Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support creation of custom exception using "ExceptionRef" #153

Closed
tsteenbe opened this issue Nov 13, 2019 · 12 comments
Closed

Support creation of custom exception using "ExceptionRef" #153

tsteenbe opened this issue Nov 13, 2019 · 12 comments
Labels
profile: licensing Licensing Profile and related matters
Milestone

Comments

@tsteenbe
Copy link
Member

Currently the SPDX spec supports non-SPDX licenses using the "LicenseRef" prefix but such a thing does not exist for exception. Proposal is to introduce “ExceptionRef” prefix to allow SPDX users to define non-SPDX exception.

Per SPDX tech team meeting the only workaround now is to make a LicenseRef out of SPDX license and the non-SPDX exception.

Use case:
Found LGPL-3.0 with an OpenSSL-exception which we now encoded as LicenseRef-ORT-LGPL-3.0-only-with-OpenSSL-exception which means for the tooling it's a complete new license. Better solution would be the expression LGPL-3.0-only WITH ExceptionRef-OpenSSL-exception.

@tsteenbe tsteenbe added this to the 3.0 milestone Nov 13, 2019
@swinslow
Copy link
Member

I'm in favor of this. Agree that there should be a clearly documented way to create custom exception texts.

I assume — consistent with your milestone tagging :) — that this would be 3.0 rather than 2.2, since I think this would be a breaking change to the license expression syntax.

@richardfontana
Copy link

richardfontana commented Apr 25, 2020

I am also in favor of something like this. An example where this might be useful: a project readme file that says

This software is free. You can use it under the terms of GPLv2, see LICENSE. In addition starting from version 3.0rc1 if you're offering a scanner based on testssl.sh as a public and / or paid service in the internet you need to mention to your audience that you're using this program and where to get this program from.

A different example, from the main script file in the same project:

# License: GPLv2, see https://opensource.org/licenses/gpl-2.0.php
# and accompanying license "LICENSE.txt". Redistribution + modification under this
# license permitted.
# If you enclose this script or parts of it in your software, it has to
# be accompanied by the same license (see link) and the place where to get
# the recent version of this program. Do not violate the license and if
# you do not agree to all of these terms, do not use it in the first place.

This sort of phenomenon is not uncommon in nominally *GPL-licensed projects. It could be beneficial in these cases to have an SPDX expression that includes the information that part of the license is a textually-intact license that maps to something on the SPDX license list.

These examples are not "exceptions" in FSF GPL-2.0 parlance (they would be what GPL-3.0 calls "additional requirements") and are worth capturing precisely because they raise issues of GPL compliance and non-normative (even if compliant) use of GPL licensing. So I don't know if it would be better to use a construct name not based on the notion of an "exception".

@tsteenbe
Copy link
Member Author

So I don't know if it would be better to use a construct name not based on the notion of an "exception".

@richardfontana What do you think of "ConditionRef" as a way capture additional clauses that have been added a license and have "ExceptionRef" for clauses that have been removed?

@richardfontana
Copy link

@tsteenbe I don't want to get too hung up on labels, though "ConditionRef" implies a legal conclusion and making a distinction between "exception" and "condition" also implies that some legal analysis is being done, which I think SPDX in general is trying to avoid. I don't know what a good neutral label would be ... "term" is somewhat suggestive of a condition; "clause" implies it's not separate from the main license document (but usually these things are). GPLv3 uses the term "term" in a way that is supposed to encompass anything, and no one ever complained about that. TermRef? AdditionalTermRef?

@nicorikken
Copy link

A similar request was mentioned on the mailinglist of the REUSE project: https://lists.fsfe.org/pipermail/reuse/2021q4/000127.html Treating everything as a new license makes it very explicit and easy to develop SPDX-capable tooling, but makes it more cumbersome to handle a newly encountered exception (handling as custom license or requesting upstream changes). I'm mostly in favor of just defining new licenses that include the exceptions, but I can see the point of view for supporting exceptions, so perhaps SPDX should support exception?

@cdwilson
Copy link

cdwilson commented Dec 3, 2021

So I don't know if it would be better to use a construct name not based on the notion of an "exception".

FWIW, the two cases I've come across recently both call these "exceptions", so "ExceptionRef" prefix would make sense for my use case:

@pombredanne
Copy link
Member

pombredanne commented Dec 9, 2021

A few comments:

My guess unless being proven otherwise is that the vast majority if not all of the LicenseRef- used in license expressions as n exception are from ScanCode.

So I would like to enact this as the standard and avoid to create a new concept of "ExceptionRef". Instead reuse the "LicenseRef" prefix which is plenty good and enough. That would be a minor update to the license expression appendix.

@sschuberth
Copy link
Member

Instead reuse the "LicenseRef" prefix which is plenty good and enough.

Maybe with the additional requirement that such an "exception LicenseRef" also needs to contain the string "-exception" or "-exception-"?

sschuberth added a commit to oss-review-toolkit/ort that referenced this issue Dec 9, 2021
While SPDX 2.2 supports LicenseRefs to refer to licenses that are not
part of the SPDX license list [1], no such mechanism exists for license
exceptions [2]. However, in reality tools like ScanCode need to somehow
express exceptions to custom licenses, and ScanCode does that via
"LicenseRef-scancode-*" Licenserefs that also contain the word
"exception" [3]. Support SPDX expressions containing such exceptions in
the new ALLOW_LICENSEREF_EXCEPTIONS strictness level.

