lein-licenses
"Public Domain" is not a license, and should not be reported as such
"Public Domain" is not a license, and so shouldn't be reported as such (see this post for details).
While not wanting to propose or suggest any particular solution, one possibility might be to convert the fallback mechanism into an override mechanism, so that any "Public Domain" licenses can be overridden on a library-by-library basis with the correct alternative.
A lot of greglook's libraries, for example, are reported by lein-licenses as "Public Domain" but are actually licensed using The Unlicense. If the fallbacks were an override, this could be overridden on a case-by-case basis.
May I ask what your use case is?
Reading the blog post, I see
> Any legal judgments required when dealing with open source – regarding ownership, infringement, compliance, breach, etc. – are necessarily left to individual users and their legal counsel.
which is exactly what this library was built for: to collect information on code ownership for legal & compliance purposes. Because of that, Public Domain seems like a valid option.
> are reported by lein-licenses as "Public Domain" but are actually licensed using The Unlicense.
Again, it looks like these two are the same in this case, especially considering that the author himself decided to use them ~interchangeably.
Finally, overloading fallbacks doesn’t sound right to me. Even if there is a reason to introduce overrides, I believe they should be contained to a separate mechanism.
My use case is that I work for an Open Source software foundation, and we have to validate the licenses of all inbound contributions (including transitive dependencies) before we can legally accept them. We have good coverage across a number of popular languages already, and had hoped to use lein-licenses to assist us in validating Clojure+leiningen projects. Note that our validations always involve people - all we use lein-licenses and similar tools for is to extract the license(s) from a given work.
The issue with Public Domain is that it is not a license - it's a legally distinct concept that has nothing to do with licensing. Worse, Public Domain happens to be legally dubious - point 4 of the referenced article sums this up nicely (emphasis added):
> As a result of this lack of uniformity, attempts to make Public Domain grants are at this time largely ad hoc, and vary widely in approach. They range from simple statements (“this work is hereby placed in the Public Domain”) to extensive claims about signed affidavits from all contributors disclaiming ownership over their work. More confusingly, some supposed “Public Domain” grants are actually worded like licenses, and appear to retain rights and grant permissions. In other words, it is difficult for third parties and downstream recipients to really know if – and to what extent – such claims over the change in legal status of a work are valid, enforceable, revocable, etc., and making such determinations is largely a legal judgment call.
In our case, our legal counsel (who happens to be an Open Source licensing specialist) has advised us that Public Domain statements are irrelevant - we are to look for and validate licenses only. This is not at all unusual btw - the Linux Foundation takes much the same approach (as demonstrated by the SPDX Linux Collaborative Project).
greglook's libraries are a great example of where lein-licenses gives us a false negative - it reports that those libraries are licensed with "Public Domain", which happens to be both legally nonsensical ("Public Domain" is not a license), and an incomplete picture of what's actually going on. Those libraries are both granted to the Public Domain and licensed with The Unlicense (one of many perfectly reasonable combinations), and it's the latter that we're interested in knowing (since it has legal relevance).
I should note that issue #4 is potentially another way to resolve this - if lein-licenses reported on all available licenses (ideally using SPDX 2.0 license expressions) as well as "Public Domain", then we could ignore "Public Domain" at our leisure.
A similar issue is showing up for [org.ow2.asm/asm-all "4.2"], which lein-licenses reports as BSD, when in fact it's BSD-3-Clause (to use the SPDX license identifier). There is no such license as BSD (it's a family of differing licenses), and currently lein-licenses doesn't provide a way to force an override to the correct BSD variant (i.e. 3 clause).