Draft License Policy Changes for SPDX

From: Warner Losh <imp_at_bsdimp.com>
Date: Fri, 10 Sep 2021 08:24:22 -0600
Greetings,

I've been circulating a draft project policy expanding SPDX license marking
in the base system. Most projects in the open source world have moved to
having a copyright and SPDX-License-Identifier in the source files (aka
SPDX-only files) with the license understood from context, policy and
industry practice. The goal of my draft is to allow SPDX-only files, while
coping with our long legacy. I'm also trying to consolidate multiple
policy-like statements in our documentation into one place.

Originally, we had a license in every file and there was a fair amount of
variation between them. A few years ago we started marking some files with
SPDX-License-Identifier lines to assist automated tools discovering
licenses. In addition, the ports license infrastructure uses these
identifiers for third party software that we install there. Even without a
formal policy, several SPDX-only files exist in base imported from other
projects.

The draft policy formalizes our current practices. It updates the project's
policy to explicitly allow SPDX-only files. It documents industry and
FreeBSD project practice. Hundreds of other open source projects have been
using it for years. The FreeBSD project has had SPDX-only files for many
years. A formal policy for how to interpret SPDX-only markings will provide
clarity and improve certainty about their meaning.

I've consulted with many people that have experience integrating software
into FreeBSD with some knowledge of licenses. I've also talked to the SPDX
lawyers for their justification for SDPX-only as well as what we do for our
mixed situation. I've chatted informally with an IP lawyer not connected
with SPDX for their views. I've surveyed other projects for what they do.
All of this has informed the draft.

The summary of the changes are actually rather simple:
 1. If a file has both a SPDX-License-Identifier and the full text of a
license, the full text takes precedence.
 2. If a file has only SDPX-only, then the license text is from the SPDX
database with details on how to fill in the blanks if needed.
 3. Do not move any full-text or mixed files in the tree to SPDX-only
unless you are the copyright holder or acting on their behalf.

I've created a review for the policy. https://reviews.freebsd.org/D29543
has the changes for the new policy. As we'll want to check copies of the
text of the licenses into the tree for compliance with SPDX and adjacent
standards, I'll prepare a diff for that too once things are a bit more
along.

I'm calling for feedback before I give this to the lawyers to approve. I'd
thought I had a lawyer lined up to review this over the summer, but that
seems to have fallen through. I'm lining up someone new in parallel.
There's an outstanding issue around slight wording differences between our
license and the SPDX database that I need to resolve with the lawyer, as
well as having them review the policy so that it's unambiguous how one
discovers the license for an SPDX-only file.

Information about the SPDX project can be found at https://spdx.org. The
specification can be found at https://spdx.github.io/spdx-spec/.

Thanks!

Warner

P.S. SDPX is now an ISO standard! It was approved yesterday:
https://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
has more information.
Received on Fri Sep 10 2021 - 14:24:22 UTC

Original text of this message