[RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing


Michał Górny-5
Hi,

TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
the former trigger QA warning asking the dev to double-check if it's
'GPL-2-only' or 'GPL-2+'.


GNU Licenses currently don't carry an upgrade clause -- instead, authors
are expected to decide whether they permit upgrade to newer versions of
the license in question, or require users to stick with their version of
choice.

Their decision is normally indicated in copyright notices on top
of source files.  Those that permit upgrade usually state 'either
version N of the License, or (at your option) any later version.', while
others remove the 'or...' or even replace with 'only' (sometimes
removing 'either', sometimes leaving it ;-)).

The truth is, many developers don't go that far to verify it.  Instead,
they usually look at 'COPYING' or 'LICENSE', read the version there
and put 'GPL-2', 'GPL-3' etc. in the ebuild.  It doesn't help that
GitHub does the same and shows the result as easy-to-read note on top of
repo.


For some time I've been reviewing packages I'm (co-)maintaining, as well
as proxy-maint submissions for this particular problem.  However,
surprisingly many projects actually go the 'version N only' route, even
in middle of environments that are 'N+' like Xfce.  As a result, I've
ended up rechecking the same packages over and over again to the point
of starting to add comments saying 'yes, this is GPL-2 only'.

I'd like to propose to employ a more systematic method of resolving this
problem.  I would like to add additional explicit 'GPL-n-only' licenses,
and discourage using short 'GPL-n' in favor of them.  The end result
would be three licenses per every version/variant, e.g.:

  GPL-2-only -- version 2 only
  GPL-2+     -- version 2 or newer
  GPL-2      -- might be either, audit necessary

The main idea is that we'd be able to easily find 'non-audited' packages
with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
after auditing.  While technically it would still be possible for people
to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
will help people notice that there actually is a deeper difference,
and it will still catch people who just type 'GPL-n' without looking
into the license directory.

For a start, I'd only go for adding the '-only' variants to the most
common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
FDL versions.  I don't think we need this for the long 'exception'
variants -- I suspect that if someone did research enough to notice
the exception, then most likely he would also notice the 'or newer'.


WDYT?

--
Best regards,
Michał Górny
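
An added example, not part of the original post or of any Gentoo tool: a sketch of the QA check proposed above. It flags bare GNU license names in a LICENSE string and, from copyright notices found in the sources, suggests 'GPL-n+' or the proposed 'GPL-n-only'; the function names, the regular expressions and the two sample notices are constructed for illustration.

```python
import re

# Bare names the RFC lists as first candidates for explicit '-only' variants.
AMBIGUOUS = re.compile(r"^(?:GPL-[23]|LGPL-(?:2|2\.1|3)|AGPL-3|FDL-\d+(?:\.\d+)?)$")
VERSION = re.compile(r"\bversion\s+(\d+(?:\.\d+)?)", re.I)
OR_LATER = re.compile(r"\bany\s+later\s+version\b|\bor\s+later\b", re.I)

# Constructed sample notices (not taken from any particular package).
OR_LATER_HDR = """\
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
"""
ONLY_HDR = """\
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 only,
# as published by the Free Software Foundation.
"""


def license_tokens(license_var):
    """License names in a LICENSE string, skipping '||', parentheses
    and 'flag?' USE conditionals."""
    return [t for t in license_var.split()
            if t not in ("||", "(", ")") and not t.endswith("?")]


def unaudited(license_var):
    """Bare GNU license names that would trigger the proposed QA warning."""
    return [t for t in license_tokens(license_var) if AMBIGUOUS.match(t)]


def classify_notice(header):
    """Return (version, or_later) for one source-file notice, or None."""
    # Strip comment leaders and re-join wrapped lines before matching.
    text = " ".join(re.sub(r"^[\s*#/]+", "", ln) for ln in header.splitlines())
    m = VERSION.search(text)
    if not m:
        return None
    return m.group(1), bool(OR_LATER.search(text))


def suggest(token, headers):
    """Suggest a replacement for a bare token from the notices in the sources."""
    version = token.rsplit("-", 1)[1]
    found = {c[1] for c in map(classify_notice, headers) if c and c[0] == version}
    if found == {True}:
        return token + "+"
    if found == {False}:
        return token + "-only"
    return None  # no matching notice, or the files disagree: needs a human


if __name__ == "__main__":
    var = "GPL-2 doc? ( FDL-1.2+ ) || ( LGPL-2.1 MIT )"
    print(unaudited(var))
    print(suggest("GPL-2", [OR_LATER_HDR]), suggest("GPL-2", [ONLY_HDR]))
```

A package whose files carry both kinds of notice gets no suggestion, so it stays on the list for manual review.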



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Matt Turner-5
On Sat, Sep 21, 2019 at 9:09 AM Michał Górny <[hidden email]> wrote:
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.

I think that's a good idea.


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Ulrich Mueller-2
In reply to this post by Michał Górny-5
>>>>> On Sat, 21 Sep 2019, Michał Górny wrote:

> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.

This has been discussed before. There is no such license as GPL-2-only.

Ulrich


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

William Hubbs
On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
>
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
>
> This has been discussed before. There is no such license as GPL-2-only.

I am with ulm on this one.
We have GPL-2 and GPL-2+ in the tree. The way I read this,
LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.

William



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Michael Orlitzky
In reply to this post by Michał Górny-5
On 9/21/19 12:09 PM, Michał Górny wrote:
> Hi,
>
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.
>

This works only until people start putting

  LICENSE="GPL-2-only"

for things that they haven't sufficiently verified.

If we want to let those people keep committing to the tree, then a
specially-formatted comment might work just as well. It would be harder
to QA (you'd have to parse the comment and associate it with the
variable), but it would save us from having to rename the license every
few years to catch mistakes.


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Michał Górny-5
In reply to this post by William Hubbs
On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote:

> On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > the former trigger QA warning asking the dev to double-check if it's
> > > 'GPL-2-only' or 'GPL-2+'.
> >
> > This has been discussed before. There is no such license as GPL-2-only.
>
> I am with ulm on this one.
> We have GPL-2 and GPL-2+ in the tree. The way I read this,
> LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.
>
Have you read my original mail?

--
Best regards,
Michał Górny



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Michał Górny-5
In reply to this post by Michael Orlitzky
On Sat, 2019-09-21 at 15:56 -0400, Michael Orlitzky wrote:

> On 9/21/19 12:09 PM, Michał Górny wrote:
> > Hi,
> >
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
> >
>
> This works only until people start putting
>
>   LICENSE="GPL-2-only"
>
> for things that they haven't sufficiently verified.
>
> If we want to let those people keep committing to the tree, then a
> specially-formatted comment might work just as well. It would be harder
> to QA (you'd have to parse the comment and associate it with the
> variable), but it would save us from having to rename the license every
> few years to catch mistakes.
Honestly, do you believe having the choice of 'GPL-2' and 'GPL-2-only'
people would choose the latter without actually checking the difference?
Because the way I see it, choosing the former is much more likely.

--
Best regards,
Michał Górny



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Michael Orlitzky
On 9/21/19 3:59 PM, Michał Górny wrote:
>
> Honestly, do you believe having the choice of 'GPL-2' and 'GPL-2-only'
> people would choose the latter without actually checking the difference?

I've seen twenty people do ten stupider things in the last five minutes.



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Ulrich Mueller-2
In reply to this post by Michał Górny-5
>>>>> On Sat, 21 Sep 2019, Michał Górny wrote:

> I'd like to propose to employ a more systematic method of resolving this
> problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using short 'GPL-n' in favor of them.  The end result
> would be three licenses per every version/variant, e.g.:

>   GPL-2-only -- version 2 only
>   GPL-2+     -- version 2 or newer
>   GPL-2      -- might be either, audit necessary

To elaborate a bit more on this: "GPL-2" already has that well defined
meaning that your proposed "GPL-2-only" has, namely that the package is
licensed under the GNU General Public License, version 2.

Presumably, your change would cause a long transition time, in which we
would have *three* variants for every GPL version (as well as LGPL,
AGPL, FDL), two of them with identical meaning. And after the transition
time, we would have "GPL-2-only" instead of "GPL-2", which is not only
longer but also not accurate.

Plus, it would result in paradoxical entries like "|| ( GPL-2-only
GPL-3-only )" for a package that can be distributed under GPL versions 2
or 3 but no later version.

If the goal of this exercise is to do an audit of ebuilds labelled as
"GPL-2", then a less intrusive approach (which I had already suggested
when this issue had last been discussed) would be to add a comment to
the LICENSE line, either saying "# GPL-2 only" for packages that have
been verified. Or the other way around, starting with a comment saying
that it is undecided, which would be removed after an audit. This would
have the advantage not to confuse users, and have no impact on their
ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
would have to add entries for AGPL-3-only.)

Ulrich


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Matt Turner-5
On Sat, Sep 21, 2019 at 1:58 PM Ulrich Mueller <[hidden email]> wrote:

>
> >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
>
> > I'd like to propose to employ a more systematic method of resolving this
> > problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> > and discourage using short 'GPL-n' in favor of them.  The end result
> > would be three licenses per every version/variant, e.g.:
>
> >   GPL-2-only -- version 2 only
> >   GPL-2+     -- version 2 or newer
> >   GPL-2      -- might be either, audit necessary
>
> To elaborate a bit more on this: "GPL-2" already has that well defined
> meaning that your proposed "GPL-2-only" has, namely that the package is
> licensed under the GNU General Public License, version 2.

We are all aware. But the point is to explicitly put "-only" in the
LICENSE metadata so that ebuild authors are less likely to confuse
GPL-2 vs GPL-2+.

> Presumably, your change would cause a long transition time, in which we
> would have *three* variants for every GPL version (as well as LGPL,
> AGPL, FDL), two of them with identical meaning. And after the transition
> time, we would have "GPL-2-only" instead of "GPL-2", which is not only
> longer but also not accurate.

Sure, but who cares about a long transition time? We still have EAPI=0
ebuilds in tree -- and that's okay since we can quickly and easily
tell what hasn't been transitioned!

> Plus, it would result in paradoxical entries like "|| ( GPL-2-only
> GPL-3-only )" for a package that can be distributed under GPL versions 2
> or 3 but no later version.

That paradoxical entry is pretty clear to me.

> If the goal of this exercise is to do an audit of ebuilds labelled as
> "GPL-2", then a less intrusive approach (which I had already suggested
> when this issue had last been discussed) would be to add a comment to
> the LICENSE line, either saying "# GPL-2 only" for packages that have
> been verified. Or the other way around, starting with a comment saying
> that it is undecided, which would be removed after an audit. This would

It's not a one-time audit. Michał has a history of fixing things in
ways that do not allow the issue to return. I imagine that's what
he's doing here, and it would not surprise me at all if something
could be wired into CI to help ensure this.

> have the advantage not to confuse users, and have no impact on their
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
> would have to add entries for AGPL-3-only.)

Trivial concern solved with a news item.


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

William Hubbs
In reply to this post by Michał Górny-5
On Sat, Sep 21, 2019 at 09:57:25PM +0200, Michał Górny wrote:

> On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote:
> > On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > > >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> > > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > > the former trigger QA warning asking the dev to double-check if it's
> > > > 'GPL-2-only' or 'GPL-2+'.
> > >
> > > This has been discussed before. There is no such license as GPL-2-only.
> >
> > I am with ulm on this one.
> > We have GPL-2 and GPL-2+ in the tree. The way I read this,
> > LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.
> >
>
> Have you read my original mail?
Yes, and I just did again, and my position is still the same.

William


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Matt Turner-5
In reply to this post by Matt Turner-5
On Sat, Sep 21, 2019 at 9:57 AM Matt Turner <[hidden email]> wrote:
>
> On Sat, Sep 21, 2019 at 9:09 AM Michał Górny <[hidden email]> wrote:
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
>
> I think that's a good idea.

An idea to consider: use SPDX license identifiers (see
https://spdx.org/licenses/)

For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Ulrich Mueller-2
In reply to this post by Matt Turner-5
>>>>> On Sun, 22 Sep 2019, Matt Turner wrote:

> We are all aware. But the point is to explicitly put "-only" in the
> LICENSE metadata so that ebuild authors are less likely to confuse
> GPL-2 vs GPL-2+.

I don't see how renaming could possibly help with that.

>> Plus, it would result in paradoxical entries like "|| ( GPL-2-only
>> GPL-3-only )" for a package that can be distributed under GPL
>> versions 2 or 3 but no later version.

> That paradoxical entry is pretty clear to me.

Not the same thing. "GPL-2-only+" might be clear as well, which doesn't
imply that it isn't paradoxical.

> It's not a one-time audit. Michał has a history of fixing things in
> ways that do not allow the issue to return. I imagine that's what
> he's doing here, and it would not surprise me at all if something
> could be wired into CI to help ensure this.

If it's not a one time audit, it implies that we will permanently have
three variants. This would be a lot of effort, for a tiny gain. After
all, there is absolutely no difference in ACCEPT_LICENSE filtering
between GPL-2 and GPL-2+.

> Trivial concern solved with a news item.

As I've said before, if the intent is to do a tree-wide audit, then
this should be done in a way that has no impact on users. For example,
by adding a comment, instead of changing the LICENSE variable.

Ulrich


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Ulrich Mueller-2
In reply to this post by Matt Turner-5
>>>>> On Sun, 22 Sep 2019, Matt Turner wrote:

> An idea to consider: use SPDX license identifiers (see
> https://spdx.org/licenses/)

> For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"

Yeah, they have a history of using silly names. What does 2.0 mean?
There is no such version of the GPL, and with Gentoo versioning rules,
2 is not equal to 2.0.

Another funny thing is that they first introduced a "+" operator, but
then decided not to use it for the GPL family, but append "-or-later"
instead. (And IIUC, "GPL-2.0-only+" is valid in their scheme and
equivalent to "GPL-2.0-or-later".)

Ulrich


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Matt Turner-5
On Sat, Sep 21, 2019 at 4:46 PM Ulrich Mueller <[hidden email]> wrote:

>
> >>>>> On Sun, 22 Sep 2019, Matt Turner wrote:
>
> > An idea to consider: use SPDX license identifiers (see
> > https://spdx.org/licenses/)
>
> > For GPL 2 they are "GPL-2.0-only" and "GPL-2.0-or-later"
>
> Yeah, they have a history of using silly names. What does 2.0 mean?
> There is no such version of the GPL, and with Gentoo versioning rules,
> 2 is not equal to 2.0.
>
> Another funny thing is that they first introduced a "+" operator, but
> then decided not to use it for the GPL family, but append "-or-later"
> instead. (And IIUC, "GPL-2.0-only+" is valid in their scheme and
> equivalent to "GPL-2.0-or-later".)

Yes, from the page I cited it seems that they decided that
differentiating with only a '+' character was a bad idea -- the exact
thing Michał is suggesting we stop doing.

> Release 3.0 replaced previous Identifiers for GNU licenses with more explicit Identifiers to reflect the "this version only" or "any later version" option specific to those licenses. As such, the previously used Identifiers for those licenses are deprecated as of v3.0.


Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Michał Górny-5
In reply to this post by William Hubbs
On Sat, 2019-09-21 at 17:45 -0500, William Hubbs wrote:

> On Sat, Sep 21, 2019 at 09:57:25PM +0200, Michał Górny wrote:
> > On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote:
> > > On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > > > >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> > > > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > > > the former trigger QA warning asking the dev to double-check if it's
> > > > > 'GPL-2-only' or 'GPL-2+'.
> > > >
> > > > This has been discussed before. There is no such license as GPL-2-only.
> > >
> > > I am with ulm on this one.
> > > We have GPL-2 and GPL-2+ in the tree. The way I read this,
> > > LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+.
> > >
> >
> > Have you read my original mail?
>
> Yes, and I just did again, and my position is still the same.
>
I know what we have now and what it means.  The mail includes long
explanation why this doesn't work.  Repeating what we have now does not
bring any argument to the discussion, except for anger/demotivation
because it feels like you've completely ignored most of the mail
and just reject it on the basis of 'it's not what we have now'.

--
Best regards,
Michał Górny



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Kent Fredric-2
In reply to this post by Ulrich Mueller-2
On Sat, 21 Sep 2019 22:58:03 +0200
Ulrich Mueller <[hidden email]> wrote:

> If the goal of this exercise is to do an audit of ebuilds labelled as
> "GPL-2", then a less intrusive approach (which I had already suggested
> when this issue had last been discussed) would be to add a comment to
> the LICENSE line, either saying "# GPL-2 only" for packages that have
> been verified. Or the other way around, starting with a comment saying
> that it is undecided, which would be removed after an audit. This would
> have the advantage not to confuse users, and have no impact on their
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and
> would have to add entries for AGPL-3-only.)

An adjunct idea:

Given things like "License" can get changed by upstream, and is prone
to deviating from what we have in the ebuild, and given the only way to
automate testing that requires being unable to unpack the archive and
grep for various things ...

Maybe we instead should be considering a per-package file that
indicates some kind of audit trail?

< dev-qt/qtwebengine/audit >
------------
# audit_ident  audit_param [....]
license 2019-09-22 5.12.5
------------

Where for example,  the license audit is:

   @NAME: license
   @PARAMS: DATE VERSION
   @DESCRIPTION:
      Certify a UTC DATE and VERSION used as reference, that you explicitly
      and intentionally carefully reviewed upstream's sources against
      the LICENSE field, ensuring you used the appropriate license and
      combinations, for instance: ensuring you wrote "GPL-2" only when
      upstream's license clearly omits the "or later" clause, and using
      "GPL-2+" where the clause is present.

Where you specify the version of the package at the time you carefully
audited it last.

At least that way, you can automate doing spot checks for license being
current and then yell at somebody to re-check it.

This seems like a more reliable approach than hoping the right value
was used and nothing has changed without anyone noticing in the interim.

And this tool could be used to expand the sort of scope of things QA
can check for, by ensuring that things that can't be checked
automatically, can at least have some sort of record indicating when
they were checked last (where git commit log will indicate who
performed the check)

Though there's lots of bikeshed potential here.

Just planting seeds :)
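
An added example, not part of the original post: one way the spot check described above could read the sketched audit file and report package versions newer than the audited one. The function names and the plain dotted-number version comparison are assumptions; real Gentoo versions with suffixes or revisions need a proper comparator.

```python
from datetime import date

# Constructed sample in the format sketched in the post above.
SAMPLE_AUDIT = """\
# audit_ident  audit_param [....]
license 2019-09-22 5.12.5
"""


def parse_audit(text):
    """Map audit_ident -> parameter list, ignoring comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ident, *params = line.split()
        entries[ident] = params
    return entries


def version_key(ver):
    # Assumption: plain dotted numeric versions only (no _rc1, -r2, ...).
    return tuple(int(part) for part in ver.split("."))


def license_recheck(audit_text, tree_versions):
    """Return the reasons a package's license audit has to be redone.

    tree_versions: versions of the package currently in the tree.
    An empty list means the recorded audit still covers everything.
    """
    params = parse_audit(audit_text).get("license")
    if params is None:
        return ["no license audit recorded"]
    if len(params) != 2:
        return ["malformed license entry"]
    try:
        when = date.fromisoformat(params[0])   # @PARAMS: DATE
        audited = version_key(params[1])       # @PARAMS: VERSION
    except ValueError:
        return ["malformed license entry"]
    newer = sorted((v for v in tree_versions if version_key(v) > audited),
                   key=version_key)
    if newer:
        return [f"{' '.join(newer)} newer than {params[1]} audited on {when}"]
    return []


if __name__ == "__main__":
    print(license_recheck(SAMPLE_AUDIT, ["5.12.5", "5.13.1"]))
```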



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Richard Yao-2
In reply to this post by Michał Górny-5

> On Sep 21, 2019, at 12:09 PM, Michał Górny <[hidden email]> wrote:
>
> Hi,
>
> TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> the former trigger QA warning asking the dev to double-check if it's
> 'GPL-2-only' or 'GPL-2+'.
>
>
> GNU Licenses currently don't carry an upgrade clause -- instead, authors
> are expected to decide whether they permit upgrade to newer versions of
> the license in question, or require users to stick with their version of
> choice.
>
> Their decision is normally indicated in copyright notices on top
> of source files.  Those that permit upgrade usually state 'either
> version N of the License, or (at your option) any later version.', while
> others remove the 'or...' or even replace with 'only' (sometimes
> removing 'either', sometimes leaving it ;-)).
>
> The truth is, many developers don't go that far to verify it.  Instead,
> they usually look at 'COPYING' or 'LICENSE', read the version there
> and put 'GPL-2', 'GPL-3' etc. in the ebuild.  It doesn't help that
> GitHub does the same and shows the result as easy-to-read note on top of
> repo.
>
>
> For some time I've been reviewing packages I'm (co-)maintaining, as well
> as proxy-maint submissions for this particular problem.  However,
> surprisingly many projects actually go the 'version N only' route, even
> in middle of environments that are 'N+' like Xfce.  As a result, I've
> ended up rechecking the same packages over and over again to the point
> of starting to add comments saying 'yes, this is GPL-2 only'.
>
> I'd like to propose to employ a more systematic method of resolving this
> problem.  I would like to add additional explicit 'GPL-n-only' licenses,
> and discourage using short 'GPL-n' in favor of them.  The end result
> would be three licenses per every version/variant, e.g.:
>
>  GPL-2-only -- version 2 only
>  GPL-2+     -- version 2 or newer
>  GPL-2      -- might be either, audit necessary
>
> The main idea is that we'd be able to easily find 'non-audited' packages
> with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only
> after auditing.  While technically it would still be possible for people
> to wrongly set LICENSE to GPL-2-only, I think this explicit distinction
> will help people notice that there actually is a deeper difference,
> and it will still catch people who just type 'GPL-n' without looking
> into the license directory.
My read of this and the comments is that it boils down to getting people to do the right thing and ensuring that they did. If anyone does not already understand this, we need to have a talk with them about it.

Also, for things like the Linux kernel where some files lack the or later version clause, this is going to end up with us doing GPL-2-only and GPL-2+ at the same time. Is this really what we want to do there?

>
>
> For a start, I'd only go for adding the '-only' variants to the most
> common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some
> FDL versions.  I don't think we need this for the long 'exception'
> variants -- I suspect that if someone did research enough to notice
> the exception, then most likely he would also notice the 'or newer'.
>
>
> WDYT?
>
> --
> Best regards,
> Michał Górny
>



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Jason Zaman-2
In reply to this post by Ulrich Mueller-2
On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
>
> > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > the former trigger QA warning asking the dev to double-check if it's
> > 'GPL-2-only' or 'GPL-2+'.
>
> This has been discussed before. There is no such license as GPL-2-only.

Yes there is:
https://spdx.org/licenses/GPL-2.0-only.html
https://spdx.org/licenses/GPL-2.0-or-later.html

The "GPL-2.0" one is deprecated:
https://spdx.org/licenses/GPL-2.0.html

If SPDX moved to having two names "-only" and "-or-later" then we should
too.

-- Jason



Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing

Matt Turner-5
On Mon, Sep 23, 2019 at 6:42 PM Jason Zaman <[hidden email]> wrote:

>
> On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote:
> > >>>>> On Sat, 21 Sep 2019, Michał Górny wrote:
> >
> > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having
> > > the former trigger QA warning asking the dev to double-check if it's
> > > 'GPL-2-only' or 'GPL-2+'.
> >
> > This has been discussed before. There is no such license as GPL-2-only.
>
> Yes there is:
> https://spdx.org/licenses/GPL-2.0-only.html
> https://spdx.org/licenses/GPL-2.0-or-later.html

Just so everything is clear: Ulrich is just making an extremely
pedantic point that there's no version of the GPL-2 license itself
with the "only" in it. Strange, now that I think about it I don't
remember a "GPL-2+" license either...
