From ce6fc97aeeb11109dd9d198e0f8ce9237a71d2cc Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Fri, 9 Dec 2022 20:48:39 -0700 Subject: [PATCH 1/8] Create OSI-SPDX-history.md beginning commit for background and logging issues that were (or were not) from when SPDX sought to include every OSI-approve license on the SPDX License List More research and commits are needed, and will take time! Signed-off-by: Jilayne Lovejoy --- DOCS/OSI-SPDX-history.md | 77 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 DOCS/OSI-SPDX-history.md diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md new file mode 100644 index 000000000..a5ef6dd77 --- /dev/null +++ b/DOCS/OSI-SPDX-history.md @@ -0,0 +1,77 @@ +# A History of OSI-approved licenses and the SPDX License List + +(add background here as to history and SPDX endeavoring to add all license ever approved by OSI, matching texts, etc.) + +## Old and "deprecated" licenses + +Because it was the goal of the SPDX License List to include every license that was approved by the OSI, SPDX needed input from the OSI as to the status of many older or previous versions of licenses that weren't explicitly listed on the OSI website. This was done via email. ADD LINKS + +As a result of this collaborative research, the following licenses were confirmed by the OSI as having been OSI-approved, but may not (readily) appear on the OSI website + +* AFL-1.1 +* AFL-1.2 +* AFL-2.0 +* AFL-2.1 +* APSL-1.0 +* APSL-1.1 +* APSL-1.2 +* OSL-2.0 + +## Artistic License variations +The SPDX License List includes three variants of the Artistic License v1.0. They are: + +* Artistic-1.0 +* Artistic-1.0-cl8 +* Artistic-1.0-Perl + + +(remainder copied from https://gist.github.com/mxmehl/1e7a3aed4ff14a8ddfd4aff8ab4de552 which I'll update as I go through the various cateogories/explanations) +## Marked as not OSI compliant in SPDX, but actually on OSI's list + +- [ ] eCos-2.0 +This is an exception and is on the SPDX License List. It is (or was) listed on OSI. Need to find history in archives. + +## Not in SPDX list, but in OSI's list + +* jabberpl: Jabber Open Source License +I recall this had some issues that were never resolved - will have to dig that up + +* CVW: MITRE Collaborative Virtual Workspace License + +## Not in OSI list, but in SPDX's list + +- [ ] CAL-1.0-Combined-Work-Exception +- [ ] MPL-2.0-no-copyleft-exception +- [ ] OFL-1.1-no-RFN +- [ ] OFL-1.1-RFN +These are all licenses that allow legally substantive variations that warranted a distinct SPDX identifiers, but without being a different "version" and thus only listed as one license on the OSI list + +* GPL-3.0-with-GCC-exception + + +* LGPL-2.0 +this is a deprecated SPDX license id, not sure what the question is here? + +- [ ] MIT-Modern-Variant + + + +### False-positives + +- Many mismatches in GPL/LGPL/AGPL because of -only/-or-later/+. I unified those + +# OSI issues + +## Unclear status + +- [ ] EUPL-1.1 is not on OSI's site but only EUPL-1.2. However, the 1.2 entry links to the 1.1 detail site, and there exists an additional 1.2 URL. So OSI's listing seems confused. It's therefore unclear which licenses are approved. + +## Mismatch of IDs in OSI and SPDX + +Probably mistakes on OSI's side + +- [ ] LiLiQ-P vs. LiLiQ-P-1.1 +- [ ] LiLiQ-R vs. LiLiQ-R-1.1 +- [ ] LiLiQ-R+ vs. LiLiQ-Rplus-1.1 +- [ ] UPL vs. UPL-1.0 +- [ ] WXwindows vs. wxWindows From decaa3b6ab9051f41babd3b29481a1f9e41e8f99 Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Fri, 9 Dec 2022 21:05:39 -0700 Subject: [PATCH 2/8] add some background and info on Artistic-1.0 --- DOCS/OSI-SPDX-history.md | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index a5ef6dd77..b0cf16b4f 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -1,12 +1,17 @@ # A History of OSI-approved licenses and the SPDX License List -(add background here as to history and SPDX endeavoring to add all license ever approved by OSI, matching texts, etc.) +In the early days of the SPDX License List, it was decided that the list should include all OSI approved licenses, both current and those approved but now deprecated. The rationale being that once OSI-approved, always OSI-approved and that deprecated licenses may still appear "in the wild". -## Old and "deprecated" licenses +This involved early collaboration between SPDX and OSI (2011) to accurately identify and ensure that all OSI-approved licenses were represented on the SPDX License List. To do so, SPDX needed input from the OSI as to the status of many older or previous versions of licenses that weren't explicitly listed on the OSI website. This was done via email... ADD LINKS + +(add background here as to history and SPDX matching texts, etc.) + +At that time, OSI began using the SPDX license identifiers in their URLs and on the license pages. -Because it was the goal of the SPDX License List to include every license that was approved by the OSI, SPDX needed input from the OSI as to the status of many older or previous versions of licenses that weren't explicitly listed on the OSI website. This was done via email. ADD LINKS -As a result of this collaborative research, the following licenses were confirmed by the OSI as having been OSI-approved, but may not (readily) appear on the OSI website +## Old and "deprecated" licenses + +The following licenses were confirmed by the OSI as having been OSI-approved, but may not (readily) appear on the OSI website * AFL-1.1 * AFL-1.2 @@ -17,15 +22,23 @@ As a result of this collaborative research, the following licenses were confirme * APSL-1.2 * OSL-2.0 +ADD LINKS TO DISCUSSION ON THESE, AS CAN BE FOUND + ## Artistic License variations -The SPDX License List includes three variants of the Artistic License v1.0. They are: +The SPDX License List includes three variants of the Artistic License v1.0. The OSI also explicitly approved two variants: one with clause 8 and without. Because the presence of clause 8 or absence presents a substantive difference, SPDX added them as separate licenses. * Artistic-1.0 * Artistic-1.0-cl8 + +In the course of this research, it was also discovered that the text for the Artistic License 1.0 that was listed on the OSI website did not match the text of the Artistic License used by Perl (despite text on the OSI saying so). ADD LINKS RE THIS DISCUSSION + * Artistic-1.0-Perl +======= +(remainder copied from list at https://gist.github.com/mxmehl/1e7a3aed4ff14a8ddfd4aff8ab4de552 with some preliminary notes - which I'll update as I go through the various cateogories/explanations) + +======= -(remainder copied from https://gist.github.com/mxmehl/1e7a3aed4ff14a8ddfd4aff8ab4de552 which I'll update as I go through the various cateogories/explanations) ## Marked as not OSI compliant in SPDX, but actually on OSI's list - [ ] eCos-2.0 @@ -54,8 +67,6 @@ this is a deprecated SPDX license id, not sure what the question is here? - [ ] MIT-Modern-Variant - - ### False-positives - Many mismatches in GPL/LGPL/AGPL because of -only/-or-later/+. I unified those From 9e8eac0ac6d798ad54da9490b2eae66c31858571 Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Sun, 11 Dec 2022 17:02:06 -0700 Subject: [PATCH 3/8] add some info about a bunch of the licenses --- DOCS/OSI-SPDX-history.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index b0cf16b4f..78fa68d0b 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -11,22 +11,23 @@ At that time, OSI began using the SPDX license identifiers in their URLs and on ## Old and "deprecated" licenses -The following licenses were confirmed by the OSI as having been OSI-approved, but may not (readily) appear on the OSI website +The following licenses were confirmed by the OSI as having been OSI-approved, but may not (readily) appear on the OSI website: * AFL-1.1 * AFL-1.2 * AFL-2.0 * AFL-2.1 -* APSL-1.0 -* APSL-1.1 * APSL-1.2 * OSL-2.0 -ADD LINKS TO DISCUSSION ON THESE, AS CAN BE FOUND +See SPDX-legal email list from April 2012 [here](https://lists.spdx.org/g/Spdx-legal/message/311?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080203) and +[here](https://lists.spdx.org/g/Spdx-legal/message/312?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080204) for confirmation of these licenses having been OSI-approved. ## Artistic License variations The SPDX License List includes three variants of the Artistic License v1.0. The OSI also explicitly approved two variants: one with clause 8 and without. Because the presence of clause 8 or absence presents a substantive difference, SPDX added them as separate licenses. +Also note that Perl link has 10 clause version of license, whereas OSI link has 9 clause with note at top about additional clause. for searching/templating reasons, these should probably be listed as two different licenses. Suggest naming as follows: + * Artistic-1.0 * Artistic-1.0-cl8 From d5fdb9efa24a229fe14cb102583d2a086b1cbc3e Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Sun, 11 Dec 2022 18:26:33 -0700 Subject: [PATCH 4/8] more updates --- DOCS/OSI-SPDX-history.md | 64 +++++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index 78fa68d0b..703b33c7c 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -1,49 +1,58 @@ # A History of OSI-approved licenses and the SPDX License List -In the early days of the SPDX License List, it was decided that the list should include all OSI approved licenses, both current and those approved but now deprecated. The rationale being that once OSI-approved, always OSI-approved and that deprecated licenses may still appear "in the wild". +In the early days it was decided that the SPDX License List should include all licenses that were ever OSI-approved licenses. The rationale being that once OSI-approved, always OSI-approved and that even old or deprecated licenses may still appear "in the wild". -This involved early collaboration between SPDX and OSI (2011) to accurately identify and ensure that all OSI-approved licenses were represented on the SPDX License List. To do so, SPDX needed input from the OSI as to the status of many older or previous versions of licenses that weren't explicitly listed on the OSI website. This was done via email... ADD LINKS - -(add background here as to history and SPDX matching texts, etc.) +This involved early collaboration between SPDX and OSI starting around 2011 and onward. As the SPDX-legal team sought to accurately identify all OSI-approved licenses and their corresonpding text to ensure that representation on the SPDX License List. This involved cross-collaboration between SPDX-legal and various OSI representagives, with most communication occurring