From: Warner Losh
Date: Sat, 11 Sep 2021 09:57:34 -0600
Subject: Re: Draft License Policy Changes for SPDX
To: "Rodney W. Grimes"
Cc: "freebsd-arch@freebsd.org"
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
References: <202109111531.18BFVQ80005771@gndrsh.dnsmgr.net>
In-Reply-To: <202109111531.18BFVQ80005771@gndrsh.dnsmgr.net>

On Sat, Sep 11, 2021 at 9:31 AM Rodney W. Grimes <freebsd-rwg@gndrsh.dnsmgr.net> wrote:

> > Greetings,
> >
> > I've been circulating a draft project policy expanding SPDX license marking
> > in the base system. Most projects in the open source world have moved to
> > having a copyright and SPDX-License-Identifier in the source files (aka
> > SPDX-only files) with the license understood from context, policy and
> > industry practice. The goal of my draft is to allow SPDX-only files, while
> > coping with our long legacy.
> > I'm also trying to consolidate multiple
> > policy-like statements in our documentation into one place.
> >
> > Originally, we had a license in every file and there was a fair amount of
> > variation between them. A few years ago we started marking some files with
> > SPDX-License-Identifier lines to assist automated tools discovering
> > licenses. In addition, the ports license infrastructure uses these
> > identifiers for third party software that we install there. Even without a
> > formal policy, several SPDX-only files exist in base imported from other
> > projects.
> >
> > The draft policy formalizes our current practices. It updates the project's
> > policy to explicitly allow SPDX-only files. It documents industry and
> > FreeBSD project practice. Hundreds of other open source projects have been
> > using it for years. The FreeBSD project has had SPDX-only files for many
> > years. A formal policy for how to interpret SPDX-only markings will provide
> > clarity and improve certainty about their meaning.
> >
> > I've consulted with many people that have experience integrating software
> > into FreeBSD with some knowledge of licenses. I've also talked to the SPDX
> > lawyers for their justification for SPDX-only as well as what we do for our
> > mixed situation. I've chatted informally with an IP lawyer not connected
> > with SPDX for their views. I've surveyed other projects for what they do.
> > All of this has informed the draft.
> >
> > The summary of the changes is actually rather simple:
> > 1. If a file has both a SPDX-License-Identifier and the full text of a
> > license, the full text takes precedence.
> > 2. If a file has only SPDX-only, then the license text is from the SPDX
> > database with details on how to fill in the blanks if needed.
> > 3. Do not move any full-text or mixed files in the tree to SPDX-only
> > unless you are the copyright holder or acting on their behalf.
> ^^^
> There remains a slippery slope here, there can be an un-named but
> valid copyright holder in any file in our system. Due to the fact
> that Berne does not require someone to declare a copyright on work
> to in fact hold a valid copyright. I believe that the FreeBSD src
> code has a very large quantity of such code in the base system.
>
> I doubt very much there are very many files that could hold muster
> to the claim of singular copyright holder as in "the copyright holder"
> above.
>
> > I've created a review for the policy. https://reviews.freebsd.org/D29543
> > has the changes for the new policy. As we'll want to check copies of the
> > text of the licenses into the tree for compliance with SPDX and adjacent
> > standards, I'll prepare a diff for that too once things are a bit more
> > along.
> >
> > I'm calling for feedback before I give this to the lawyers to approve. I'd
> > thought I had a lawyer lined up to review this over the summer, but that
> > seems to have fallen through. I'm lining up someone new in parallel.
> > There's an outstanding issue around slight wording differences between our
> > license and the SPDX database that I need to resolve with the lawyer, as
> > well as having them review the policy so that it's unambiguous how one
> > discovers the license for an SPDX-only file.
>
> I ask that you pose 1 question to any consulted lawyer, "What is the
> 'safest' thing that the project/foundation could do here". One should
> never pose the question in the form "is this legal", as almost anything
> is legal until it isn't in the IP arena. I.e., you can get away with a
> lot, that does not make what you're doing legal. Also you might mention
> the term "separable" in the context that the copyright and SPDX tags
> and the license text itself all become separate items only attached
> by reference.

The important question to ask here is that were there to be a dispute, would
it be clear to a trial judge or arbiter what license was controlling? And
would that answer be the same worldwide? Is it clear what the license is?
That's been the thrust of the informal discussions I've had.

> > Information about the SPDX project can be found at https://spdx.org. The
> > specification can be found at https://spdx.github.io/spdx-spec/.
> >
> > Thanks!
> >
> > Warner
> >
> > P.S. SPDX is now an ISO standard! It was approved yesterday:
> > https://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
> > has more information.
>
> This is about using the tags to provide metadata, something I am all
> for, it is NOT about using a SPDX tag to replace a license in a file.
> The earlier two links talk about it.

This is indeed the metadata part of the standard that SPDX publishes.

> I would also suggest one pay particularly close attention to this
> wording and think about why GNU has these things on its "How to use
> the GPL" page:
> https://www.gnu.org/licenses/gpl-howto.en.html

The Linux kernel has thousands of files marked only with
SPDX-License-Identifiers. It does this by having the following (and more
text) in their 'process/license-rules.rst' file. This proposal is similar:

... BEGIN QUOTE
Linux kernel licensing rules
============================

The Linux Kernel is provided under the terms of the GNU General Public
License version 2 only (GPL-2.0), as provided in LICENSES/preferred/GPL-2.0,
with an explicit syscall exception described in
LICENSES/exceptions/Linux-syscall-note, as described in the COPYING file.

This documentation file provides a description of how each source file
should be annotated to make its license clear and unambiguous.
It doesn't replace the Kernel's license.
... END QUOTE

The vast majority of files no longer have the boilerplate you quoted.
And in fact, even that suggested boilerplate varies significantly from file
to file and project to project if you look at the whole body of open source.
It's one of the reasons the rest of the industry is standardizing on simple
tags: to prevent this proliferation.

> In the brief summary section bullet 5:
> Put a license notice in each file.
>
> Then later when they expand what that means:
> The license notices
>
> Each file's copying permission statement (also called the license
> notice) should come right after its copyright notices. For a one-file
> program, the statement (for the GPL) should look like this, to use GPL
> version 3 or later:
>
> This program is free software: you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
> the Free Software Foundation, either version 3 of the License, or
> (at your option) any later version.
>
> This program is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with this program. If not, see <https://www.gnu.org/licenses/>.
>
> That text is significantly MORE than a SPDX tag, or a simple "SEE COPYING".

Correct. This isn't about that, but rather following an industry standard.

Warner

> Regards,
> --
> Rod Grimes
> rgrimes@freebsd.org