12:54 p.m.
regarding Tom’s comment on this topic:
So this is the difficulty. We know of an order of magnitude of different variants of BSD
and MIT (many of which are unclassified by the OSI and SPDX). They're all functionally
identical. Are you volunteering to audit all the Fedora packages to correct the license
tags? I'm not. :)
I could be possible to come up with a correlation of the Fedora tags and SPDX ids (where
Fedora groups licenses under one age, but SPDX uses different ones) and then automate
updating the tags, no?
I have a summary of the work done thus far to align and a spreadsheet from a few years ago
with the correlation. It would need updating on both sides, but it could provide a decent
start.
https://wiki.spdx.org/view/Legal_Team/Fedora-comparison
<https://wiki.spdx.org/view/Legal_Team/Fedora-comparison>
Jilayne
SPDX legal team
3:20 p.m.
New subject: BSD-2-Clause
On Tue, Apr 2, 2019 at 1:57 PM J Lovejoy <opensource(a)jilayne.com> wrote:
regarding Tom’s comment on this topic:
So this is the difficulty. We know of an order of magnitude of different variants of BSD
and MIT (many of which are unclassified by the OSI and SPDX). They're all functionally
identical. Are you volunteering to audit all the Fedora packages to correct the license
tags? I'm not. :)
I could be possible to come up with a correlation of the Fedora tags and SPDX ids (where
Fedora groups licenses under one age, but SPDX uses different ones) and then automate
updating the tags, no?
One of the problems is that in effect Fedora has a different notion of
"matching" from that of SPDX. In general, and especially seen in the
Fedora use of "BSD" and "MIT", there isn't a one-to-one
correspondence
between a Fedora license identifier and an SPDX one. That's not a
theoretical problem because it's common (especially with older
codebases) to have a package consisting of source files under various
materially different BSD-like licenses, or vaguely MIT-like licenses.
One scupulous solution would be to replace a given use of, say, "MIT"
with, in such a case, for example, "MIT-Variant-1 AND MIT-Variant-2 .
. . AND MIT-Variant-N" but no one seems to want to do that (this also
connects with the recent discussion in the SPDX community about the
potential advantages of having SPDX license identifier namespaces). A
nonscrupulous solution which seems similar in spirit to how many
developers are using SPDX identifiers today is to ignore the
complexity and decide arbitrarily, or for convenience, that you'll
describe the package in that case as "MIT", or "BSD-3-Clause", but
that is then pretty unfaithful to the SPDX system (or so it seems to
me).
Richard
4:17 p.m.
New subject: BSD-2-Clause
On Tue, Apr 2, 2019 at 1:20 PM Richard Fontana <rfontana(a)redhat.com> wrote:
On Tue, Apr 2, 2019 at 1:57 PM J Lovejoy
<opensource(a)jilayne.com> wrote:
>
> regarding Tom’s comment on this topic:
>
> So this is the difficulty. We know of an order of magnitude of different
variants of BSD and MIT (many of which are unclassified by the OSI and
SPDX). They're all functionally identical. Are you volunteering to audit
all the Fedora packages to correct the license tags? I'm not. :)
>
>
> I could be possible to come up with a correlation of the Fedora tags and
SPDX ids (where Fedora groups licenses under one age, but SPDX uses
different ones) and then automate updating the tags, no?
One of the problems is that in effect Fedora has a different notion of
"matching" from that of SPDX. In general, and especially seen in the
Fedora use of "BSD" and "MIT", there isn't a one-to-one
correspondence
between a Fedora license identifier and an SPDX one. That's not a
theoretical problem because it's common (especially with older
codebases) to have a package consisting of source files under various
materially different BSD-like licenses, or vaguely MIT-like licenses.
One scupulous solution would be to replace a given use of, say, "MIT"
with, in such a case, for example, "MIT-Variant-1 AND MIT-Variant-2 .
. . AND MIT-Variant-N" but no one seems to want to do that (this also
connects with the recent discussion in the SPDX community about the
potential advantages of having SPDX license identifier namespaces). A
nonscrupulous solution which seems similar in spirit to how many
developers are using SPDX identifiers today is to ignore the
complexity and decide arbitrarily, or for convenience, that you'll
describe the package in that case as "MIT", or "BSD-3-Clause", but
that is then pretty unfaithful to the SPDX system (or so it seems to
me).
Seconding this problem (which I came across in the wild last week).
Does SPDX have a notion of indicating confidence level of a scan? Or is
that just derived from the reputation of whoever creates the manifest?
Luis
9:13 p.m.
New subject: BSD-2-Clause
On Apr 2, 2019, at 3:17 PM, Luis Villa <luis(a)lu.is> wrote:
On Tue, Apr 2, 2019 at 1:20 PM Richard Fontana <rfontana(a)redhat.com
<mailto:rfontana@redhat.com>> wrote:
On Tue, Apr 2, 2019 at 1:57 PM J Lovejoy <opensource(a)jilayne.com
<mailto:opensource@jilayne.com>> wrote:
>
> regarding Tom’s comment on this topic:
>
> So this is the difficulty. We know of an order of magnitude of different variants of
BSD and MIT (many of which are unclassified by the OSI and SPDX). They're all
functionally identical. Are you volunteering to audit all the Fedora packages to correct
the license tags? I'm not. :)
>
>
> I could be possible to come up with a correlation of the Fedora tags and SPDX ids
(where Fedora groups licenses under one age, but SPDX uses different ones) and then
automate updating the tags, no?
One of the problems is that in effect Fedora has a different notion of
"matching" from that of SPDX. In general, and especially seen in the
Fedora use of "BSD" and "MIT", there isn't a one-to-one
correspondence
between a Fedora license identifier and an SPDX one. That's not a
theoretical problem because it's common (especially with older
codebases) to have a package consisting of source files under various
materially different BSD-like licenses, or vaguely MIT-like licenses.
One scupulous solution would be to replace a given use of, say, "MIT"
with, in such a case, for example, "MIT-Variant-1 AND MIT-Variant-2 .
. . AND MIT-Variant-N" but no one seems to want to do that (this also
connects with the recent discussion in the SPDX community about the
potential advantages of having SPDX license identifier namespaces). A
nonscrupulous solution which seems similar in spirit to how many
developers are using SPDX identifiers today is to ignore the
complexity and decide arbitrarily, or for convenience, that you'll
describe the package in that case as "MIT", or "BSD-3-Clause", but
that is then pretty unfaithful to the SPDX system (or so it seems to
me).
Seconding this problem (which I came across in the wild last week).
if you want to assist in getting more licenses on the SPDX License List - especially to
enable more use of SPDX identifiers in source files or elsewhere, then that is a subject
for discussion on that mailing list :)
and we are happy to have the help!
I don’t think aligning Fedora to use SPDX identifiers is insurmountable at all. It’s just
a matter of putting heads and effort together on both sides of the coin.
We could also create some kind of collaborative communication going forward to ensure new
license Fedora comes upon are represented on the SPDX License List.
Does SPDX have a notion of indicating confidence level of a scan? Or is that just derived
from the reputation of whoever creates the manifest?
correct - it’s down to the reputation or your perceived level of trust of whoever created
the BoM/manifest/SPDX document - like always.
Luis
1847
days inactive
1848
days old
3 comments
3 participants
participants (3)
-
J Lovejoy -
Luis Villa -
Richard Fontana