Re: Use SPDX license identifiers to indicate licenses?

[Lassi Kortela]

[Discussion moved from janitors to hackers]

On 26.10.2020 14.46, Mario Domenech Goulart wrote:
> Hi Lassi,
>
> On Mon, 26 Oct 2020 14:23:00 +0200 Lassi Kortela <lassi@lassi.io> wrote:
>
> > SPDX license identifiers are becoming something of a de facto
> > standard, being used e.g. in Linux kernel source code. Here is the
> > full list of them: <https://spdx.org/licenses/>.
> >
> > Would it be possible to update the ad hoc license identifiers at
> > <https://wiki.call-cc.org/chicken-projects/egg-index-5.html> and in
> > .egg files to use the SPDX ones? This would make it easier to tell the
> > difference between e.g. the various flavors of the BSD license, and
> > could help automated tools figure out licensing in the future.
> >
> > In addition to single license identifiers, SPDX can also do license
> > expressions by combining license identifiers using boolean operators.
>
> I think that would be great.

Nice. I agree with this bit from the IRC logs:

<sjamaan> We could make it an absolute requirement to use a SPDX 
identifier in CHICKEN 5
<sjamaan> For example, henrietta-cache and/or chicken-install could 
simply refuse if no identifier is found

From experience: large projects have the same issues with license 
choice and license indication as they do with coding style. There are 
always a few authors who'd like to use some esoteric license or mark it 
up in some non-standard way (as with coding style, there's always 
someone who dislikes feature X of code formatter Y). But that means 
other people have to eventually spend a lot of time figuring out the 
idiosyncrasies. As with coding style, it's easier to stick to standard 
rules.

The SPDX license list has so many licenses that there's bound to be one 
to anyone's liking, and the work they did in coining standard 
identifiers for all of them greatly simplifies dealing with large 
volumes of source code that originate from many different places.

In fact, in SRFI we also have this problem: pretty regularly someone is 
doing detective work trying to figure out where some file in a reference 
implementation came from and how it is licensed.

