From nobody Fri Sep 10 14:24:22 2021 X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B307A17B771D for ; Fri, 10 Sep 2021 14:24:34 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mail-ua1-x941.google.com (mail-ua1-x941.google.com [IPv6:2607:f8b0:4864:20::941]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4H5dRj6Txbz4Wsn for ; Fri, 10 Sep 2021 14:24:33 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: by mail-ua1-x941.google.com with SMTP id l24so1315480uai.1 for ; Fri, 10 Sep 2021 07:24:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsdimp-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=+CiLYzi2dny4AZn/QmztI9p8SUMFEx0Q5IoLsFXj0OQ=; b=qdKeh/Jkwk1xDsEmmLOgjuyxz8rcXAYnhANnlNMsCRF76h1xabyIsJE5FtQ7haxdAM YT8aLfGbk6aoNpz21Qz/LPya4KNcHhP91ovVhNBJKMKIAk4vb4tpgnZzVhY8eHcK7jDY jZ58XwbEaax/5/DF/dlDLnNIyXQuNzUhghiT8TJT9DnZrA6Nu4WvcYMIPaovkPamNciM ut8EVHISinbu1T0jtfhit3WHf3+8ZbGS1yfl1kCqawzFLjEHxmv1s3gt4RwN1/Qtwdfz U4W6STXQy74JReE2Adk8RssSdOFM8qqC/NOE7JpK+oYDwyfT/jXWJsPeikgwpcpzfVQT BLow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=+CiLYzi2dny4AZn/QmztI9p8SUMFEx0Q5IoLsFXj0OQ=; b=R259jSQSlkjVahue3uZdEbLY7H0oPpGnac8SVBQFtlLghwueMPp9LjsN8urOXnABEQ vgL875hcUm6i/QO/Sm1/aotyniW1M8CWjWkk4ytcx4FCEcBdc1vZBB0ajfVoz/OUC03v s6mU1OuccCyjENYiEKO38M04sHH1ULIlvIWzvjueR6m0xgt/rwVSSWwXv2QwrG2y5ID2 zHhOnkNCQ8O9D9GyH6tddp4+eKrlb5RbxXzMnZd6tMvQm+NH57YU4PKSK++itKDwIQt5 zgQmX19wc08PRfHVoBFrW7gJA+ex9HiUeickgZt5Qm3YdVUqlceTJUJUID7LweXXouJl WREw== X-Gm-Message-State: AOAM5326NiDTMj4n8pNaI5WXE2u24WPqmzeUR2j9vH6FSNzbiBhKX3Bw uEQDu1L4yPn0qaTYIlq35CLPCPgUMNWZto7Cdz2IXd7ySZ+QSdcRBp4= X-Google-Smtp-Source: ABdhPJxeYOpuWJ/Tix9JH7lJDC1NSYkvyT2hEN8rN/uvC6etPjZdzqfg2xWJsgARcyPHugBPt0MyaCI24/tFV5VxvF8= X-Received: by 2002:a9f:23d0:: with SMTP id 74mr5800750uao.69.1631283873062; Fri, 10 Sep 2021 07:24:33 -0700 (PDT) List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@freebsd.org MIME-Version: 1.0 From: Warner Losh Date: Fri, 10 Sep 2021 08:24:22 -0600 Message-ID: Subject: Draft License Policy Changes for SPDX To: "freebsd-arch@freebsd.org" Content-Type: multipart/alternative; boundary="000000000000c831df05cba4dfdf" X-Rspamd-Queue-Id: 4H5dRj6Txbz4Wsn X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=bsdimp-com.20150623.gappssmtp.com header.s=20150623 header.b="qdKeh/Jk"; dmarc=none; spf=none (mx1.freebsd.org: domain of wlosh@bsdimp.com has no SPF policy when checking 2607:f8b0:4864:20::941) smtp.mailfrom=wlosh@bsdimp.com X-Spamd-Result: default: False [-1.07 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; R_DKIM_ALLOW(-0.20)[bsdimp-com.20150623.gappssmtp.com:s=20150623]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-arch@freebsd.org]; DMARC_NA(0.00)[bsdimp.com]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_SPAM_SHORT(0.93)[0.926]; DKIM_TRACE(0.00)[bsdimp-com.20150623.gappssmtp.com:+]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::941:from]; TO_DN_EQ_ADDR_ALL(0.00)[]; R_SPF_NA(0.00)[no SPF record]; FORGED_SENDER(0.30)[imp@bsdimp.com,wlosh@bsdimp.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FROM_NEQ_ENVFROM(0.00)[imp@bsdimp.com,wlosh@bsdimp.com]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: Y --000000000000c831df05cba4dfdf Content-Type: text/plain; charset="UTF-8" Greetings, I've been circulating a draft project policy expanding SPDX license marking in the base system. Most projects in the open source world have moved to having a copyright and SPDX-License-Identifier in the source files (aka SPDX-only files) with the license understood from context, policy and industry practice. The goal of my draft is to allow SPDX-only files, while coping with our long legacy. I'm also trying to consolidate multiple policy-like statements in our documentation into one place. Originally, we had a license in every file and there was a fair amount of variation between them. A few years ago we started marking some files with SPDX-License-Identifier lines to assist automated tools discovering licenses. In addition, the ports license infrastructure uses these identifiers for third party software that we install there. Even without a formal policy, several SPDX-only files exist in base imported from other projects. The draft policy formalizes our current practices. It updates the project's policy to explicitly allow SPDX-only files. It documents industry and FreeBSD project practice. Hundreds of other open source projects have been using it for years. The FreeBSD project has had SPDX-only files for many years. A formal policy for how to interpret SPDX-only markings will provide clarity and improve certainty about their meaning. I've consulted with many people that have experience integrating software into FreeBSD with some knowledge of licenses. I've also talked to the SPDX lawyers for their justification for SDPX-only as well as what we do for our mixed situation. I've chatted informally with an IP lawyer not connected with SPDX for their views. I've surveyed other projects for what they do. All of this has informed the draft. The summary of the changes are actually rather simple: 1. If a file has both a SPDX-License-Identifier and the full text of a license, the full text takes precedence. 2. If a file has only SDPX-only, then the license text is from the SPDX database with details on how to fill in the blanks if needed. 3. Do not move any full-text or mixed files in the tree to SPDX-only unless you are the copyright holder or acting on their behalf. I've created a review for the policy. https://reviews.freebsd.org/D29543 has the changes for the new policy. As we'll want to check copies of the text of the licenses into the tree for compliance with SPDX and adjacent standards, I'll prepare a diff for that too once things are a bit more along. I'm calling for feedback before I give this to the lawyers to approve. I'd thought I had a lawyer lined up to review this over the summer, but that seems to have fallen through. I'm lining up someone new in parallel. There's an outstanding issue around slight wording differences between our license and the SPDX database that I need to resolve with the lawyer, as well as having them review the policy so that it's unambiguous how one discovers the license for an SPDX-only file. Information about the SPDX project can be found at https://spdx.org. The specification can be found at https://spdx.github.io/spdx-spec/. Thanks! Warner P.S. SDPX is now an ISO standard! It was approved yesterday: https://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials has more information. --000000000000c831df05cba4dfdf--