I'm in favor of this. Agree that there should be a clearly documented way to create custom exception texts. I assume — consistent with your milestone tagging :) — that this would be 3.0 rather than 2.2, since I think this would be a breaking change to the license expression syntax. |
I am also in favor of something like this. An example where this might be useful: a project readme file that says
A different example, from the main script file in the same project:
This sort of phenomenon is not uncommon in nominally *GPL-licensed projects. It could be beneficial in these cases to have an SPDX expression that includes the information that part of the license is a textually-intact license that maps to something on the SPDX license list. These examples are not "exceptions" in FSF GPL-2.0 parlance (they would be what GPL-3.0 calls "additional requirements") and are worth capturing precisely because they raise issues of GPL compliance and non-normative (even if compliant) use of GPL licensing. So I don't know if it would be better to use a construct name not based on the notion of an "exception". |
@richardfontana What do you think of "ConditionRef" as a way capture additional clauses that have been added a license and have "ExceptionRef" for clauses that have been removed? |
@tsteenbe I don't want to get too hung up on labels, though "ConditionRef" implies a legal conclusion and making a distinction between "exception" and "condition" also implies that some legal analysis is being done, which I think SPDX in general is trying to avoid. I don't know what a good neutral label would be ... "term" is somewhat suggestive of a condition; "clause" implies it's not separate from the main license document (but usually these things are). GPLv3 uses the term "term" in a way that is supposed to encompass anything, and no one ever complained about that. TermRef? AdditionalTermRef? |
A similar request was mentioned on the mailinglist of the REUSE project: https://lists.fsfe.org/pipermail/reuse/2021q4/000127.html Treating everything as a new license makes it very explicit and easy to develop SPDX-capable tooling, but makes it more cumbersome to handle a newly encountered exception (handling as custom license or requesting upstream changes). I'm mostly in favor of just defining new licenses that include the exceptions, but I can see the point of view for supporting exceptions, so perhaps SPDX should support exception? |
FWIW, the two cases I've come across recently both call these "exceptions", so "ExceptionRef" prefix would make sense for my use case:
|
A few comments:
My guess unless being proven otherwise is that the vast majority if not all of the So I would like to enact this as the standard and avoid to create a new concept of "ExceptionRef". Instead reuse the "LicenseRef" prefix which is plenty good and enough. That would be a minor update to the license expression appendix. |
Maybe with the additional requirement that such an "exception LicenseRef" also needs to contain the string "-exception" or "-exception-"? |
While SPDX 2.2 supports LicenseRefs to refer to licenses that are not part of the SPDX license list [1], no such mechanism exists for license exceptions [2]. However, in reality tools like ScanCode need to somehow express exceptions to custom licenses, and ScanCode does that via "LicenseRef-scancode-*" Licenserefs that also contain the word "exception" [3]. Support SPDX expressions containing such exceptions in the new ALLOW_LICENSEREF_EXCEPTIONS strictness level. [1]: https://spdx.dev/licenses [2]: spdx/spdx-spec#153 [3]: https://scancode-licensedb.aboutcode.org/?search=exception Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
While SPDX 2.2 supports LicenseRefs to refer to licenses that are not part of the SPDX license list [1], no such mechanism exists for license exceptions [2]. However, in reality tools like ScanCode need to somehow express exceptions to custom licenses, and ScanCode does that via "LicenseRef-scancode-*" Licenserefs that also contain the word "exception" [3]. Support SPDX expressions containing such exceptions in the new ALLOW_LICENSEREF_EXCEPTIONS strictness level. [1]: https://spdx.dev/licenses [2]: spdx/spdx-spec#153 [3]: https://scancode-licensedb.aboutcode.org/?search=exception Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
@sschuberth I am not opposed to it, but this is not even the case for exceptions on the exception list (e.g., there are "official" exceptions that do not use "exception" in their ids), so I cannot see how this could become a requirement for other exceptions. |
Well, we have to start somewhere with establishing best practices. And of course existing exceptions would need to be updated to follow these, too, at some point. |
Providing a link to a proposal made by @zvr - spdx/change-proposal#4 |
Reference: spdx#153 Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
Use a LicenseRef as an exception on the right side of WITH instead. Also add an example. Reference: spdx#153 Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
PCRE2 is available under BSD-3-Clause, but with a relevant exception that arguably applies to the way Qt uses it, too. So let's mention this exception in the listed license. Unfortunately, the exception is not part of the SPDX database, and combining a standard license with a custom exception is not supported yet. See [1] for a related discussion. Meanwhile, just defining a whole license is a common workaround. [1] spdx/spdx-spec#153 [ChangeLog][Third-Party Code] Clarifying license of PCRE2 to be BSD-3-Clause with advertisement exception for binary-like packages. Pick-to: 6.5 Change-Id: Ib6d46806dc5a00ff2f795054ad9bf0ae62920501 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
PCRE2 is available under BSD-3-Clause, but with a relevant exception that arguably applies to the way Qt uses it, too. So let's mention this exception in the listed license. Unfortunately, the exception is not part of the SPDX database, and combining a standard license with a custom exception is not supported yet. See [1] for a related discussion. Meanwhile, just defining a whole license is a common workaround. [1] spdx/spdx-spec#153 [ChangeLog][Third-Party Code] Clarifying license of PCRE2 to be BSD-3-Clause with advertisement exception for binary-like packages. Change-Id: Ib6d46806dc5a00ff2f795054ad9bf0ae62920501 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 5a182d3) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Check that all classified licenses are valid non-deprecated SPDX expressions. In particular, license exceptions must not be classified on their own. But `LicenseRefs` are accepted as exceptions / as an operand for `WITH` to work around the limitation described in [1]. [1]: spdx/spdx-spec#153 Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Check that all classified licenses are valid non-deprecated SPDX expressions. In particular, license exceptions must not be classified on their own. But `LicenseRefs` are accepted as exceptions / as an operand for `WITH` to work around the limitation described in [1]. Fixes #37. [1]: spdx/spdx-spec#153 Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Check that all classified licenses are valid non-deprecated SPDX expressions. In particular, license exceptions must not be classified on their own. But `LicenseRefs` are accepted as exceptions / as an operand for `WITH` to work around the limitation described in [1]. Fixes #37. [1]: spdx/spdx-spec#153 Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
This was added in 3.0 as part of the change request for AdditionRef. Closing as resolved. |
Currently the SPDX spec supports non-SPDX licenses using the "LicenseRef" prefix but such a thing does not exist for exception. Proposal is to introduce “ExceptionRef” prefix to allow SPDX users to define non-SPDX exception.
Per SPDX tech team meeting the only workaround now is to make a LicenseRef out of SPDX license and the non-SPDX exception.
Use case:
Found LGPL-3.0 with an OpenSSL-exception which we now encoded as LicenseRef-ORT-LGPL-3.0-only-with-OpenSSL-exception which means for the tooling it's a complete new license. Better solution would be the expression LGPL-3.0-only WITH ExceptionRef-OpenSSL-exception.
The text was updated successfully, but these errors were encountered: