On 5/25/22 1:13 PM, Bradley M. Kuhn wrote:
In answering Thomas' question …
Thomas Gleixner wrote at 14:10 (PDT) on Monday:
If I want to remove this option, then how do I express this with a SPDX
license identifier?
… some licensing/SPDX background is in order. (I apologize in advance for a
few paragraphs of license-splaining, as I know that many on this thread know
these points already, but I suspect most only have only vague familiarity
with this issue.)
copyleft-next 0.3.1 reads:
+11. Later License Versions
+ The Copyleft-Next Project may release new versions of copyleft-next,
+ designated by a distinguishing version number ("Later Versions").
Many don't realize that GPL is (or was, pre-copyleft-next) unique in
structure among copyleft licenses in that the -or-later clause of all
licenses in the GPL family is configurable. That yields the complex forms
of: GPLv1-only, GPLv1-or-later, GPLv2-only, GPLv2-or-later, etc. GPLv3 even
added the proxy upgrade clause (— a formulation SPDX can't handle at all).
Other non-trivial FOSS licenses — such as Mozilla Public License (MPL),
Common Development and Distribution License (CDDL), and Eclipse Public
License (EPL) (as just three examples) — all have “automatic -or-later”.
Thus, “MPLv2.0” *always* means “MPLv2.0-or-later”, so if you use the SPDX
moniker for that (“MPL-2.0”), it really is akin to using “GPLv2-or-later”.
Meanwhile, there is no *actual* way to license code under “MPLv2-only” — the
license text itself prohibits it.
A few folks on the SPDX legal team did a summary chart of all the
nuances and while I'm not going to go down that road again, suffice to
say, the "or later" clauses have more variation than most people would
think (which is probably b/c most people don't need to pay attention to
it). The "+" operator is always available if someone so chooses to apply
it as needed.
All that's to say: the GPL has (historically) always been a huge FOSS
licensing special-case because of the complex configurability of its
“-or-later” clause.
Agreed.
One of the last activities I did with SPDX (in late 2017) was to help
negotiate a solution on reworking the GPL identifiers to deal with this
special case. The solution was a classic political compromise — where
*everyone* left unhappy — but that's what led to the deprecation of SPDX's
“GPL-2.0” identifier in favor of “GPL-2.0-or-later” and “GPL-2.0-only”.
I would agree with this characterization, except this was the outcome
the FSF wanted, so ostensibly they were happy (and you forgot that
GPL-2.0+ ).
(And to give credit where credit is due, Bradley's input during that
challenging "negotiation" was very helpful. :)
So, this problem that Thomas notes above is definitely an error by the SPDX
project, *just like* the one that exists for the deprecated “GPL-2.0”
To be clear, the GPL-2.0 identifier was never an error by the SPDX team
- we were always very clear as to what it meant/means. It was that the
FSF didn't like it. That is clearly explained in the blog post on the
SPDX website, as well as the post on the FSF site on the subject.
Jilayne