SPDX License Identifier Only and Full Copy?
Chris Johns
chrisj at rtems.org
Fri Feb 21 01:15:51 UTC 2020
On 21/2/20 12:11 pm, Joel Sherrill wrote:
>
>
> On Thu, Feb 20, 2020, 3:49 PM Chris Johns <chrisj at rtems.org
> <mailto:chrisj at rtems.org>> wrote:
>
> On 21/2/20 3:20 am, Gedare Bloom wrote:
> > On Thu, Feb 20, 2020 at 12:58 AM Thomas Doerfler
> > <thomas.doerfler at embedded-brains.de
> <mailto:thomas.doerfler at embedded-brains.de>> wrote:
> >>
> >> Hello,
> >>
> >> I just want to speak up here. I talked with Sebastian today and I really
> >> tend to keep the license text in each file.
> >>
> >> Rational:
> >>
> >> - With the BSD license, anyone can pick any file from the RTEMS repo and
> >> use/modify it in any project (and this is fine). The original authors
> >> (and their copyright) are listed in the file, but the only pointer to
> >> the legal part is the "SPDX identifier". I am not sure whether this is a
> >> legally binding "tag" and whether this tag is clear to any user.
> >>
> >> - Strictly seen, it is not even forbidden to remove the "SPDX
> >> identifier", because it is not part of the BSD-2-clause-license, it's
> >> just a pointer to it. In the end we might result in code drifting around
> >> without license information, which we all do not want to see.
> >>
> > This is a valid point. I also have no desire to be a lawyer.
> >
> > My intuition here is that, even without any licensing information at
> > all in individual files, one can still apply a single license to an
> > entire repository, e.g., BSD or GPL. For historical reasons, and
> > similar arguments as you've made, BSD-style licenses have tended to be
> > copy-pasted to individual files to make them easier to excerpt. We
> > don't have license uniformity, so we do need to individually specify
> > which license(s) apply to each file.
>
> This makes sense. The simplified BSD license states ...
>
> 1. Redistributions of source code must retain the above copyright
> notice, this list of conditions and the following disclaimer.
>
> I do not see how we can centralise this and have the "above copyright" work?
> Also the SPDX site here ...
>
> https://spdx.org/ids-how
>
> ... under the heading "Standard license headers" states ...
>
> When a license defines a recommended notice to attach to files
> under that license (sometimes called a "standard header"), the SPDX
> project recommends that the standard header be included in the files,
> in addition to an SPDX ID.
>
> My reading of this means we should include the license in the source.
>
> We need to consider compliance and machine auditing of the source. The SPDX tag
> is important. Maybe ...
>
> /*
> * SPDX tag suff
> */
> /*
> * Copyright stuff
> *
> * 2-Clause BSD license
> */
>
> > Linux follows a similar philosophy as Sebastian suggests. I think we
> > can also follow Linux in this regards.
> > https://www.kernel.org/doc/html/latest/process/license-rules.html
> >
> > I would suggest we follow their approach to self-document the licenses
> > centrally. I suspect the risk of someone using code without adhering
> > to the license is no greater. Probably they have a higher risk
> > exposure than we do!
>
> I agree with the comments in the Linux license rules text about license text in
> files making it harder to check for compliance.
>
>
> Following Linux is probably a safe approach. I assume there was significant
> legal review of their policy.
Does the Linux kernel rules apply to the 2 clause BSD license we have?
Chris
More information about the devel
mailing list