[1]: https://spdx.dev/licenses
[2]: spdx/spdx-spec#153
[3]: https://scancode-licensedb.aboutcode.org/?search=exception

Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
sschuberth added a commit to oss-review-toolkit/ort that referenced this issue Dec 10, 2021
While SPDX 2.2 supports LicenseRefs to refer to licenses that are not
part of the SPDX license list [1], no such mechanism exists for license
exceptions [2]. However, in reality tools like ScanCode need to somehow
express exceptions to custom licenses, and ScanCode does that via
"LicenseRef-scancode-*" Licenserefs that also contain the word
"exception" [3]. Support SPDX expressions containing such exceptions in
the new ALLOW_LICENSEREF_EXCEPTIONS strictness level.

[1]: https://spdx.dev/licenses
[2]: spdx/spdx-spec#153
[3]: https://scancode-licensedb.aboutcode.org/?search=exception

Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
@pombredanne
Copy link
Member

Maybe with the additional requirement that such an "exception LicenseRef" also needs to contain the string "-exception" or "-exception-"?

@sschuberth I am not opposed to it, but this is not even the case for exceptions on the exception list (e.g., there are "official" exceptions that do not use "exception" in their ids), so I cannot see how this could become a requirement for other exceptions.

@sschuberth
Copy link
Member

so I cannot see how this could become a requirement for other exceptions.

Well, we have to start somewhere with establishing best practices. And of course existing exceptions would need to be updated to follow these, too, at some point.

@goneall
Copy link
Member

goneall commented Oct 19, 2022

Providing a link to a proposal made by @zvr - spdx/change-proposal#4

pombredanne added a commit to pombredanne/spdx-spec-1 that referenced this issue Jan 12, 2023
Reference: spdx#153
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
pombredanne added a commit to pombredanne/spdx-spec-1 that referenced this issue Jan 12, 2023
Use a LicenseRef as an exception on the right side of WITH instead.
Also add an example.

Reference: spdx#153
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
qtprojectorg pushed a commit to qt/qtbase that referenced this issue Mar 28, 2023
PCRE2 is available under BSD-3-Clause, but with a relevant exception
that arguably applies to the way Qt uses it, too. So let's mention
this exception in the listed license.

Unfortunately, the exception is not part of the SPDX database, and
combining a standard license with a custom exception is not supported
yet. See [1] for a related discussion. Meanwhile, just defining a whole
license is a common workaround.

[1] spdx/spdx-spec#153

[ChangeLog][Third-Party Code] Clarifying license of PCRE2 to be
BSD-3-Clause with advertisement exception for binary-like packages.

Pick-to: 6.5
Change-Id: Ib6d46806dc5a00ff2f795054ad9bf0ae62920501
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
qtprojectorg pushed a commit to qt/qtbase that referenced this issue Mar 31, 2023
PCRE2 is available under BSD-3-Clause, but with a relevant exception
that arguably applies to the way Qt uses it, too. So let's mention
this exception in the listed license.

Unfortunately, the exception is not part of the SPDX database, and
combining a standard license with a custom exception is not supported
yet. See [1] for a related discussion. Meanwhile, just defining a whole
license is a common workaround.

[1] spdx/spdx-spec#153

[ChangeLog][Third-Party Code] Clarifying license of PCRE2 to be
BSD-3-Clause with advertisement exception for binary-like packages.

Change-Id: Ib6d46806dc5a00ff2f795054ad9bf0ae62920501
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 5a182d3)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
sschuberth added a commit to doubleopen-project/policy-configuration that referenced this issue Dec 15, 2023
Check that all classified licenses are valid non-deprecated SPDX
expressions. In particular, license exceptions must not be classified
on their own. But `LicenseRefs` are accepted as exceptions / as an
operand for `WITH` to work around the limitation described in [1].

[1]: spdx/spdx-spec#153

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth added a commit to doubleopen-project/policy-configuration that referenced this issue Dec 15, 2023
Check that all classified licenses are valid non-deprecated SPDX
expressions. In particular, license exceptions must not be classified
on their own. But `LicenseRefs` are accepted as exceptions / as an
operand for `WITH` to work around the limitation described in [1].

Fixes #37.

[1]: spdx/spdx-spec#153

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth added a commit to doubleopen-project/policy-configuration that referenced this issue Dec 27, 2023
Check that all classified licenses are valid non-deprecated SPDX
expressions. In particular, license exceptions must not be classified
on their own. But `LicenseRefs` are accepted as exceptions / as an
operand for `WITH` to work around the limitation described in [1].

Fixes #37.

[1]: spdx/spdx-spec#153

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@goneall
Copy link
Member

goneall commented Apr 4, 2024

This was added in 3.0 as part of the change request for AdditionRef.

Closing as resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
profile: licensing Licensing Profile and related matters
Projects
None yet
Development

No branches or pull requests

8 participants