spdx-spec

License expression semicolon operator

Open goneall opened this issue 6 years ago • 4 comments

The Wiki page for File Notice Examples refers to a semi-colon operator which is not in the spec and is not currently supported by most license expression parsers.

We should either add it to the spec or remove it from the example page.

goneall, May 22 '19 18:05

https://wiki.spdx.org/view/FileNoticeExamples#Package_Examples

The wiki page, for convenience's sake.

carmenbianca, May 27 '19 13:05

I think the ; was proposed by @MarkGisi as a way to combine different licenses in a package... I seem to remember a discussion in a conference about the differences with AND but do not remember the details -- nor any resolution.

zvr, May 27 '19 18:05

The short answer is the ';' example was included to provide a use case that was not possible to represent with the license expression semantics. Dennis provides a summary here: https://lists.spdx.org/g/Spdx-legal/message/1127

The inability for the SPDX legal team to address the issue caused us to move away from SPDX license expressions for packages in our bill of materials report. I have pointed out on several occasions that file licensing (i.e., source/binary) and package licensing are different with respect to i) semantics, ii) structure and iii) derivative work considerations, where the semantics of the AND operator fails to accommodate this difference.

For example, consider the slightly more extreme example where a package contains two independent programs: one under the GPL-2.0 and a separate proprietary application. There is nothing legally inappropriate about that. I would like to represent the package license as:

GPL-2.0; LicenseRef-1

As opposed to:

GPL-2.0 AND LicenseRef-1

A more common example is when a package contains a GPL-2.0 program and an LGPL-2.1 library. It is important to represent the package as:

GPL-2.0; LGPL-2.0

Or an example where the package contains a GPL-2.0 program, an Apache program and a LGPL-2.1 library which is used by both programs, yet the programs are independent. I would like to represent the package license as:

GPL-2.0; Apache-2.0; LGPL-2.1

Or:

(GPL-2.0 AND LGPL-2.1); (Apache AND LGPL-2.1)

And NOT:

GPL-2.0 AND Apache-2.0 AND LGPL-2.1

I hope this helps clarify the purpose of the ‘;’ use case.

MarkGisi, May 27 '19 21:05

@MarkGisi Thanks for the background! Something we should take back up again. There is a related issue #124 regarding NPM package.json using license expressions.

goneall, May 28 '19 16:05

Moving to 3.1 for consideration.

cc: @swinslow

goneall, Apr 04 '24 17:04

I'm inclined to close this issue, as I don't think there's been any further discussion about it in nearly the past 5 years.

Personally, I continue to view ";" as indistinguishable in effect from "AND". The purpose of the license expression is to communicate which licenses, or combinations of licenses, apply to a software artifact at the particular level of specificity that is being expressed.

In other words:

  • If a Package contains both GPL-2.0 and LGPL-2.1 content, then the license expression for the Package is properly given as GPL-2.0 AND LGPL-2.1.
  • If there's a concern that this introduces confusion as to which licenses apply to which parts of the Package, there are multiple ways to address that:
    • Define sub-Packages representing the corresponding subsets of the top-level Package, specify GPL-2.0 for one and LGPL-2.1 for the other, and use a CONTAINS Relationship to express that they are contained within the top-level Package.
    • Or, if the difference exists at a File level, define Files within the Package and specify the GPL vs. LGPL licenses that apply to those specific files.

Looking back at the earlier comments referenced in this thread, I think there may be a misperception that someone should be able to look at an "AND" expression and automatically conclude whether it expresses a "legally compliant" or "legally compatible" combination of licenses. I don't think this is intended. A software Package might contain some files under GPL-2.0-only and others under GPL-3.0-only. The license expression for this Package is properly given as "GPL-2.0-only AND GPL-3.0-only". Even if those licenses are not considered "compatible" with one another, actually answering that question is a matter of both legal interpretation and analyzing the manner of interactions between the various components within the Package.

Parts of this can be reflected using certain Relationship types, but I don't think there is a need to encode this within the license expression string itself. The only purpose of the license expression is to state "for this software artifact, at this level of specificity, here are the licenses that apply."

Given all of this, I really can't articulate a difference between the effect of ";" and "AND", so I'm not inclined to complicate the syntax by introducing a new operator.

Since there is nothing here that is covered in 3.0, I'm going to go ahead and close this issue. If there is a community desire to re-engage on this discussion for 3.1, we can consider re-opening the issue. Thank you!

swinslow, Apr 07 '24 14:04
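To make the syntactic point of the thread concrete, here is an added example; it is not code from the SPDX project or from any participant above. It parses SPDX 2.x license expressions using only the constructs the spec's grammar defines (AND, OR, WITH, the '+' suffix, parentheses, with AND binding tighter than OR), so ';' is rejected as a token with no grammar rule, which is why the parsers goneall mentions do not accept it. It then shows two things the preceding comment argues: that the grouping Mark asked for cannot survive inside an AND expression, because the nested "(A AND C) AND (B AND C)" and the flat "A AND B AND C" refer to the same set of licenses, and that the place for per-component licensing is the document structure, here a top-level package with sub-packages joined by CONTAINS relationships in the SPDX 2.3 JSON field layout (SPDXID, licenseConcluded, spdxElementId, relationshipType, relatedSpdxElement). Assumptions, all the example's own: it checks syntax only and does not validate identifiers against the SPDX License List; it accepts uppercase operator keywords only; it uses the current GPL-2.0-only / LGPL-2.1-only identifiers rather than the deprecated unsuffixed forms in the thread; and the package names and SPDXIDs are made up for illustration.

```python
import re

class LicenseExpressionError(ValueError):
    """Text that is not a valid SPDX license expression."""

# Tokens the grammar has rules for: parentheses and identifier strings (letters, digits, '.',
# '-', ':' for DocumentRef-qualified refs, optional trailing '+'). Anything else, ';' included,
# is a syntax error. Identifiers are NOT checked against the SPDX License List (assumption).
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.:\-]+\+?|\S")
_ID_RE = re.compile(r"[A-Za-z0-9.:\-]+\+?")
_OPERATORS = ("AND", "OR", "WITH")  # uppercase only, as in the spec's examples (assumption)

def tokenize(text):
    tokens = []
    for m in _TOKEN_RE.finditer(text):
        tok = m.group()
        if tok not in ("(", ")") and not _ID_RE.fullmatch(tok):
            raise LicenseExpressionError(f"unexpected {tok!r} at offset {m.start()}: "
                                         "not an operator in the SPDX grammar")
        tokens.append(tok)
    return tokens

class _Parser:
    """Recursive descent: or := and ('OR' and)*; and := with ('AND' with)*;
    with := primary ['WITH' exception-id]; primary := '(' or ')' | license-id."""
    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0
    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None
    def _take(self):
        if self._peek() is None:
            raise LicenseExpressionError("unexpected end of expression")
        self.i += 1
        return self.tokens[self.i - 1]
    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise LicenseExpressionError(f"unexpected {self._peek()!r} after complete expression")
        return node
    def _or(self):
        left = self._and()
        while self._peek() == "OR":
            self._take()
            left = ("OR", left, self._and())
        return left
    def _and(self):
        left = self._with()
        while self._peek() == "AND":
            self._take()
            left = ("AND", left, self._with())
        return left
    def _with(self):
        node = self._primary()
        if self._peek() == "WITH":
            self._take()
            exc = self._take()
            # The spec allows WITH only between a single license id and a single exception id.
            if not isinstance(node, str) or exc in _OPERATORS + ("(", ")"):
                raise LicenseExpressionError("WITH joins one license id to one exception id")
            node = ("WITH", node, exc)
        return node
    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise LicenseExpressionError("missing ')'")
            return node
        if tok == ")" or tok in _OPERATORS:
            raise LicenseExpressionError(f"expected license identifier, got {tok!r}")
        return tok

def parse(text):
    """Expression tree: a license id string, or (op, left, right) tuples."""
    return _Parser(text).parse()

def is_valid(text):
    try:
        parse(text)
        return True
    except LicenseExpressionError:
        return False

def license_ids(node):
    """Licenses an expression refers to, regardless of how they were grouped."""
    if isinstance(node, str):
        return {node}
    if node[0] == "WITH":
        return {f"{node[1]} WITH {node[2]}"}
    return license_ids(node[1]) | license_ids(node[2])

def package_with_parts(name, parts):
    """SPDX 2.3 JSON-style fragment: top-level licenseConcluded is the AND of the parts'
    expressions; each part is a sub-package joined by CONTAINS. Names/SPDXIDs are illustrative."""
    top_id = f"SPDXRef-{name}"
    packages, relationships, terms = [], [], set()
    for part_name, lic in parts:
        tree = parse(lic)  # each part's expression must be valid on its own
        terms.add(lic if isinstance(tree, str) else f"({lic})")  # keep OR/WITH grouping intact
        part_id = f"{top_id}-{part_name}"
        packages.append({"SPDXID": part_id, "name": part_name, "licenseConcluded": lic})
        relationships.append({"spdxElementId": top_id, "relationshipType": "CONTAINS",
                              "relatedSpdxElement": part_id})
    top = {"SPDXID": top_id, "name": name, "licenseConcluded": " AND ".join(sorted(terms))}
    return {"packages": [top] + packages, "relationships": relationships}
```

Running `is_valid("GPL-2.0-only; LGPL-2.1-only")` returns False with the offset of the ';', while the AND form parses; `license_ids` over Mark's nested and flat third example returns the same three identifiers, which is the sense in which the expression string cannot carry the grouping. `package_with_parts("example-pkg", [("gpl-program", "GPL-2.0-only"), ("apache-program", "Apache-2.0"), ("lgpl-library", "LGPL-2.1-only")])` produces the layout the preceding comment describes; how the library is linked by the two programs would be further Relationship entries, which this example does not model.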

Sorry, I neglected to mention: Since the old wiki is no longer active and has been set to read-only mode, I don't think there's an action here to update that wiki page. If it's necessary, we can look into whether it's feasible to re-open the wiki for editing, but I'm hesitant to do that as I imagine there's plenty of other old / outdated content elsewhere on the wiki as well :)

swinslow, Apr 07 '24 14:04