> We had a short discussion on that back in 2016, but we haven't reached
> any consensus.  IRC logs below for context.  Maybe this discussion
> should be held in chicken-hackers instead (chicken-janitors is more like
> a read-only list for keeping track of new tickets).
>
> ------------------------------8<------------------------------
>
> <sjamaan> There's also pstk
> <wasamasa> haven't noticed that one
> <wasamasa> ah, it's in the "Unsupported or redundant" section :<
> <wasamasa> at least it doesn't have a german license :D
> <mario-goulart> Oh, I remember one that had a german license in a pdf file.
> <wasamasa> yes
> <wasamasa> it looks like halfway GPL
> <sjamaan> Is this the Bremer licence?
> <sjamaan> There was a discussion about that on the mailing list once
> <wasamasa> yup
> <sjamaan> 
> http://lists.nongnu.org/archive/html/chicken-users/2008-02/msg00565.html
> <wasamasa> I'm not sure why exactly you'd put *that* on your work, especially 
> it's essentially an
>             amalgamation of previous portable tk-scheme interfaces
> <wasamasa> I think I know now why felix just wrote tcl code opening a socket 
> for communication :D
>
> <sjamaan> Also 
> http://lists.nongnu.org/archive/html/chicken-users/2010-06/msg00003.html
> <sjamaan> Apparently Bremer license is similar to BSD
> <wasamasa> how can this be if it mentions copyleft in its text?
> <sjamaan> wat
> <sjamaan> Maybe it changed
> <mario-goulart> It'd be nice if we could use SPDX ids for eggs in .meta.
> <sjamaan> We could make it an absolute requirement to use a SPDX identifier in 
> CHICKEN 5
> <sjamaan> For example, henrietta-cache and/or chicken-install could simply 
> refuse if no identifier
>            is found
> <wasamasa> "Hierzu geh<81><F6>rt vor allem, dass der Lizenznehmer bearbeitete 
> Versionen der OSCI-Bibliothek
>             wiederum diesen Lizenzbestimmungen unterstellen muss ("Copyleft")."
> <wasamasa> "This includes that the licensee must publish modified versions of 
> the library under
>             these licensing terms ("copyleft")."
> <wasamasa> maybe they just don't get their terms right, I dunno
> <wasamasa> haven't looked at it in detail
> <mario-goulart> sjamaan: +1 for SPDX ids
> <wasamasa> it contains a few interesting clauses, like that modifications to 
> the sources must have
>             an "obtrusive remark" which allows one to reconstruct what has been 
> changed at what time
>             :D
> <sjamaan> mario-goulart: One other advantage of that is that we'd be able to 
> link to the license
>            text directly from the egg list
> <wasamasa> it's as if lawyers have rediscovered version control
> <mario-goulart> sjamaan: yeah, and salmonella could better track license 
> dependencies.
> <mario-goulart> And report invalid dependencies
> <wasamasa> the institution who crafted that license put it in their "Licenses with 
> limited copyleft"
>             section: http://ifross.org/lizenz-center
> <mario-goulart> It can also be nice for products that depend on many eggs, and 
> you want to filter
>                  out some licenses
> <mario-goulart> E.g., GPL3 may be an issue for some projects.
> <Bunny351> Hm... SPDX looks like madness to me...
> <mario-goulart> Bunny351!
> <sjamaan> How so, Bunny351?
> <Bunny351> overengineered W3Cish standardisation mania.
> <sjamaan> It's just about providing a machine-readable license declaration
> <mario-goulart> OpenEmbedded uses it for its recipes and it works quite well, 
> as far as I can tell.
> <Bunny351> but "BSD" is machine readable
> <mario-goulart> Bunny351: we'djust use identifiers, like "BSD" in .meta.
> <sjamaan> I was just gonna say
> <sjamaan> The point is that you wouldn't allow something like "Berkeley"
> <evhan> What if I want to use the Burkley Software Distribution license instead?
> <Bunny351> I think most people don't care, and those who care can figure the 
> exact license out.
> <sjamaan> It's hard to figure out exactly what you're getting when you do 
> "chicken-install srfi-19"
>
> <mario-goulart> indeed.
> <sjamaan> Or "chicken-install pastiche", for that matter
> <Bunny351> there are ways to check, e.g. by looking at the egg index / 
> salmonella reports
> <sjamaan> Yeah, but that's manual and error-prone
> * Bunny351 sighs
> <Bunny351> lunch!
> <mario-goulart> And the id that egg authors use in .meta may not correctly 
> describe the actual
>                  license.  It'd be guesswork.
> <sjamaan> You can still put in the wrong identifier, of course
> <mario-goulart> Some eggs just have "GPL" in .meta.
> <sjamaan> heh
> <mario-goulart> sjamaan: in this case, that's author's reponsability.
> <mario-goulart> In practice, it wouldn't change much for egg authors, as long 
> as they know what they
>                  are soing with regard to the licenses they choose.  It's just 
> a matter of selecting
>                  the right SPDX id.
> <mario-goulart> s/soing/doing/
> <sjamaan> I agree, it's very simple and streamlines things quite a bit
> <wasamasa> no SPDX identifier for the bremer license :D
> <sjamaan> ha!
> <mario-goulart> No problem.  Just use something like "Bremer" in the .meta and 
> ship the license
>                  file.
> <mario-goulart> Weird licenses (those not covered by SPDX) are likely to be 
> less than 1% of the
>                  cases.
> <wasamasa> currently no license file is shipped, right?
> <mario-goulart> Some eggs (specially in github etc) ship a LICENSE file, IIRC.
> <mario-goulart> But it's not the norm.
> <wasamasa> yeah, that's what I mean
> <wasamasa> I've fetched a mirror of all eggs and usually there is none
> <mario-goulart> !
> <mario-goulart> Actually many of them ship a license file (e.g., fuse, git, 
> parley etc).
> <mario-goulart> But they are not _installed_.
>
> ------------------------------>8------------------------------