on the SPDX-legal mailing list, OSI's license-disucss mailing list, or both. At that time, OSI began using the SPDX license identifiers in their URLs and on the license pages. +This page seeks to explain some of the challenges that this reconciliation work encountered, especially where a solution to the challenge may still leave questions for people currently looking at or using both the SPDX License List and the OSI list of approved licenses. -## Old and "deprecated" licenses -The following licenses were confirmed by the OSI as having been OSI-approved, but may not (readily) appear on the OSI website: -* AFL-1.1 -* AFL-1.2 -* AFL-2.0 -* AFL-2.1 -* APSL-1.2 -* OSL-2.0 +## Old and "deprecated" licenses +The following licenses were confirmed by the OSI as having been OSI-approved, even thought these licenses do not or may not (readily) appear on the OSI website: + +* `AFL-1.1` +* `AFL-1.2` +* `AFL-2.0` +* `AFL-2.1` +* `APSL-1.2` +* `OSL-2.0` See SPDX-legal email list from April 2012 [here](https://lists.spdx.org/g/Spdx-legal/message/311?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080203) and [here](https://lists.spdx.org/g/Spdx-legal/message/312?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080204) for confirmation of these licenses having been OSI-approved. ## Artistic License variations -The SPDX License List includes three variants of the Artistic License v1.0. The OSI also explicitly approved two variants: one with clause 8 and without. Because the presence of clause 8 or absence presents a substantive difference, SPDX added them as separate licenses. +The OSI also explicitly approved two variants as stated at the top of the page: one with clause 8 and without. Because the presence or absence of clause 8 presents a substantive difference, SPDX added them as two separate licenses. -Also note that Perl link has 10 clause version of license, whereas OSI link has 9 clause with note at top about additional clause. for searching/templating reasons, these should probably be listed as two different licenses. Suggest naming as follows: +In the course of this research, it was also discovered that the text for the Artistic License 1.0 that was listed on the OSI website did not match the text of the Artistic License used by Perl, despite a note on the OSI webpage saying so. The Artistic License 1.0 on the Perl site has 10 clauses, thus adversion of license, whereas OSI link has 9 clause with note at top about additional clause. -* Artistic-1.0 -* Artistic-1.0-cl8 +As a result SPDX added 3 licenses to accommodate these variations: -In the course of this research, it was also discovered that the text for the Artistic License 1.0 that was listed on the OSI website did not match the text of the Artistic License used by Perl (despite text on the OSI saying so). ADD LINKS RE THIS DISCUSSION +* `Artistic-1.0` +* `Artistic-1.0-cl8` +* `Artistic-1.0-Perl` -* Artistic-1.0-Perl +## License exceptions +In at least one case, the OSI approved a license exception, referred to as [eCos License version 2.0](https://opensource.org/licenses/eCos-2.0) and lists the SPDX identifiers as "eCos-2.0" -======= -(remainder copied from list at https://gist.github.com/mxmehl/1e7a3aed4ff14a8ddfd4aff8ab4de552 with some preliminary notes - which I'll update as I go through the various cateogories/explanations) +However, when SPDX 2.0 came out in YEAR, exceptions were moved to their own part of the SPDX License List, to be used with the `WITH` operator to allow more extensible and varied license expressions. -======= +The current, correct SPDX License expression for the license combination shown on the OSI site would be: `GPL-2.0-or-later WITH eCos-exception-2.0` -## Marked as not OSI compliant in SPDX, but actually on OSI's list +## Licenses that allow for variations by way of a different license notice +These are licesnes that were approved by the OSI in full. These licenses allow legally substantive variations based on use of a different license notice. This variataion warranted distinct SPDX identifiers to indicate whether or not the allowed variation is being triggered. All of these variations include a Note in the SPDX License List entry explaining this. + +* 'CAL-1.0-Combined-Work-Exception' +* 'MPL-2.0-no-copyleft-exception' +* 'OFL-1.1-no-RFN' +* 'OFL-1.1-RFN' + +===== +still need to address these: +==== -- [ ] eCos-2.0 -This is an exception and is on the SPDX License List. It is (or was) listed on OSI. Need to find history in archives. ## Not in SPDX list, but in OSI's list @@ -54,14 +63,9 @@ I recall this had some issues that were never resolved - will have to dig that u ## Not in OSI list, but in SPDX's list -- [ ] CAL-1.0-Combined-Work-Exception -- [ ] MPL-2.0-no-copyleft-exception -- [ ] OFL-1.1-no-RFN -- [ ] OFL-1.1-RFN -These are all licenses that allow legally substantive variations that warranted a distinct SPDX identifiers, but without being a different "version" and thus only listed as one license on the OSI list * GPL-3.0-with-GCC-exception - +what is the quesiton here? * LGPL-2.0 this is a deprecated SPDX license id, not sure what the question is here? From ca9f8794d6576660c67bec0ada0ef103eed3f9ed Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Sun, 11 Dec 2022 22:54:01 -0700 Subject: [PATCH 