spdx-spec icon indicating copy to clipboard operation
spdx-spec copied to clipboard
verified publisher icon spdx

Expand §8.3.4 Annotation Type with new values (LICENSE, PATENT, COPYRIGHT, EXPORT, TRADEMARK) and change cardinality

Open kestewart opened this issue 8 years ago • 7 comments

Thomas: Expand §8.3.4 Annotation Type with new values “LICENSE” | “PATENT”. Enables annotator to more precisely indicate type of annotation Discussed use case brought up by customers - will save research. OpenCV is case cited. Be able to annotate that a patent has expired, etc. Use LICENSE when its not 100% clear, so may want to provide information about equivalence or not with another. Zlib 1.0.6 and another close to it.
Different lawyers handle different roles, want to give lawyers comments that apply to the appropriate reviewers. Thomas: Copyrighter holder may be out of business, so may want to have a “COPYRIGHT” as well. Discussion of who adds the and roles between Alexios & Thomas. Desire to permit multiple TYPES to be used with ANNOTATION

  1. Add in new values LICENSE, PATENT, COPYRIGHT, EXPORT, TRADEMARK as valid types.
  2. Permit cardinality from one to many.
    Gary ok with cardinality change, sees as useful for automation. Looking at this as a 2.2 feature.

kestewart avatar Sep 12 '17 16:09 kestewart

TO BE DISCUSSED FURTHER: Do we want LICENSE here in this, as we can’t point Annotation to License at this point in the model for this. Adding Annotations to Licenses? Will this hold up in the data model. Open question is how you can express for a complex license expression?

kestewart avatar Sep 12 '17 16:09 kestewart

Export will be about ECC information, such as in:

https://github.com/openssl/openssl/blob/master/README (last paragraph)

in a file?

There is another file case which could be considered for marking in a similar mode, not citing examples here, but files exists in OSS which say in their header like

  • This file is confidential, proprietary or both
  • can be used only with (written) permission by copyright owner

-> how about marking such file for avoiding this for use?

mcjaeger avatar Jul 11 '18 09:07 mcjaeger

If you have some concrete examples of e.g. what the fields would look like in practice, for these use cases, that would be helpful to see. I might not be understanding the request here, and also might misunderstand the use case for Annotations. =) But here's my gut reaction on these.

  • For COPYRIGHT and LICENSE, what would be the reason for adding this sort of information via Annotations? Rather than using e.g. the PackageLicenseConcluded / PackageLicenseComments fields (and similar equivalents, for copyrights and each of those for Files)?

  • For PATENT, the current SPDX spec takes a pretty definite stance that patent info won't be addressed:

1.5 What is not covered in the specification? . . . 1.5.3 ​Any identification of any patent(s) which may or may not relate to the package.

  • For TRADEMARK, I don't know that it's explicit, but I'd feel pretty similarly. Trademarks are relevant in the context of goods and services being offered in commerce. That means that pretty much any questions around use of trademarks, and whether a use is "okay" or not, is going to be context-specific. Feels to me like it's outside the scope of SPDX documents' purpose of defining a software bill of materials.

  • For EXPORT, I could see some relevance here, in terms of flagging Packages or Files that could contain encryption code. (I note that this is a very US-centric view of export controls...) Though from the OpenSSL statement that was linked above as an example, that's just pointing to a generic statement that some countries have export controls and you should talk to a lawyer. What would be the sort of field / data that you'd imagine would go here, from an export perspective? And, should those be in an Annotation or in an export-specific field in the Package and File sections?

swinslow avatar Jun 11 '19 18:06 swinslow

Moving to 3.0 based on discussion on weekly call.

kestewart avatar Mar 10 '20 17:03 kestewart

Possibly we should also consider adding in "STANDARD" as the AI & FUSA profiles will reference this.

Also, Arm has gone about creating "Standards" fields in Comments, so let's see if we want to have it as annotation, or include directly as package property.

kestewart avatar Aug 11 '22 20:08 kestewart

Since this is a non-breaking change, moving to 3.1

goneall avatar Apr 04 '24 21:04 goneall

My views on this remain the same as described in my comment above. I'm adding a few clarifications below for ongoing developments in the course of 3.0 development:

  • LICENSE: Although not an Annotation, the new licensing model in 3.0 instead uses Relationships to communicate licensing information. So my assumption is that this sufficiently addresses the goals for this one.
  • COPYRIGHT: By contrast, copyrightText remains a property on a SoftwareArtifact so it would presumably still be defined concurrently with defining the SoftwareArtifact.
  • PATENT / TRADEMARK: I continue to view this as inappropriate for an SPDX document / metadata, and I'm -1 to any changes in SPDX scope to incorporate this.
  • EXPORT: I believe the contemplated new "operations" profile might be aiming to track certain metadata relating to export control matters (e.g. cryptography).

I won't close this issue, as from the comments above it sounds like there may be some aspects of it that are relevant to other profiles. But I don't see anything in here that will lead to changes to the licensing-related fields or profiles (and certainly not for 3.0).

swinslow avatar Apr 07 '24 13:04 swinslow