Consolidate fields for license profile
This is a discussion thread for determining which fields should be included in the new SPDX 3.0 "licensing" profile.
Background
In pre-3.0 versions of the spec, all license-related fields are contained within the main spec, and are specified as different properties on each SPDX artifact type. The licensing fields for Packages differ from those for Files, which differ from Snippets.
For 3.0, licensing information will be broken out from the base spec and put in a separate "licensing" profile. There is significant interest in consolidating the fields so that they have common names and meanings for Packages, Files and Snippets.
Initial proposal
The following reflects one proposal from some members of the SPDX tech team, which I've tried to restate succinctly. I'm not endorsing all of it (and I will have some comments on it below), but reflecting it here for discussion.
As used below, "artifact" means either a Package, File or Snippet.
- Declared License: the license(s) that the authors of the artifact declared to apply to the artifact.
- Concluded License: the license(s) that the SPDX document creator has concluded apply to the artifact.
- Distributed License: the license(s) that the creator of the artifact chose to distribute the artifact under.
- Notice: license notices and other related notices, optionally including copyright statements, that are found in the artifact.
- License Comments: comments by the SPDX document creator about relevant background references or analysis involved in determining the Concluded License.
- Declared Copyright: the copyright information that the authors of the artifact declared to apply to the artifact.
- Concluded Copyright: the copyright information that the SPDX document creator has concluded applies to the artifact.
- [Declared? Concluded?] Contributor: information added by the SPDX document creator regarding contributors to the artifact, who may or may not be copyright holders.
- Copyright Comments: comments by the SPDX document creator about relevant background references or analysis involved in determining the Concluded Copyright.
For reference, here are the licensing-relevant fields currently in the SPDX spec as of v2.2:
Creation Info:
- 2.2: Data License
- 2.7: License List Version
Package:
- 3.13: Concluded License
- 3.14: All Licenses Information from Files
- 3.15: Declared License
- 3.16: Comments on License
- 3.17: Copyright Text
- 3.23: Package Attribution Text
File:
- 4.5: Concluded License
- 4.6: License Information in File
- 4.7: Comments on License
- 4.8: Copyright Text
- 4.13: File Notice
- 4.14: File Contributor
- 4.15: File Attribution Text
Snippet:
- 5.5: Snippet Concluded License
- 5.6: License Information in Snippet
- 5.7: Snippet Comments on License
- 5.8: Snippet Copyright Text
- 5.11: Snippet Attribution text
Other License Information:
- 6.1: License Identifier
- 6.2: Extracted Text
- 6.3: License Name
- 6.4: License Cross Reference
- 6.5: License Comment
A few initial reactions to the proposal mentioned above:
- Strongly in favor of aligning on Declared License and Concluded License for all artifact types.
- I note that this proposal gets rid of the "All licenses information" fields, which were previously just a list of all license identifiers without "AND", "OR", etc. I'm good with getting rid of these fields, but query whether any tool developers have a use for this.
- I'm less convinced that Distributed License makes sense. It seems like the idea is to distinguish between an inbound vs. an outbound license, particularly where e.g. a third party component under something like `BSD-3-Clause OR GPL-2.0-or-later` is being redistributed under just `GPL-2.0-or-later`. But in practice, I am having trouble articulating the use case where this is not appropriately handled by just the Concluded License. Warrants more discussion; I'm willing to be convinced but I'm not there yet.
- This would add a new Concluded Copyright field, separate from Declared Copyright. Is this appropriate / useful? If so, what should its contents consist of? Presumably this would be relevant where e.g. a copyright holder has not put a copyright notice, but the SPDX document creator wants to document that they are a copyright holder; would this be done using something that looks like a copyright notice, or just free text, or some sort of more complex identities structure?
- I know that `File Contributor` is a part of the pre-3.0 spec. Is it more appropriate to be in the licensing profile, or something else like provenance? It isn't necessarily tied to copyright ownership, and it might be equally or more relevant to other use cases outside the licensing world, so this might not be the right profile for it.
I think that @tsteenbe @kestewart @iamwillbar @goneall have all been involved in the proposal mentioned above -- tagging them here for visibility so they can weigh in! Others should feel free to speak up also, of course; I wasn't involved in drafting the initial proposal above, so I'm not sure who else was.
Also tagging @jlovejoy @pmadick for visibility from the legal team side.
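As an added illustration (not part of the original issue and not SPDX project code) of two points raised above, the pre-3.0 "All Licenses Information" list versus a full expression, and a `BSD-3-Clause OR GPL-2.0-or-later` component concluded as `GPL-2.0-or-later`, here is a small Python parser for 2.x-style license expressions. It assumes a simplified grammar in which WITH exceptions and -or-later version ranges are treated as opaque identifier text rather than evaluated.

```python
import re

# Added example (not SPDX project code). Assumed simplification: WITH exceptions and
# "-or-later" version ranges are treated as opaque identifier text rather than evaluated.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def parse(expr):
    """Recursive-descent parse into nested tuples; OR binds looser than AND."""
    tokens, pos = TOKEN_RE.findall(expr), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def primary():
        tok = take()
        if tok != "(":
            return tok
        node = or_expr()
        assert take() == ")", "unbalanced parenthesis in %r" % expr
        return node
    def and_expr():
        node = primary()
        while peek() == "AND":
            take()
            node = ("AND", node, primary())
        return node
    def or_expr():
        node = and_expr()
        while peek() == "OR":
            take()
            node = ("OR", node, and_expr())
        return node
    tree = or_expr()
    assert peek() is None, "trailing tokens in %r" % expr
    return tree

def license_ids(tree):
    """Flat identifier set: what the pre-3.0 'All Licenses Information' field listed."""
    return {tree} if isinstance(tree, str) else license_ids(tree[1]) | license_ids(tree[2])

def choices(tree):
    """Each frozenset is one set of licenses a recipient may elect to comply with."""
    if isinstance(tree, str):
        return {frozenset([tree])}
    left, right = choices(tree[1]), choices(tree[2])
    return left | right if tree[0] == "OR" else {a | b for a in left for b in right}

def concluded_is_consistent(declared, concluded):
    """True when each alternative the concluded expression offers covers one the declared permits."""
    permitted = choices(parse(declared))
    return all(any(c >= d for d in permitted) for c in choices(parse(concluded)))
```

The flat `license_ids` output loses the OR/AND structure, which is exactly why it cannot tell a permitted choice from a conflicting one; `concluded_is_consistent` needs the parsed expression.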
@swinslow and @jlovejoy are working on a first draft of the consolidation of fields, to then be presented to the legal team and on a joint tech/legal call.
Just to update this issue: we had several joint calls in 2020 to discuss and resolve many of the questions and issues raised here. Meeting minutes can be found at:
- https://github.com/spdx/meetings/blob/main/joint/2020-09-29.md
- https://github.com/spdx/meetings/blob/main/joint/2020-10-08.md
The working draft we used for discussion, which contains many comments re: decisions, etc., can be seen here: https://docs.google.com/document/d/1k_2tSlFXvW_SbW-I1DcSEoCNBMQJd4FEFIQr6KCJuyU/edit#heading=h.wm4ivu55l9q0
@swinslow then converted what we came up with from these discussions into #503 (which reflects the format as we understood it at that time)
Now that we have a new format and repo for SPDX 3.0 at https://github.com/spdx/spdx-3-model - @swinslow to create a PR there to convert the above into the new/current format. We will then close this issue and discuss or iterate there for any new issues.
I believe this has all been decided, so closing this issue.
@swinslow if you disagree, please open a new issue to track anything that needs to be fixed.
Agree - the licensing-related profiles in spdx-3-model for 3.0 reflect the outcome of this issue, so +1 to closing. Thank you @goneall!