SPDX License indicators


#1

I’m writing this because apparently the opendesktop team is trying to be very correct about licensing and encouraging people to care about this topic more.
There is a lot of confusion in general about licensing, why it is necessary (or not), the ups and downs but foremost: the written implementation of a chosen license.
There are a thousand different ways documented using different wordings, abbreviations and forms to write out different licenses.
This is one of the very disappointing facts that make the license jungle so dense and confusing.

I myself did a few login screens recently, so at least I have to:

  1. Choose a license for my project (difficult)
  2. Include that license as a stand-alone file in my project (easy)
  3. Comment all of my projects files accordingly (average, depending on the license)
  4. Mark or flag the license in a short form on each platform that it appears on and depending on the project in a separate file, like a JSON or INI file (easy, but…you get the point…)
  5. Sometimes other small details

The fourth one is where there is very little consistency throughout the whole internet, when in reality there is a standard called SPDX, which stands for Software Package Data Exchange®, that tries to be:

“[…] an open standard for communicating software bill of material information (including components, licenses, copyrights, and security references).”

Let’s take the GNU General Public License as an example:

To start off, the current version of the GNU General Public License is three (3).
Now this implies that there are other versions out there, and in fact you will find a bunch of programs licensed with version two (2) or maybe even one (1). But this only really exists because at one point, in the past, the version of the GNU Public License was actually two and, earlier, one. Projects licensed with the GNU General Public License can explicitly choose to be compatible with future versions of the license. This makes for a huge difference. If you wanted to add in any way to a project which was published with version 2 and version 2 only, then you would have to choose version two as well for your additions.
This mechanism still exists, so if you publish a project with version three only, it will not include a future version four, that is, if one ever exists.

A problem arises when you flag your project, let’s say with GPLv3 for example, or GPL3 or GPL-3 or GNU-GPL or GNU-GPL-3 or any other weird combination. There is no real indicator of whether you are giving the right to be compatible with future versions of the license or whether people will have to keep using version three when adding to your project.

This may seem ridiculous to some, but in reality the creator of the GNU Public License and pioneer of the copyleft concept, Richard Stallman, wrote a dedicated blog entry about this to make this issue very clear.

The SPDX license indicators try to normalize this jungle and we all should care for it if only for the sake of the creator of free software licensing.

So, first of all, get this straight: if you use the GPL you need to choose as well whether it is including or excluding possible future versions of the license, and flag your project accordingly with the SPDX license indicator: GPL-3.0-only or GPL-3.0-or-later, for instance, for version three of the license.

This applies to other licenses as well, and the team of opendesktop should take this into account on opendesktop everywhere people need to choose or read short forms of licensing terms. That is, apparently, the drop-down when creating a project or the side bar with project details in the project view, for example. The more this is used correctly, the less confusion it will generate.

Let’s everybody use SPDX right!
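Steps 2 to 4 of the post (per-file license comments and a short-form tag in a metadata file) are exactly what a small checker can enforce. The script below is an added example, not code from the post or from opendesktop: it scans file contents for an `SPDX-License-Identifier:` tag, accepts canonical identifiers from a (deliberately short, assumed) subset of the SPDX License List, flags the informal spellings the post complains about (GPLv3, GPL-3, GNU-GPL-3 and the like), and also flags the deprecated SPDX short forms GPL-3.0 and GPL-3.0+ that predate the -only / -or-later suffixes and so leave the "future versions" question open. The sample project files are constructed inline.

```python
"""Lint SPDX-License-Identifier headers for the -only / -or-later ambiguity.

Added example, not part of the original post. VALID_IDS is an assumed
subset of the SPDX License List; extend it for a real project.
"""
import re

# Assumed subset of the current SPDX License List.
VALID_IDS = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
    "MIT", "Apache-2.0", "BSD-3-Clause",
}

# Identifiers SPDX deprecated because they do not say whether later
# versions are allowed (the "+" forms do say so, but are deprecated too).
DEPRECATED = {
    "GPL-2.0": "GPL-2.0-only or GPL-2.0-or-later",
    "GPL-2.0+": "GPL-2.0-or-later",
    "GPL-3.0": "GPL-3.0-only or GPL-3.0-or-later",
    "GPL-3.0+": "GPL-3.0-or-later",
    "LGPL-2.1": "LGPL-2.1-only or LGPL-2.1-or-later",
    "LGPL-2.1+": "LGPL-2.1-or-later",
    "LGPL-3.0": "LGPL-3.0-only or LGPL-3.0-or-later",
    "LGPL-3.0+": "LGPL-3.0-or-later",
    "AGPL-3.0": "AGPL-3.0-only or AGPL-3.0-or-later",
}

HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*([^\n]+)")
# Informal spellings: GPLv3, GPL3, GPL-3, GNU-GPL-3, LGPL2.1, GPL3+ ...
INFORMAL_RE = re.compile(r"^(?:GNU-?)?(AGPL|LGPL|GPL)-?V?(\d)(?:\.(\d))?(\+)?$", re.I)
OPERATORS = {"AND", "OR", "WITH"}


def parse_expression(expr):
    """Extract license identifiers from an SPDX expression.

    Handles AND / OR / parentheses and skips the exception name that
    follows WITH. Trailing comment terminators (*/ or -->) are dropped.
    """
    expr = re.split(r"\*/|-->", expr)[0].strip()
    tokens = re.findall(r"[A-Za-z0-9.+-]+|\(|\)", expr)
    ids, prev = [], None
    for tok in tokens:
        if tok in ("(", ")"):
            prev = None
            continue
        if tok.upper() in OPERATORS:
            prev = tok.upper()
            continue
        if prev == "WITH":          # exception identifier, not a license
            prev = None
            continue
        ids.append(tok)
        prev = None
    return ids


def check_identifier(ident):
    """Classify one identifier as (status, identifier, suggestion)."""
    if ident in VALID_IDS:
        return ("ok", ident, None)
    if ident in DEPRECATED:
        return ("deprecated", ident, DEPRECATED[ident])
    m = INFORMAL_RE.match(ident)
    if m:
        family, major, minor, plus = m.groups()
        base = f"{family.upper()}-{major}.{minor or '0'}"
        hint = f"{base}-or-later" if plus else f"{base}-only or {base}-or-later"
        return ("informal", ident, hint)
    return ("unknown", ident, None)


def lint_file(text):
    """Return findings for one file; a file without a tag is 'missing'."""
    m = HEADER_RE.search(text)
    if not m:
        return [("missing", None, None)]
    return [check_identifier(t) for t in parse_expression(m.group(1))]


def lint_files(files):
    """Lint a {path: contents} mapping and return {path: findings}."""
    return {path: lint_file(text) for path, text in files.items()}


# Constructed sample project: a QML login screen plus a few support files.
SAMPLE_FILES = {
    "login.qml": "// SPDX-License-Identifier: GPL-3.0-or-later\nimport QtQuick 2.0\n",
    "theme.conf": "# SPDX-License-Identifier: GPL-3.0\n[General]\nName=Login\n",
    "util.js": "// SPDX-License-Identifier: GPLv3\nfunction f() {}\n",
    "vendor/lib.js": "/* SPDX-License-Identifier: MIT OR Apache-2.0 */\n",
    "Main.java": "// SPDX-License-Identifier: GPL-2.0-only WITH Classpath-exception-2.0\n",
    "README.md": "# My login screen\n",
}

if __name__ == "__main__":
    for path, findings in lint_files(SAMPLE_FILES).items():
        for status, ident, hint in findings:
            line = f"{path}: {status}"
            if ident:
                line += f" ({ident})"
            if hint:
                line += f" -> use {hint}"
            print(line)
```

Run over a real tree by replacing `SAMPLE_FILES` with a walk that reads each source file; the same `check_identifier` can be pointed at the short-form field of a JSON or INI metadata file, since the ambiguity the post describes is identical there.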


#2

Good post!
We will look into correctly labeling and expanding the list of licenses in the near future.