5/8] Update OSI-SPDX-history.md --- DOCS/OSI-SPDX-history.md | 65 +++++++++++++++++++++++----------------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index 703b33c7c..c98093323 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -1,17 +1,15 @@ # A History of OSI-approved licenses and the SPDX License List -In the early days it was decided that the SPDX License List should include all licenses that were ever OSI-approved licenses. The rationale being that once OSI-approved, always OSI-approved and that even old or deprecated licenses may still appear "in the wild". +Early on, the SPDX License List should include all licenses that were ever OSI-approved licenses. The rationale being that once OSI-approved, always OSI-approved and that even old or "deprecated" (by way of a newer version or other such circumstance) licenses may still appear "in the wild". (Note: the OSI and SPDX use "deprecated" in different ways.) -This involved early collaboration between SPDX and OSI starting around 2011 and onward. As the SPDX-legal team sought to accurately identify all OSI-approved licenses and their corresonpding text to ensure that representation on the SPDX License List. This involved cross-collaboration between SPDX-legal and various OSI representagives, with most communication occurring on the SPDX-legal mailing list, OSI's license-disucss mailing list, or both. - -At that time, OSI began using the SPDX license identifiers in their URLs and on the license pages. - -This page seeks to explain some of the challenges that this reconciliation work encountered, especially where a solution to the challenge may still leave questions for people currently looking at or using both the SPDX License List and the OSI list of approved licenses. +In 2011, OSI [began using the SPDX license identifiers](https://opensource.org/minutes20110608) in their URLs and on the license pages. +The SPDX-legal team sought to accurately identify all OSI-approved licenses and their corresponding text to ensure representation on the SPDX License List. This involved cross-collaboration between SPDX-legal and various OSI representatives, with most communication occurring on the SPDX-legal mailing list, OSI's license-disucss mailing list, or both. John Cowan, Martin Michlmayr, Karl Fogel, and Luis Villa were among the OSI board members who helped Jilayne Lovejoy from SPDX-legal on researching the various issues. +This page seeks to explain some of the challenges that this reconciliation work encountered, especially where a solution to the challenge may still leave questions for people currently looking at or using both the SPDX License List and the OSI list of approved licenses. Any suggestions that had been made in the past for a possible reconciliation have been reproduced here as well. ## Old and "deprecated" licenses -The following licenses were confirmed by the OSI as having been OSI-approved, even thought these licenses do not or may not (readily) appear on the OSI website: +The following old or "deprecated" licenses were confirmed by the OSI as having been OSI-approved, even though these licenses do not or may not (readily) appear on the OSI website any longer: * `AFL-1.1` * `AFL-1.2` @@ -23,68 +21,81 @@ The following licenses were confirmed by the OSI as having been OSI-approved, ev See SPDX-legal email list from April 2012 [here](https://lists.spdx.org/g/Spdx-legal/message/311?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080203) and [here](https://lists.spdx.org/g/Spdx-legal/message/312?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080204) for confirmation of these licenses having been OSI-approved. +Suggestion: Consider listing all licenses ever approved on OSI website to retain a full historical record. + ## Artistic License variations -The OSI also explicitly approved two variants as stated at the top of the page: one with clause 8 and without. Because the presence or absence of clause 8 presents a substantive difference, SPDX added them as two separate licenses. +The OSI explicitly approved two variants of [Artistic License 1.0](https://opensource.org/licenses/Artistic-1.0) as stated at the top of the page: with clause 8 and without. Because the presence or absence of clause 8 presents a substantive difference, SPDX added them as two separate licenses. -In the course of this research, it was also discovered that the text for the Artistic License 1.0 that was listed on the OSI website did not match the text of the Artistic License used by Perl, despite a note on the OSI webpage saying so. The Artistic License 1.0 on the Perl site has 10 clauses, thus adversion of license, whereas OSI link has 9 clause with note at top about additional clause. +In the course of this research, it was discovered that the text for the Artistic License 1.0 that was listed on the OSI website did not match the text of the Artistic License [used by Perl](https://dev.perl.org/licenses/artistic.html), which has 10 clauses, clause 5, 6, 7, and 8 being different from those on the OSI site. It is still unclear to this day what was originally submitted to OSI or where the text at https://opensource.org/licenses/Artistic-1.0 (either with or without clause 8) has been used in actual code. As a result SPDX added 3 licenses to accommodate these variations: - * `Artistic-1.0` * `Artistic-1.0-cl8` * `Artistic-1.0-Perl` +OSI added a separate page for `Artistic-1.0-Perl` but the notation describing the variant is still confusing. + +Suggestion: OSI add the SPDX ids, `Artistic-1.0` and `Artistic-1.0-cl8` to [this page](https://opensource.org/licenses/Artistic-1.0) and update the notation to something like, “OSI approved this variant of Artistic License 1.0, (Artistic-1.0) with 9 clauses, as well as a variant that contains an additional clause 8 (Artistic-1.0-cl8). There is also the variant used by Perl (Artistic-1.0-Perl), which has differences from the text here in clauses 5, 6, 7 and 8.” +And add the SPDX id, `Artistic-1.0-Perl` on [this page](https://opensource.org/licenses/Artistic-Perl-1.0) and update that note accordingly as well. + ## License exceptions -In at least one case, the OSI approved a license exception, referred to as [eCos License version 2.0](https://opensource.org/licenses/eCos-2.0) and lists the SPDX identifiers as "eCos-2.0" +In at least one case, the OSI approved a license exception, referred to as [eCos License version 2.0](https://opensource.org/licenses/eCos-2.0) and lists the SPDX identifiers as "eCos-2.0". This is probably because this license was originally on the SPDX License List as a stand alone license. However, when SPDX 2.0 came out in May 2015, exceptions were moved to their own part of the SPDX License List to be used with the `WITH` operator to allow more extensible and varied license expressions, see https://spdx.org/licenses/eCos-2.0.html and now see https://spdx.org/licenses/eCos-exception-2.0.html -However, when SPDX 2.0 came out in YEAR, exceptions were moved to their own part of the SPDX License List, to be used with the `WITH` operator to allow more extensible and varied license expressions. +Note that OSI has the GPL-2.0-or-later license notice on its page for the eCos exception, which would use the SPDX license expression: `GPL-2.0-or-later WITH eCos-exception-2.0`. Did OSI _only_ approve this exception for GPL-2.0-or-later? -The current, correct SPDX License expression for the license combination shown on the OSI site would be: `GPL-2.0-or-later WITH eCos-exception-2.0` +Suggestion: Update the [eCos](https://opensource.org/licenses/eCos-2.0) page to use the current `eCos-exception-2.0` identifier and change the URL to https://opensource.org/licenses/eCos-exception-2.0. Clarify what versions of GPL it is approved for. ## Licenses that allow for variations by way of a different license notice These are licesnes that were approved by the OSI in full. These licenses allow legally substantive variations based on use of a different license notice. This variataion warranted distinct SPDX identifiers to indicate whether or not the allowed variation is being triggered. All of these variations include a Note in the SPDX License List entry explaining this. -* 'CAL-1.0-Combined-Work-Exception' -* 'MPL-2.0-no-copyleft-exception' -* 'OFL-1.1-no-RFN' -* 'OFL-1.1-RFN' - -===== -still need to address these: -==== +* `CAL-1.0-Combined-Work-Exception` +* `MPL-2.0-no-copyleft-exception` +* `OFL-1.1-no-RFN` +* `OFL-1.1-RFN` +Suggestion: OSI could add the variant SPDX ids to the license pages. ## Not in SPDX list, but in OSI's list -* jabberpl: Jabber Open Source License -I recall this had some issues that were never resolved - will have to dig that up +* [Jabber Open Source License](https://opensource.org/licenses/jabberpl) - This is a case where the text on the OSI site is not the same as the archived text at http://archive.jabber.org/core/JOSL.pdf SPDX would consider these two texts as different licenses, and was trying to clarify with the OSI which text was submitted and approved by OSI. Martin Michlmayr and Jilayne discussed this back in 2013 (https://lists.spdx.org/g/Spdx-legal/topic/22080295#475), but never reached a resolution. Jilayne emailed the OSI Board about this issue in July 2019. + +Suggestion: SPDX could recognize both variants on the SPDX License List and note the one that is specifically OSI-approved is the one that matches that exact text on the OSI site? This would require distinct names and identifiers. * CVW: MITRE Collaborative Virtual Workspace License -## Not in OSI list, but in SPDX's list +still need to research issue here +# from Max's list - still to address: +## Not in OSI list, but in SPDX's list * GPL-3.0-with-GCC-exception + what is the quesiton here? * LGPL-2.0 + this is a deprecated SPDX license id, not sure what the question is here? -- [ ] MIT-Modern-Variant +* MIT-Modern-Variant ### False-positives - Many mismatches in GPL/LGPL/AGPL because of -only/-or-later/+. I unified those +what do you mean my mismatches? and "unified those"? + # OSI issues ## Unclear status -- [ ] EUPL-1.1 is not on OSI's site but only EUPL-1.2. However, the 1.2 entry links to the 1.1 detail site, and there exists an additional 1.2 URL. So OSI's listing seems confused. It's therefore unclear which licenses are approved. +* EUPL-1.1 is not on OSI's site but only EUPL-1.2. However, the 1.2 entry links to the 1.1 detail site, and there exists an additional 1.2 URL. So OSI's listing seems confused. It's therefore unclear which licenses are approved. + +need to do some research on this one ## Mismatch of IDs in OSI and SPDX +Probably mistakes on OSI's side. -Probably mistakes on OSI's side +These may be cases of the licenses being submitted to SPDX before OSI approved them and no one at OSI realized. Or they were submitted at a similar time and never cross-checked on the final SPDX id. - [ ] LiLiQ-P vs. LiLiQ-P-1.1 - [ ] LiLiQ-R vs. LiLiQ-R-1.1 From e5d3f98e64af265d8d2cd653ad0bc5c2227f0c05 Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Mon, 1 Jul 2024 11:56:08 -0600 Subject: [PATCH 6/8] few easy updates --- DOCS/OSI-SPDX-history.