chicken-hackers

Re: Use SPDX license identifiers to indicate licenses?


From: Mario Domenech Goulart
Subject: Re: Use SPDX license identifiers to indicate licenses?
Date: Mon, 26 Oct 2020 18:37:09 +0100

Hi Lassi,

On Mon, 26 Oct 2020 15:25:48 +0200 Lassi Kortela <lassi@lassi.io> wrote:

> [Discussion moved from janitors to hackers]
>
> On 26.10.2020 14.46, Mario Domenech Goulart wrote:
>>
>> On Mon, 26 Oct 2020 14:23:00 +0200 Lassi Kortela <lassi@lassi.io> wrote:
>>
>>> SPDX license identifiers are becoming something of a de facto
>>> standard, being used e.g. in Linux kernel source code. Here is the
>>> full list of them: <https://spdx.org/licenses/>.
>>>
>>> Would it be possible to update the ad hoc license identifiers at
>>> <https://wiki.call-cc.org/chicken-projects/egg-index-5.html> and in
>>> .egg files to use the SPDX ones? This would make it easier to tell the
>>> difference between e.g. the various flavors of the BSD license, and
>>> could help automated tools figure out licensing in the future.
>>>
>>> In addition to single license identifiers, SPDX can also do license
>>> expressions by combining license identifiers using boolean operators.
>>
>> I think that would be great.
>
> Nice. I agree with this bit from the IRC logs:
>
> <sjamaan> We could make it an absolute requirement to use a SPDX
> identifier in CHICKEN 5
> <sjamaan> For example, henrietta-cache and/or chicken-install could
> simply refuse if no identifier is found

I'm not sure chicken-install would be the right place to validate the
license field, as it would add a dependency on the SPDX database to the
core tools.  Also, we'd need some code to interpret SPDX expressions,
which to the best of my knowledge doesn't exist for Scheme (yet).

I think a good start would be recommending that egg authors use SPDX
identifiers in the license field of their eggs.  We can progressively
add more strict checks against the version identifiers in our daily test
runs [1] as we get more tools to do that. By using that approach we'd
also free the core tools from the dependency on the SPDX database.

Our daily test runs already perform some very primitive checks related
to licenses:

* check whether the license field is specified at all (some eggs don't
  even do that)

* check whether we have GPL violations (e.g., a BSD egg which has a GPL
  in its dependency chain) -- that's pretty much guessology, as we don't
  have a standard to specify licenses.

Results of those checks are reported in the "Warnings" section of
salmonella reports (e.g., [2] -- using the report for CHICKEN 4 eggs as
example because it has a more diverse set of cases).

Not really a check, but the license of eggs is also displayed in the
graphical representation of the dependency graphs of eggs (e.g. [3]).
That can be useful for egg users who are concerned about the licenses
they use.

> From experience: large projects have the same issues with license
> choice and license indication as they do with coding style. There are
> always a few authors who'd like to use some esoteric license or mark
> it up in some non-standard way (as with coding style, there's always
> someone who dislikes feature X of code formatter Y). But that means
> other people have to eventually spend a lot of time figuring out the
> idiosyncrasies. As with coding style, it's easier to stick to standard
> rules.
>
> The SPDX license list has so many licenses that there's bound to be
> one to anyone's liking, and the work they did in coining standard
> identifiers for all of them greatly simplifies dealing with large
> volumes of source code that originate from many different places.

Indeed.  I think SPDX is probably the best standard if we do want to go
in the direction of checking licenses.  In the exceptional cases where
the license cannot be found in the SPDX database, we can always require
the license file to be somehow linked to the identifier used in the
`license` field in the .egg file.  Something like:

  (license "MSL" "my-special-license.txt")

Currently the format is

  (license <id>)

where <id> is a free string.  We could support a second field to specify
a file that must exist in the source code of the egg, as checked out by
chicken-install.

> In fact, in SRFI we also have this problem: pretty regularly someone
> is doing detective work trying to figure out where some file in a
> reference implementation came from and how it is licensed.

I asked John Cowan that question myself. :-)

[1] https://tests.call-cc.org/
[2] https://salmonella-linux-x86-64.call-cc.org/chicken-4-debugbuild/gcc/linux/x86-64/2020/10/25/salmonella-report/
[3] https://salmonella-linux-x86-64.call-cc.org/chicken-4-debugbuild/gcc/linux/x86-64/2020/10/25/salmonella-report/dep-graphs/spiffy.html

All the best.
Mario
-- 
http://parenteses.org/mario
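
An added example, not part of the original message and not code from CHICKEN or salmonella: a Python sketch of the test-run checks discussed above (license field present; identifier on the SPDX list, or else the proposed second field naming a file that exists in the egg source). Assumptions: `SPDX_IDS` is a constructed subset of the SPDX list, `read_sexpr` and `check_license` are hypothetical names, the .egg file is read as one list of `(key value ...)` forms, and SPDX expressions are not interpreted, only single identifiers.

```python
import os
import re

# Constructed subset of the SPDX license list, for illustration only; a real
# check would load the full list published at https://spdx.org/licenses/.
SPDX_IDS = {"BSD-2-Clause", "BSD-3-Clause", "MIT", "GPL-2.0-only", "GPL-3.0-or-later"}
# Constructed sample input using the two-field form proposed in the message.
SAMPLE_EGG = '((synopsis "demo") (license "MSL" "my-special-license.txt"))'

# Strings first, so a ';' or parenthesis inside a string is not misread.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|;[^\n]*|\(|\)|[^\s()";]+')

def read_sexpr(text):
    """Parse the first s-expression in text into nested lists of strings."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):  # Scheme line comment
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    if len(stack) != 1 or not stack[0]:
        raise ValueError("incomplete or empty s-expression")
    return stack[0][0]

def check_license(egg_text, egg_dir):
    """Return a list of warnings for the license field of one .egg file."""
    fields = [f for f in read_sexpr(egg_text) if isinstance(f, list) and f]
    lic = next((f for f in fields if f[0] == "license"), None)
    if lic is None or len(lic) < 2 or not all(isinstance(x, str) for x in lic[1:]):
        return ["license field not specified or malformed"]
    ident, files = lic[1], lic[2:]
    if ident in SPDX_IDS:
        return []
    if not files:
        return [f"'{ident}' is not a known SPDX identifier and names no license file"]
    root = os.path.realpath(egg_dir)
    path = os.path.realpath(os.path.join(root, files[0]))
    # The file name comes from the egg author: keep it inside the checkout.
    if os.path.commonpath([root, path]) != root:
        return [f"license file '{files[0]}' points outside the egg source"]
    if not os.path.isfile(path):
        return [f"license file '{files[0]}' not found in the egg source"]
    return []
```

Calling `check_license(SAMPLE_EGG, egg_dir)` returns an empty list only when `my-special-license.txt` exists inside `egg_dir`; an ad hoc identifier such as "BSD" with no file yields a warning.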


