On Thu, 13 Oct 2022 11:32:08 +0100, Adam Dinwoodie wrote:
On Wed, Oct 12, 2022 at 04:28:36PM -0600, Brian Inglis wrote:
On 2022-10-12 18:59 UTC, Adam Dinwoodie wrote:
> On Wed, Oct 12, 2022 at 07:58:56PM +0200, Achim Gratz wrote:
> > Adam Dinwoodie writes:
> > > ERROR: invalid hints git-filter-repo-2.38.0-1-src.hint
> > > ERROR: package 'git-filter-repo': errors in license expression: ['Unknown
license key(s): LicenseRef-inherit-git, LicenseRef-inherit-libgit2,
LicenseRef-inherit-libgit2-examples']
> > > ERROR: errors while parsing hints for package 'git-filter-repo'
> > > ERROR: error parsing /sourceware/cygwin-staging/home/Adam
Dinwoodie/noarch/release/git-filter-repo/git-filter-repo-2.38.0-1-src.hint
> > > ERROR: error while reading uploaded arch noarch packages from maintainer
Adam Dinwoodie
> > > SUMMARY: 5 ERROR(s)
> > > ```
> > > So it looks like the issue is the way I've encoded the non-standard
> > > licensing options. "LicenseRef-"(idstring) seems to be the way to
> > > encode this sort scenario, per [1] and [2], but that doesn't seem to be
> > > acceptable to calm.
> > > [1]:
https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/
> > > [2]: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
> > As it should, since "inherit-git" or any of the other variations doesn't
> > seem to be a valid license expression per the above.
> I'm trying to use "LicenseRef-inherit-git" and similar, not just
> "inherit-git", to be clear.
> From
https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/
...
> From https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
...
>
> Both of these seem to say that "LicenseRef-inherit-git" and similar is
> exactly the way to describe a license that isn't covered by the SPDX
> License List, at least unless I'm grossly misunderstanding how
> license-ref is defined in the ABNF and/or what the LICENSE value in the
> cygport file is supposed to store.
> > > Are there any suggestions about how to resolve this? I don't think I
> > > can just use the standard license strings: even if we used GPL-2.0-only
> > > in place of LicenseRef-inherit-git -- incorrect as that's the license
> > > *currently* used by Git, but the license for git-filter-repo explicitly
> > > incorporates any future OSS license Git might use -- that still leaves
> > > the problem of LicenseRef-inherit-libgit2, which is currently GPL 2.0
> > > with an exception that's not covered by any of the SPDX standard
> > > exceptions.
> > Well I think you can, the license explicitely says you can chose any of
> > them as you see fit, so you can pick one today and another tomorrow if
> > you are so inclined.
> Yes, that's true. I'm not a fan of making decisions for sub-licensees
> that I don't need to make, though; under the same logic, there would be
> no need for the "OR" syntax in SPDX at all...
AFAICS git uses BSD-3-Clause-Clear, BSL-1.0, GPL-2.0-or-later,
LGPL-2.0-or-later, and MIT, where are the exception and inherit-git/libgit2
from?
Does your inherit-git/libgit2 refer to "...under the terms of the 'git'
package..." statements, and is that kind of reference really required,
rather than just taking the reference to be the explicit licences?
Yes, exactly. Specifically, the "whatever open source licecense that
git.git or libgit2 use now or in future" part. That "now or in future"
is a significant bit of license flexibility, IMO, in the same way that
"GPLv3" and "GPLv3 or later" are significantly different license terms,
even if right now they're effectively identical.
See discussion and resolution about libgit2:
https://github.com/spdx/license-list-XML/issues/1585
there may be other similar exceptions or discussions that apply.
As I said before, I can just take Achim's suggestion of exercising my
right as a licensee to pick specific licenses from the selection
available. But I'd rather not set things up such that folk getting
their code via me do so under more restrictive license terms than if
they'd obtained the source and/or binaries directly, at least unless
there's an overwhelmingly good reason for that.
Agreed that, like SPDX, we don't want to be judging or choosing licences, just
documenting what applies: apparently why they want consistent licence texts.
For custom exceptions, and from SPDX discussion, I think you could use WITH
LicenseRef-cygwin-exception-... or similar wording, whatever is currently
preferred.
That's not my reading of the spec. Looking at the ABNF at [0], a
license-expression using a "WITH" statement has to be of the form
`simple-expression "WITH" license-exception-id`, and
`license-exception-id` can only be an SPDX-defined license identifier.
The `"LicenseRef-"(idstring)` style is only valid as a
`simple-expression`, i.e. with no "WITH" or before a "WITH".
[0]: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
From that same document:
If the applicable exception is not found on the SPDX License Exception
List, then use a single <license-ref> to represent the entire license
terms (including the exception).
That is, where a license has an exception that isn't on SPDX's exception
list, the solution is to use a single user-defined license to cover the
entire license agreement, exception and all.
(Plus, AIUI, LicenseRef-cygwin-exception-... would still be rejected by
calm, for the same reason that LicenseRef-inherit-git is rejected by
calm.)
https://github.com/spdx/license-list-XML/issues/1022
https://github.com/spdx/spdx-spec/issues/153
https://github.com/spdx/spdx-spec/issues/386
Discussions about proposal to add ExceptionRef-... decided that rules should
allow LicenseRef-exception-... or with namespace LicenseRef-cygwin-exception-...
but because both AboutCode/scancode and Fedora are mass submitting GitHub Issues
about all their licences not in the SPDX list, other issues requiring more
discussion like PD, exceptions, etc. may not be officially addressed soon.
They are now trying to fast-path issues that should not require discussion
effectively by acclaim, getting signoff from 2 lawyers and a non-lawyer, to add
to the list, reducing the volume for discussion on the list.
For those interested, issues are generated on:
https://github.com/spdx/license-list-XML/issues
which are discussed on:
https://lists.spdx.org/g/Spdx-legal
https://lists.spdx.org/g/Spdx-legal/rss
and successes archived on:
https://tools.spdx.org/app/
published in quarterly releases on:
https://github.com/spdx/license-list-XML
--
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
