Date: Fri, 22 Oct 2021 22:13:35 -0600
From: Warner Losh <imp@bsdimp.com>
To: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: Re: Draft License Policy Changes for SPDX
Message-ID: <CANCZdfqYxg8Juaw0-XBEL54ejS2rFn=w_Wm7%2BPKqPaCFdT04-g@mail.gmail.com>
In-Reply-To: <CANCZdfpqdVK5M6jUkPnHwkwPYXH2A5EG6TOz6osUDuqcfxFUKg@mail.gmail.com>
References: <CANCZdfpqdVK5M6jUkPnHwkwPYXH2A5EG6TOz6osUDuqcfxFUKg@mail.gmail.com>

Hello,

I plan on moving forward with this and will find competent legal review in
appropriate locations. I will be back once that's complete with a summary
of any changes required.

Warner

On Fri, Sep 10, 2021 at 8:24 AM Warner Losh <imp@bsdimp.com> wrote:

> Greetings,
>
> I've been circulating a draft project policy expanding SPDX license
> marking in the base system. Most projects in the open source world have
> moved to having a copyright and SPDX-License-Identifier in the source files
> (aka SPDX-only files) with the license understood from context, policy and
> industry practice. The goal of my draft is to allow SPDX-only files, while
> coping with our long legacy. I'm also trying to consolidate multiple
> policy-like statements in our documentation into one place.
>
> Originally, we had a license in every file and there was a fair amount of
> variation between them. A few years ago we started marking some files with
> SPDX-License-Identifier lines to assist automated tools discovering
> licenses. In addition, the ports license infrastructure uses these
> identifiers for third party software that we install there. Even without a
> formal policy, several SPDX-only files exist in base imported from other
> projects.
>
> The draft policy formalizes our current practices. It updates the
> project's policy to explicitly allow SPDX-only files. It documents industry
> and FreeBSD project practice. Hundreds of other open source projects have
> been using it for years. The FreeBSD project has had SPDX-only files for
> many years. A formal policy for how to interpret SPDX-only markings will
> provide clarity and improve certainty about their meaning.
>
> I've consulted with many people that have experience integrating software
> into FreeBSD with some knowledge of licenses. I've also talked to the SPDX
> lawyers for their justification for SPDX-only as well as what we do for our
> mixed situation. I've chatted informally with an IP lawyer not connected
> with SPDX for their views. I've surveyed other projects for what they do.
> All of this has informed the draft.
>
> The summary of the changes is actually rather simple:
> 1. If a file has both a SPDX-License-Identifier and the full text of a
> license, the full text takes precedence.
> 2. If a file has only SPDX-only, then the license text is from the SPDX
> database with details on how to fill in the blanks if needed.
> 3. Do not move any full-text or mixed files in the tree to SPDX-only
> unless you are the copyright holder or acting on their behalf.
>
> I've created a review for the policy. https://reviews.freebsd.org/D29543
> has the changes for the new policy. As we'll want to check copies of the
> text of the licenses into the tree for compliance with SPDX and adjacent
> standards, I'll prepare a diff for that too once things are a bit more
> along.
>
> I'm calling for feedback before I give this to the lawyers to approve. I'd
> thought I had a lawyer lined up to review this over the summer, but that
> seems to have fallen through. I'm lining up someone new in parallel.
> There's an outstanding issue around slight wording differences between our
> license and the SPDX database that I need to resolve with the lawyer, as
> well as having them review the policy so that it's unambiguous how one
> discovers the license for an SPDX-only file.
>
> Information about the SPDX project can be found at https://spdx.org. The
> specification can be found at https://spdx.github.io/spdx-spec/.
>
> Thanks!
>
> Warner
>
> P.S. SPDX is now an ISO standard! It was approved yesterday:
> https://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
> has more information.
>