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index c98093323..0da9f4afc 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -1,12 +1,15 @@ # A History of OSI-approved licenses and the SPDX License List -Early on, the SPDX License List should include all licenses that were ever OSI-approved licenses. The rationale being that once OSI-approved, always OSI-approved and that even old or "deprecated" (by way of a newer version or other such circumstance) licenses may still appear "in the wild". (Note: the OSI and SPDX use "deprecated" in different ways.) +In the first releases of the SPDX License List, it was determined that the SPDX License List should include all licenses that were ever OSI-approved. The rationale being that once OSI-approved, always OSI-approved and that even old or "deprecated" (by way of a newer version or other such circumstance) licenses may still appear "in the wild". (Note: the OSI and SPDX use "deprecated" in different ways.) In 2011, OSI [began using the SPDX license identifiers](https://opensource.org/minutes20110608) in their URLs and on the license pages. The SPDX-legal team sought to accurately identify all OSI-approved licenses and their corresponding text to ensure representation on the SPDX License List. This involved cross-collaboration between SPDX-legal and various OSI representatives, with most communication occurring on the SPDX-legal mailing list, OSI's license-disucss mailing list, or both. John Cowan, Martin Michlmayr, Karl Fogel, and Luis Villa were among the OSI board members who helped Jilayne Lovejoy from SPDX-legal on researching the various issues. -This page seeks to explain some of the challenges that this reconciliation work encountered, especially where a solution to the challenge may still leave questions for people currently looking at or using both the SPDX License List and the OSI list of approved licenses. Any suggestions that had been made in the past for a possible reconciliation have been reproduced here as well. +This page seeks to explain some of the challenges that this reconciliation work encountered, especially where a solution to the challenge may still leave questions for people currently looking at or using both the SPDX License List and the OSI list of approved licenses. Any suggestions that had been made in the past but not implemented or that would aid in clarifiction have been added here as well. + +If or as things get updated, we will try to update this page in a timely manner. +(last update: July 1, 2024) ## Old and "deprecated" licenses The following old or "deprecated" licenses were confirmed by the OSI as having been OSI-approved, even though these licenses do not or may not (readily) appear on the OSI website any longer: @@ -21,7 +24,7 @@ The following old or "deprecated" licenses were confirmed by the OSI as having b See SPDX-legal email list from April 2012 [here](https://lists.spdx.org/g/Spdx-legal/message/311?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080203) and [here](https://lists.spdx.org/g/Spdx-legal/message/312?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2Cosi%2C20%2C2%2C300%2C22080204) for confirmation of these licenses having been OSI-approved. -Suggestion: Consider listing all licenses ever approved on OSI website to retain a full historical record. +Suggestion: Consider listing all licenses ever approved on OSI website to retain a full historical record (even if noted as superceded). ## Artistic License variations The OSI explicitly approved two variants of [Artistic License 1.0](https://opensource.org/licenses/Artistic-1.0) as stated at the top of the page: with clause 8 and without. Because the presence or absence of clause 8 presents a substantive difference, SPDX added them as two separate licenses. @@ -46,7 +49,7 @@ Note that OSI has the GPL-2.0-or-later license notice on its page for the eCos e Suggestion: Update the [eCos](https://opensource.org/licenses/eCos-2.0) page to use the current `eCos-exception-2.0` identifier and change the URL to https://opensource.org/licenses/eCos-exception-2.0. Clarify what versions of GPL it is approved for. ## Licenses that allow for variations by way of a different license notice -These are licesnes that were approved by the OSI in full. These licenses allow legally substantive variations based on use of a different license notice. This variataion warranted distinct SPDX identifiers to indicate whether or not the allowed variation is being triggered. All of these variations include a Note in the SPDX License List entry explaining this. +These are licenses that were approved by the OSI in full. These licenses allow legally substantive variations based on use of a different license notice. This variataion