Re: Draft License Policy Changes for SPDX

From: Warner Losh <imp_at_bsdimp.com>
Date: Sat, 23 Oct 2021 04:13:35 UTC
Hello,

I plan on moving forward with this and will find competent legal review in
appropriate locations. I will be back once that's complete with a summary of
any changes required.

Warner

On Fri, Sep 10, 2021 at 8:24 AM Warner Losh <imp@bsdimp.com> wrote:

> Greetings,
>
> I've been circulating a draft project policy expanding SPDX license
> marking in the base system. Most projects in the open source world have
> moved to having a copyright and SPDX-License-Identifier in the source files
> (aka SPDX-only files) with the license understood from context, policy and
> industry practice. The goal of my draft is to allow SPDX-only files, while
> coping with our long legacy. I'm also trying to consolidate multiple
> policy-like statements in our documentation into one place.
>
> Originally, we had a license in every file and there was a fair amount of
> variation between them. A few years ago we started marking some files with
> SPDX-License-Identifier lines to assist automated tools discovering
> licenses. In addition, the ports license infrastructure uses these
> identifiers for third party software that we install there. Even without a
> formal policy, several SPDX-only files exist in base imported from other
> projects.
>
> The draft policy formalizes our current practices. It updates the
> project's policy to explicitly allow SPDX-only files. It documents industry
> and FreeBSD project practice. Hundreds of other open source projects have
> been using it for years. The FreeBSD project has had SPDX-only files for
> many years. A formal policy for how to interpret SPDX-only markings will
> provide clarity and improve certainty about their meaning.
>
> I've consulted with many people that have experience integrating software
> into FreeBSD with some knowledge of licenses. I've also talked to the SPDX
> lawyers for their justification for SPDX-only as well as what we do for our
> mixed situation. I've chatted informally with an IP lawyer not connected
> with SPDX for their views. I've surveyed other projects for what they do.
> All of this has informed the draft.
>
> The summary of the changes is actually rather simple:
>  1. If a file has both a SPDX-License-Identifier and the full text of a
> license, the full text takes precedence.
>  2. If a file is SPDX-only, then the license text is from the SPDX
> database with details on how to fill in the blanks if needed.
>  3. Do not move any full-text or mixed files in the tree to SPDX-only
> unless you are the copyright holder or acting on their behalf.
>
> I've created a review for the policy. https://reviews.freebsd.org/D29543
> has the changes for the new policy. As we'll want to check copies of the
> text of the licenses into the tree for compliance with SPDX and adjacent
> standards, I'll prepare a diff for that too once things are a bit more
> along.
>
> I'm calling for feedback before I give this to the lawyers to approve. I'd
> thought I had a lawyer lined up to review this over the summer, but that
> seems to have fallen through. I'm lining up someone new in parallel.
> There's an outstanding issue around slight wording differences between our
> license and the SPDX database that I need to resolve with the lawyer, as
> well as having them review the policy so that it's unambiguous how one
> discovers the license for an SPDX-only file.
>
> Information about the SPDX project can be found at https://spdx.org. The
> specification can be found at https://spdx.github.io/spdx-spec/.
>
> Thanks!
>
> Warner
>
> P.S. SPDX is now an ISO standard! It was approved yesterday:
> https://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
> has more information.
>