On Wed, Jun 8, 2022 at 1:24 PM Bradley M. Kuhn <bkuhn@xxxxxxx> wrote: > So, the problem we has is we really have no way of knowing for sure that > variance in (say) the warranty disclaimer was intentional or just goofy — and > if it was just goofy, did that goofiness end up being legally significant? > For all we know, minor changes were determined as very significant by some > contributor who has a lot of liability and fears a warranty claim. Who are > we to judge — given that GPLv2 *does* allow you to vary your warranty > disclaimer (or remove it entirely)? To be a little clearer about why this bothers me a little bit. I know that in the past the FSF gave public guidance to companies that it was okay to tack on materially different warranty and liability disclaimer language to GPL notices (or, say, in global product license agreements). (GPLv3 codifies this in its section 7.) Also, earlier in my time at Red Hat I went through a period where I was recommending to developers to include some disclaimer language that differed from what you have in the traditional GPL boilerplate. The point is that there are cases where the materially different language is deliberate and reflected the legal preferences of the contributor (or contributor's employer) in question > Which, BTW, leads to another key point: SPDX identifiers do *not* indicate > whether a standard warranty claim, or no warranty claim, or anything else was > present. Without this external file, how is anyone to know without digging > through Git logs *whether* a warranty disclaimer used to be there or not? I > hadn't thought about this before, but this is actually a huge bug in SPDX. > Part of the reason we're struggling with this is that SPDX *should have* > provided identifiers for the items that GPLv2 allows to vary in presentation > and terms of the licenses! This is an interesting point. SPDX identifiers were I think originally meant to refer to license texts, not license notices, except for the "or-later" vs. "only" issue found in the GPL family. If you had a GPLv2 license file altered so that the warranty disclaimer section had some additional language, SPDX would say this is not "GPL-2.0-only" anymore because the matching criterion fails. It would need a LicenseRef- or a new standard SPDX identifier. I am not sure why a GPLv2-only license *notice* containing nonstandard, legally significant language shouldn't be treated as distinct from what SPDX means by "GPL-2.0-only" if what you're doing is removing the historical license notice from the source file. I wonder if "SPDX-License-Identifier:" isn't sufficiently well defined. > I realize that as of, like, "now" as in "the last 24 hours", that's true, > because Thomas indicated that he updated/is-updating his patch set to exclude > the ones Fontana identified (IIUC). But I have two concerns: (a) Thomas > already indicated that tabling this issue in 2019 led to slow down on the > project, and I presume it will do so again if it's tabled again and (b) the > number of lawyers reviewing these patches is minimal, and they're also human > beings and they may miss stuff (and/or may disagree about the legal > significance). As such, I think there are already no certainty that some > items that the patch-reviewers believed were legally insignificant are > actually legally significant. > > It also leads me to ask Fontana, since he seems to be the only lawyer > watching this issue: are you *sure* there weren't other patches that drifted > through already that had legally-significant variance in warranty disclaimer? No, because I didn't have that much time to focus on this in 2019 and less time now. If I have some time soon I will try to go through Thomas's recent patchsets but I only looked at a small number of them. Richard
