On 6/19/24 6:07 PM, Richard Fontana wrote:
> On Wed, Jun 19, 2024 at 11:58 AM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
>> On 18. 06. 24 18:46, Miroslav Suchý wrote:
>>> Hi. I am going to do the mass change of the license from GPLv2 to GPL-2.0-only
>>
>> Hi. How do you know the License tag is not supposed to be e.g. "GPL-2.0-only AND MIT" or similar? Converting "GPLv2" (which could mean any number of "weaker" licenses are hidden under the "stronger" GPL in the old notation) to "GPL-2.0-only" (which means all the code is exactly GPL 2.0 only) cannot be done automatically. Same for the other thread about LGPLv3 to LGPL-3.0-only conversion.
>
> The meaning of something like "GPLv2" or "LGPLv3" in the Callaway™ (old notation) system was not consistently defined, documented or understood. We've had some discussions about this (see legal list threads on the so-called "effective license" concept). It is true that under the Callaway system some package maintainers were applying some sort of idiosyncratic effective license theory when populating license tags, but prior to Fedora's migration to SPDX expressions I would have asserted this was incorrect. It should be noted btw that much (probably most) of the use of SPDX identifiers in the open source community seems to be based on application of various kinds of undocumented effective license theories. So non-use of effective license theory is not an inherent property of SPDX, at least in practice. The SPDX spec itself, and the SPDX project, doesn't really assert an opinion on how SPDX expressions should be used by projects (i.e., what something like `GPL-2.0-only` *ought* to mean), at least as far as I understand.

that is correct and I would say that is not the domain of SPDX generally as it has to do with interpretation.
In any case, I don't see any way that kind of thing could be or ever will be consistently defined across the diverse reality of "the open source community".

> I'd argue that proper use of SPDX expressions should lead to the non-use of effective license analysis, which I guess implies that much of the use of SPDX expressions is improper.

not improper per se - if people find a license and choose not to identify it in an SPDX expression, that isn't really something the SPDX spec has guidance about. It cuts to trust in whoever made that call or created an SPDX document.

> So anyway what I think you're basically saying is that if you automatically convert a Callaway-notation package license tag from `GPLv2` to `GPL-2.0-only`, the resulting license tag will often be incorrect under the current (post-Callaway/SPDX-based) system. This is true, but I would say that in such cases the license tag should have been viewed as incorrect under the Callaway system for at least partially the same reasons. Relatedly, I have had some misgivings and mixed feelings about these mass conversions, because I have worried that the resulting situation will make people complacent regarding the correctness of the license tag. That is, they may assume that a converted license tag has some sort of implied stamp of approval. However, I've mostly gotten comfortable with the piecemeal mass conversions over time. I accept that we'll (still) have many inaccurate license tags, under our current documented standards, and we'll just have to gradually try to improve them.

+1 I also had a lot of misgivings. In addition to Richard's comments, I think I've come to thinking that complacency is an issue no matter what and any amount of auto-conversion is not likely to make that worse or better.

> I'm not sure it's really better to stick with Callaway license tags for some longer period of time in the hope that the *first* attempt to convert a package license tag to SPDX expressions will be relatively accurate. I do worry that if everyone is complacent about this, Fedora could become yet another project using SPDX expressions inappropriately.

really don't want that!

In any case, Miro, I appreciate your observations and concerns. I think in the long run, putting in place more specific advice and better tooling for license review that is maybe even part of the packaging process would be better. Even the packages that were diligently updated to SPDX ids won't stay up-to-date over time as packages change their licenses, etc.

thanks,
Jilayne
Richard -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue