
`GPL-2.0-only AND AGPL-3.0-or-later` is not a compatible SPDX license expression

Open carmenbianca opened this issue 1 year ago • 7 comments

⚠️ Before posting ⚠️

  • [X] This is a bug, not a question or an enhancement.
  • [X] I've searched for similar issues and didn't find a duplicate.
  • [X] I've written a clear and descriptive title for this issue, not just "Bug" or "Crash".
  • [X] I agree to follow Nextcloud's Code of Conduct.

Steps to reproduce

N/A, kind of. A lot of files in this project are tagged GPL-2.0-only AND AGPL-3.0-or-later. I don't think this is a compatible SPDX license expression. Any v2.0 GPL is not compatible with any v3.0 GPL, meaning that both licences cannot be simultaneously respected.

I have to assume that the intention was to write GPL-2.0-only OR AGPL-3.0-or-later. If not, #4014 contains more context for this issue.

Expected behaviour

N/A

Actual behaviour

N/A

Android version

N/A

Device brand and model

N/A

Stock or custom OS?

Stock

Nextcloud android app version

master

Nextcloud server version

N/A

Using a reverse proxy?

No

Android logs

No response

Server error logs

No response

Additional information

No response

carmenbianca avatar Apr 23 '24 13:04 carmenbianca

Hi @carmenbianca, happy for any insights you can provide since I am unsure if it is wrong or how to do it right. So https://github.com/nextcloud/android/issues/4014 isn't of any help actually, but let me try to explain why I chose GPL-2.0-only AND AGPL-3.0-or-later, where #4014 does cover it to some extent. So files having GPL-2.0-only AND AGPL-3.0-or-later have old code from before the fork which by then has been GPLv2-only while any newly added code in that file from that moment onwards is AGPLv3+. So I chose the above licenses with an AND to reflect that. According to @schiessle this is fine and basically everything is seen as GPLv2-only until no GPLv2-only lines exist in the file and then only GPLv3+ remains.

So yes, both can't be respected at the same time - GPL2-only wins, yet I need to have a way to state new code is AGPL3+. So would you say that this is then an OR? Which I doubt, since that would mean the GPL2-only-licensed code could be AGPL3+, which it can't.

Looking forward to your feedback

AndyScherzinger avatar Apr 23 '24 14:04 AndyScherzinger

Oof, I'm not entirely certain how to convey that information in an SPDX expression. From the perspective of AGPL-3.0-or-later-licensed code, the OR statement makes perfect sense, but not the other way around.

My non-expert analysis would probably be something like this:

A newly created file is licensed AGPL-3.0-or-later. However, because the whole of the program is licensed under GPL-2.0-only (with which AGPL-3.0-or-later is not compatible), it should be licensed AGPL-3.0-or-later OR GPL-2.0-only, allowing the user to 'fall back' to GPL-2.0.

An old file still containing GPL-2.0-only code sometimes also receives new contributions that are licensed AGPL-3.0-or-later OR GPL-2.0-only. However, this license expression is not correct for the entire file. As such, the license expression should be GPL-2.0-only AND (AGPL-3.0-or-later OR GPL-2.0-only). This collapses to GPL-2.0-only, as intended, but communicates additional semantics.

Something like that? I'm not a licensing compatibility expert, mind.

carmenbianca avatar Apr 23 '24 15:04 carmenbianca
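
Added example, not part of the thread or the project's code: a small evaluator for the AND/OR/parentheses subset of SPDX expressions that expands an expression into its alternative license sets, so the "collapses to GPL-2.0-only" step above can be checked mechanically. The names `to_dnf`, `usable_choices` and `INCOMPATIBLE` are hypothetical, and the single incompatible pair is the one asserted in this thread, not a general compatibility table.

```python
import re

# Assumption: the only incompatible pair is the one asserted in the thread.
INCOMPATIBLE = {frozenset({"GPL-2.0-only", "AGPL-3.0-or-later"})}

def to_dnf(expr):
    """Expand AND/OR/parentheses into alternatives (sets of licenses that all apply)."""
    tokens = re.findall(r"[()]|[A-Za-z0-9.+-]+", expr)
    pos = 0

    def atom():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] in (")", "AND", "OR"):
            raise ValueError("license identifier expected")
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return {frozenset({tok})}
        inner = or_expr()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing closing parenthesis")
        pos += 1
        return inner

    def and_expr():  # AND binds tighter than OR in SPDX
        nonlocal pos
        left = atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            right = atom()
            left = {a | b for a in left for b in right}
        return left

    def or_expr():
        nonlocal pos
        left = and_expr()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            left = left | and_expr()
        return left

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("unexpected token: " + tokens[pos])
    return result

def usable_choices(expr):
    """Drop absorbed alternatives, then those containing an incompatible pair."""
    dnf = to_dnf(expr)
    minimal = {a for a in dnf if not any(b < a for b in dnf)}
    return {a for a in minimal if not any(p <= a for p in INCOMPATIBLE)}
```

Under these assumptions the original header expression yields no usable alternative, while the parenthesised form yields exactly one, `GPL-2.0-only`.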

I also have a hard time wrapping my head around it. Also because when you reach the point where all lines are AGPLv3+, then we would remove any GPLv2 statements. So if you actively put them in again, then you also locked that license into the code base, and the goal is to get rid of GPL2-only.

Looping in @schiessle for feedback.

AndyScherzinger avatar Apr 23 '24 15:04 AndyScherzinger

In my reading, there is no way to license any code in this project exclusively AGPL-3.0-or-later if it must also be compatible with existing GPL-2.0-only code.

carmenbianca avatar Apr 23 '24 15:04 carmenbianca

I can't tell, but I would expect to be able to change a license if all code has been changed. With your argument you would never be able to ever get away from a GPLv2-only.

AndyScherzinger avatar Apr 23 '24 15:04 AndyScherzinger

Well, yes and no. After you've removed the last line of code that is GPL-2.0-only, you'd be able to replace all instances of AGPL-3.0-or-later OR GPL-2.0-only with AGPL-3.0-or-later. From that point on, all future code is really truly no longer dual-licensed. Until then, getting rid of GPL-2.0-only seems impossible to me.

But I reiterate that I'm not an expert, neither in licensing compatibility nor in this project.

carmenbianca avatar Apr 23 '24 16:04 carmenbianca

If the latter is the case, yes, then that would be a viable option. Getting rid of GPL2-only before that, yes impossible. I just can't say how to best express that in the license expression, but if GPL-2.0-only AND (AGPL-3.0-or-later OR GPL-2.0-only) reflects that then I can just take care of getting this change in.

AndyScherzinger avatar Apr 23 '24 17:04 AndyScherzinger

I agree with the assessment of @carmenbianca, this is also my understanding.

schiessle avatar Apr 29 '24 09:04 schiessle

PR to correct the headers based on your feedback: #12951

Again thanks for the explanations and clarifications 🙏 Highly appreciated!

AndyScherzinger avatar Apr 30 '24 10:04 AndyScherzinger