warranted distinct SPDX identifiers to indicate whether or not the allowed variation is being triggered. All of these variations include a Note in the SPDX License List entry explaining this. * `CAL-1.0-Combined-Work-Exception` * `MPL-2.0-no-copyleft-exception` @@ -59,7 +62,7 @@ Suggestion: OSI could add the variant SPDX ids to the license pages. * [Jabber Open Source License](https://opensource.org/licenses/jabberpl) - This is a case where the text on the OSI site is not the same as the archived text at http://archive.jabber.org/core/JOSL.pdf SPDX would consider these two texts as different licenses, and was trying to clarify with the OSI which text was submitted and approved by OSI. Martin Michlmayr and Jilayne discussed this back in 2013 (https://lists.spdx.org/g/Spdx-legal/topic/22080295#475), but never reached a resolution. Jilayne emailed the OSI Board about this issue in July 2019. -Suggestion: SPDX could recognize both variants on the SPDX License List and note the one that is specifically OSI-approved is the one that matches that exact text on the OSI site? This would require distinct names and identifiers. +Suggestion: SPDX could recognize both variants on the SPDX License List and note the one that is specifically OSI-approved. This would require clarification from OSI as to which one was approved and make any updates to its site accordingly. If both variants were OSI-approve, then a new entry would be warranted on the OSI site. * CVW: MITRE Collaborative Virtual Workspace License From 96b2dfaf7ad04d8fab609f65184bb50f41bb236d Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Mon, 1 Jul 2024 21:27:05 -0600 Subject: [PATCH 7/8] remove some of original list of issues --- DOCS/OSI-SPDX-history.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index 0da9f4afc..24ba630cb 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -71,21 +71,11 @@ still need to research issue here # from Max's list - still to address: ## Not in OSI list, but in SPDX's list -* GPL-3.0-with-GCC-exception -what is the quesiton here? - -* LGPL-2.0 - -this is a deprecated SPDX license id, not sure what the question is here? * MIT-Modern-Variant -### False-positives - -- Many mismatches in GPL/LGPL/AGPL because of -only/-or-later/+. I unified those -what do you mean my mismatches? and "unified those"? # OSI issues From 63e4f474b3c8460284d1262c71e64de3126b7a51 Mon Sep 17 00:00:00 2001 From: Jilayne Lovejoy Date: Mon, 1 Jul 2024 22:31:18 -0600 Subject: [PATCH 8/8] rest of updated --- DOCS/OSI-SPDX-history.md | 52 ++++++++++++++++------------------------ 1 file changed, 21 insertions(+), 31 deletions(-) diff --git a/DOCS/OSI-SPDX-history.md b/DOCS/OSI-SPDX-history.md index 24ba630cb..2701d28c8 100644 --- a/DOCS/OSI-SPDX-history.md +++ b/DOCS/OSI-SPDX-history.md @@ -1,6 +1,6 @@ # A History of OSI-approved licenses and the SPDX License List -In the first releases of the SPDX License List, it was determined that the SPDX License List should include all licenses that were ever OSI-approved. The rationale being that once OSI-approved, always OSI-approved and that even old or "deprecated" (by way of a newer version or other such circumstance) licenses may still appear "in the wild". (Note: the OSI and SPDX use "deprecated" in different ways.) +In the first releases of the SPDX License List, it was determined that the SPDX License List should include all licenses that were ever OSI-approved. (A policy that SPDX-legal maintains to this day.) The rationale being that once OSI-approved, always OSI-approved and that even old or "deprecated" (by way of a newer version or other such circumstance) licenses may still appear "in the wild". (Note: the OSI and SPDX use the term "deprecated" in different ways.) In 2011, OSI [began using the SPDX license identifiers](https://opensource.org/minutes20110608) in their URLs and on the license pages. @@ -8,9 +8,13 @@ The SPDX-legal team sought to accurately identify all OSI-approved licenses and This page seeks to explain some of the challenges that this reconciliation work encountered, especially where a solution to the challenge may still leave questions for people currently looking at or using both the SPDX License List and the OSI list of approved licenses. Any suggestions that had been made in the past but not implemented or that would aid in clarifiction have been added here as well. -If or as things get updated, we will try to update this page in a timely manner. +Since that time, the OSI began more actively reviewing licenses and the website got updated in various ways; and SPDX adopted new policies, such as the license expression syntax. As a result, other issues have appeared in term of "matching" up the licenses that appear on both lists. + +This document is an effort to capture the history, as well as acknowledge and identify some issues, which in some cases, may have suggested resolutions. This list may not be exhaustive. As things get updated, we will try to update this page in a timely manner. (last update: July 1, 2024) +# Outstanding issues + ## Old and "deprecated" licenses The following old or "deprecated" licenses were confirmed by the OSI as having been OSI-approved, even though these licenses do not or may not (readily) appear on the OSI website any longer: @@ -42,11 +46,15 @@ Suggestion: OSI add the SPDX ids, `Artistic-1.0` and `Artistic-1.0-cl8` to [this And add the SPDX id, `Artistic-1.0-Perl` on [this page](https://opensource.org/licenses/Artistic-Perl-1.0) and update that note accordingly as well. ## License exceptions -In at least one case, the OSI approved a license exception, referred to as [eCos License version 2.0](https://opensource.org/licenses/eCos-2.0) and lists the SPDX identifiers as "eCos-2.0". This is probably because this license was originally on the SPDX License List as a stand alone license. However, when SPDX 2.0 came out in May 2015, exceptions were moved to their own part of the SPDX License List to be used with the `WITH` operator to allow more extensible and varied license expressions, see https://spdx.org/licenses/eCos-2.0.html and now see https://spdx.org/licenses/eCos-exception-2.0.html +In at least two cases, the OSI approved a license exception: +* [eCos License version 2.0](https://opensource.org/licenses/eCos-2.0) and lists the SPDX identifiers as `eCos-2.0` +* [wxWindows Library License](https://spdx.org/licenses/wxWindows.html) and lists the SPDX identifier as `wxWindows` +This is probably because these licenses were originally on the SPDX License List as a stand alone licenses. However, when SPDX 2.0 came out in May 2015, exceptions were moved to their own part of the SPDX License List to be used with the `WITH` operator to allow more extensible and varied license expressions, see https://spdx.org/licenses/eCos-2.0.html and now see https://spdx.org/licenses/eCos-exception-2.0.html +and https://spdx.org/licenses/wxWindows.html and now see https://spdx.org/licenses/WxWindows-exception-3.1.html Note that OSI has the GPL-2.0-or-later license notice on its page for the eCos exception, which would use the SPDX license expression: `GPL-2.0-or-later WITH eCos-exception-2.0`. Did OSI _only_ approve this exception for GPL-2.0-or-later? -Suggestion: Update the [eCos](https://opensource.org/licenses/eCos-2.0) page to use the current `eCos-exception-2.0` identifier and change the URL to https://opensource.org/licenses/eCos-exception-2.0. Clarify what versions of GPL it is approved for. +Suggestion: Update the pages to use the current SPDX identifier for the exception (or the full SPDX license expression). Clarify what versions of GPL it is approved for. ## Licenses that allow for variations by way of a different license notice These are licenses that were approved by the OSI in full. These licenses allow legally substantive variations based on use of a different license notice. This variataion warranted distinct SPDX identifiers to indicate whether or not the allowed variation is being triggered. All of these variations include a Note in the SPDX License List entry explaining this. @@ -55,6 +63,7 @@ These are licenses that were approved by the OSI in full. These licenses allow l * `MPL-2.0-no-copyleft-exception` * `OFL-1.1-no-RFN` * `OFL-1.1-RFN` +* GNU license family, see https://github.com/OpenSourceOrg/licenses/issues/87 Suggestion: OSI could add the variant SPDX ids to the license pages. @@ -64,34 +73,15 @@ Suggestion: OSI could add the variant SPDX ids to the license pages. Suggestion: SPDX could recognize both variants on the SPDX License List and note the one that is specifically OSI-approved. This would require clarification from OSI as to which one was approved and make any updates to its site accordingly. If both variants were OSI-approve, then a new entry would be warranted on the OSI site. -* CVW: MITRE Collaborative Virtual Workspace License - -still need to research issue here - -# from Max's list - still to address: -## Not in OSI list, but in SPDX's list - - - -* MIT-Modern-Variant - - - -# OSI issues - -## Unclear status - -* EUPL-1.1 is not on OSI's site but only EUPL-1.2. However, the 1.2 entry links to the 1.1 detail site, and there exists an additional 1.2 URL. So OSI's listing seems confused. It's therefore unclear which licenses are approved. +* [CVW: MITRE Collaborative Virtual Workspace License](https://opensource.org/license/cvw) - Needs further research as to when it was OSI approved and how it didn't get on SPDX License List as well. -need to do some research on this one +## Other issues +* [The W3C® SOFTWARE NOTICE AND LICENSE](https://opensource.org/license/w3c) - uses SPDX id, `W3C-20150513` but licnese text does not seem to match?? +* -## Mismatch of IDs in OSI and SPDX -Probably mistakes on OSI's side. +## OSI site missing SPDX id +* [OCLC-2.0](https://opensource.org/license/oclc2-php) - see https://spdx.org/licenses/OCLC-2.0.html - is marked as OSI-approved on SPDX License List +* https://opensource.org/license/python-2-0 uses the right SPDX id in the URL (which is from many years ago), but has the wrong SPDX on the actual page text -These may be cases of the licenses being submitted to SPDX before OSI approved them and no one at OSI realized. Or they were submitted at a similar time and never cross-checked on the final SPDX id. -- [ ] LiLiQ-P vs. LiLiQ-P-1.1 -- [ ] LiLiQ-R vs. LiLiQ-R-1.1 -- [ ] LiLiQ-R+ vs. LiLiQ-Rplus-1.1 -- [ ] UPL vs. UPL-1.0 -- [ ] WXwindows vs. wxWindows +Also see https://github.com/OpenSourceOrg/licenses/issues/62 for other issues that have been addressed - thanks Gary O'Neall!