dhcpcd-discuss

Re: [PATCH] Add SPDX identifiers

Yegor Yefremov

Tue Jul 02 08:10:26 2019

On Sat, Jun 29, 2019 at 10:39 AM Roy Marples <roy@xxxxxxxxxxxx> wrote:
>
> On 29/06/2019 07:42, Yegor Yefremov wrote:
> > On Fri, Jun 28, 2019 at 10:22 AM Roy Marples <roy@xxxxxxxxxxxx> wrote:
> >>
> >> On 21/06/2019 10:46, yegorslists@xxxxxxxxxxxxxx wrote:
> >>> From: Yegor Yefremov <yegorslists@xxxxxxxxxxxxxx>
> >>>
> >>> Software Package Data Exchange identifiers help to detect source file
> >>> licenses and hence simplify the FOSS compliance process.
> >>
> >> Just wondering how this works with the compat directory?
> >> On NetBSD-current for example, none of it is used, but on Linux all of it
> >> is used.
> >
> > You're right. I've missed this folder. I'll add the SPDX identifiers
> > there.
>
> src/dev folder too.
>
>
> > As you've mentioned, they will be of relevance only for Linux.
> >
> >  From briefly looking at the code it contains at least BSD-2c and
> > BSD-3c license texts :-)
>
> OpenBSD as well. I think SPDX classifies that as ISC.
> There is also the matter of consttime_memequal which is licensed as
> Public Domain which SPDX seems to avoid:
> https://wiki.spdx.org/view/Legal_Team/Decisions/Dealing_with_Public_Domain_within_SPDX_Files
>
> Anyway, my question was more along the lines of how SPDX works.
> If no compat is used then it should be marked as BSD-2 only - but it
> can't tell this without running configure.
>
> So should we even mark the compat folder with SPDX?
>
> I don't know enough about the intent or scope of SPDX to answer this and
> it wasn't clear on their website.
> This is why I'm hesitant to go down this route - you need to know the
> license dhcpcd builds with, not just what it bundles as a whole which
> makes the intent of SPDX almost useless for dhcpcd.

I would also like to have a definitive guide for FOSS compliance.
There is an interesting paper [1] about making FOSS projects compliant
but it's merely a motivation and not a definitive guide.

AFAIK SPDX identifiers help to identify source file license and not
what will be built and shipped (there should be other tools taking
care of that and using SPDX identifiers). Having them (identifiers)
makes a compliance process easier, especially for the projects having
source parts under different licenses.

As for the Public Domain I'd say it should be mentioned in a central
README file and be also marked in the header of the source file.

[1] https://www.linuxfoundation.org/publications/2018/03/license-scanning-compliance-programs-foss-projects/

Regards,
Yegor
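
Added example, not part of the original message and not dhcpcd code: a sketch of the kind of tool the thread refers to, one that reads per-file SPDX tags and reports the license set of what a given build compiled rather than of the whole tree. The file paths, file contents and build manifests are constructed for illustration, and the build manifest is assumed to come from the build system after configure has run.

```python
import re

# SPDX short-form tag as it appears in a source comment, e.g.
#   /* SPDX-License-Identifier: BSD-2-Clause */
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([^\r\n]*)")
# Expression operators; an exception name following WITH is reported as-is.
OPERATORS = {"AND", "OR", "WITH"}

def file_licenses(text, head_lines=20):
    """Return the ids named by the first SPDX tag in the file header, or None."""
    head = "\n".join(text.splitlines()[:head_lines])
    m = SPDX_TAG.search(head)
    if not m:
        return None
    expr = m.group(1).replace("*/", " ").replace("(", " ").replace(")", " ")
    ids = {tok for tok in expr.split() if tok.upper() not in OPERATORS}
    return ids or None

def license_report(tree, built):
    """tree: {path: source text}; built: set of paths the build compiled."""
    report = {"tree": set(), "build": set(), "untagged": []}
    for path, text in sorted(tree.items()):
        ids = file_licenses(text)
        if ids is None:
            # No tag at all (e.g. a public-domain file): needs manual review.
            report["untagged"].append(path)
            continue
        report["tree"] |= ids
        if path in built:
            report["build"] |= ids
    return report

# Constructed sample tree (hypothetical paths and contents, not dhcpcd's files).
SAMPLE_TREE = {
    "src/main.c": "/* SPDX-License-Identifier: BSD-2-Clause */\nint main(void) { return 0; }\n",
    "compat/a.c": "/* SPDX-License-Identifier: BSD-3-Clause */\n",
    "compat/b.c": "// SPDX-License-Identifier: ISC\n",
    "compat/pd.c": "/* Written by Example Author. Public domain. */\n",
}
# Constructed manifests: one platform needs no compat code, the other all of it.
BUILD_NO_COMPAT = {"src/main.c"}
BUILD_ALL_COMPAT = set(SAMPLE_TREE)

if __name__ == "__main__":
    for name, built in (("no compat", BUILD_NO_COMPAT), ("all compat", BUILD_ALL_COMPAT)):
        r = license_report(SAMPLE_TREE, built)
        print(name, sorted(r["build"]), "untagged:", r["untagged"])
```

The same tagged tree yields a different license set per build, and the untagged file surfaces separately instead of being silently counted under any license.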
