SPDX License Identifier Only and Full Copy?

Fri Feb 21 08:31:10 UTC 2020

Hello,

I think the GPL and the BSD licenses had a different approach from the
start:
- GPL always came with a separate "COPYING" file (and the GPL sources
pointed to it)
- BSD always/most of the times was included in the headers

Lokking at how the linux kernel team handles this therefore only has a
limited weight. So I tend to keep the BSD license text in the source
code files.

Keep in mind: We want to make sure the license topic is properly handled
and clear. What is the harm to be conservative here and spend some extra
lines of header in the files?

Kind regards,
Thomas.

Am 21.02.20 um 02:15 schrieb Chris Johns:
> 
> 
> On 21/2/20 12:11 pm, Joel Sherrill wrote:
>>
>>
>> On Thu, Feb 20, 2020, 3:49 PM Chris Johns <chrisj at rtems.org
>> <mailto:chrisj at rtems.org>> wrote:
>>
>>     On 21/2/20 3:20 am, Gedare Bloom wrote:
>>     > On Thu, Feb 20, 2020 at 12:58 AM Thomas Doerfler
>>     > <thomas.doerfler at embedded-brains.de
>>     <mailto:thomas.doerfler at embedded-brains.de>> wrote:
>>     >>
>>     >> Hello,
>>     >>
>>     >> I just want to speak up here. I talked with Sebastian today and I really
>>     >> tend to keep the license text in each file.
>>     >>
>>     >> Rational:
>>     >>
>>     >> - With the BSD license, anyone can pick any file from the RTEMS repo and
>>     >> use/modify it in any project (and this is fine). The original authors
>>     >> (and their copyright) are listed in the file, but the only pointer to
>>     >> the legal part is the "SPDX identifier". I am not sure whether this is a
>>     >> legally binding "tag" and whether this tag is clear to any user.
>>     >>
>>     >> - Strictly seen, it is not even forbidden to remove the "SPDX
>>     >> identifier", because it is not part of the BSD-2-clause-license, it's
>>     >> just a pointer to it. In the end we might result in code drifting around
>>     >> without license information, which we all do not want to see.
>>     >>
>>     > This is a valid point. I also have no desire to be a lawyer.
>>     >
>>     > My intuition here is that, even without any licensing information at
>>     > all in individual files, one can still apply a single license to an
>>     > entire repository, e.g., BSD or GPL. For historical reasons, and
>>     > similar arguments as you've made, BSD-style licenses have tended to be
>>     > copy-pasted to individual files to make them easier to excerpt. We
>>     > don't have license uniformity, so we do need to individually specify
>>     > which license(s) apply to each file.
>>
>>     This makes sense. The simplified BSD license states ...
>>
>>      1. Redistributions of source code must retain the above copyright
>>         notice, this list of conditions and the following disclaimer.
>>
>>     I do not see how we can centralise this and have the "above copyright" work?
>>     Also the SPDX site here ...
>>
>>      https://spdx.org/ids-how
>>
>>     ... under the heading "Standard license headers" states ...
>>
>>      When a license defines a recommended notice to attach to files
>>      under that license (sometimes called a "standard header"), the SPDX
>>      project recommends that the standard header be included in the files,
>>      in addition to an SPDX ID.
>>
>>     My reading of this means we should include the license in the source.
>>
>>     We need to consider compliance and machine auditing of the source. The SPDX tag
>>     is important. Maybe ...
>>
>>     /*
>>      * SPDX tag suff
>>      */
>>     /*
>>      * Copyright stuff
>>      *
>>      * 2-Clause BSD license
>>      */
>>
>>     > Linux follows a similar philosophy as Sebastian suggests. I think we
>>     > can also follow Linux in this regards.
>>     > https://www.kernel.org/doc/html/latest/process/license-rules.html
>>     >
>>     > I would suggest we follow their approach to self-document the licenses
>>     > centrally. I suspect the risk of someone using code without adhering
>>     > to the license is no greater. Probably they have a higher risk
>>     > exposure than we do!
>>
>>     I agree with the comments in the Linux license rules text about license text in
>>     files making it harder to check for compliance.
>>
>>
>> Following Linux is probably a safe approach. I assume there was significant
>> legal review of their policy.
> 
> Does the Linux kernel rules apply to the 2 clause BSD license we have?
> 
> Chris
> 

-- 
--------------------------------------------
embedded brains GmbH
Thomas Doerfler
Dornierstr. 4
D-82178 Puchheim
Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18 94 741-12
Fax:   +49-89-18 94 741-09
PGP: Public key available on request.
For our privacy statement, see
https://embedded-brains.de/en/data-privacy-statement/