appendix-IV: Refactor the license expression appendix

[wking]

This is a large diff, but I aimed for restructuring/polishing without changing the end result. I did make a few minor, intentional changes:

• Extended license-id to include appendix I.3 (deprecated licenses). We don't want folks using these in license expressions (because they're deprecated), but they are valid (or we would have removed them instead of just deprecating them). That means that in some cases the nature of a string is unclear. For example GPL-1.0+ could be the depreacted license-id, or it could be a simple-expression using the non-deprecated GPL-1.0 license-id and the + operator. I don't think that's a problem though, because I can't think of a case where the ambiguity would matter.

• I've allowed + for license-ref (it used to be only for license-id). There could be external licenses which offer a choice between only-this-version and or-later grants, and allowing + for license-ref makes it easier to support those licenses as they transition into the SPDX License List. This isn't a big deal, but it avoids needing separate license-refs for the only-this-version and or-later grants if you need both.

• I've added explicit whitespace handling, vs. the previous version which just discussed it in the text. That way the ABNF is the sole source of normative syntax information.

• I've added enclosed-license-expression, so consumers like the tag:value format can suggest/require it. This allows for more precision in consumers (e.g. appendix V should be updated to require enclosed-license-expression), but I've left those other sections alone for this commit. Ideally the tag:value line would be moved to a separate section that defined the tag-value format, but we don't have such a section yet.

Also, it seems odd that there's no way to define an external license exception (LicenseExceptionRef?). But I haven't touched that in this commit.

The RDF/XML bindings seem to have some holes around the + and WITH operators. I've left some FIXMEs where I think we need adjustments.

[wking]

Cross linking:

• An old spdx Bugzilla issue with ABNF discussion.
• What does the spec say about parentheses? jslicense/spdx-expression-parse.js#20 with ABNF discussion.

[sschuberth]

FYI, I already had implemented LicenseExpressionParser: Allow "+" as part of license-refs as part of spdx/tools#66, but back then we couldn't reach a consensus about that on the mailing list IIRC, so I closed my PR unmerged.

[goneall]

@sschuberth - Do you recall where we left the conversation? I couldn't easily find the email thread. In reviewing your pull request, the tool changes look reasonable but I don't recall if there was a concern raised earlier.

[wking]

Some previous discussion in [1,2,3,4]. [4] looks like #16. But I haven't gone through those threads carefully enough to post a summary yet. [1]: https://lists.spdx.org/pipermail/spdx-tech/2015-October/002855.html Subject: Is "+" a valid character of a LicenseRef idstring? Date: Wed Oct 28 09:28:20 UTC 2015 [2]: https://lists.spdx.org/pipermail/spdx-tech/2015-November/002874.html Subject: Is "+" a valid character of a LicenseRef idstring? Date: Mon Nov 2 09:56:47 UTC 2015 [3]: https://lists.spdx.org/pipermail/spdx-tech/2015-December/002966.html Subject: [Bug 1333] New: SPDX SPEC fails to discuss whitespace Date: Tue Dec 8 16:54:54 UTC 2015 [4]: https://lists.spdx.org/pipermail/spdx-tech/2015-December/002986.html Subject: [Bug 1326] Inconsistency whether "+" is a valid character in LicenseRef ID strings Date: Tue Dec 22 18:17:39 UTC 2015

[sschuberth]

@goneall, I also couldn't find the email thread again, but AFAIR my PR would need to take the SPDX version into account, which would have made the already quite ugly code even more ugly, so I decided to not further work on this.

[goneall]

After reading through the history, it looks like we decided to deprecate the + in the license ID's which would allow for it to be used in license-ref's for version 2.1 or later.

I'll think about the code a bit more - I agree with @sschuberth that it would be quite messy to check for the version. That being said, we should update the tools to handle this case.

[goneall]

Made a complete pass through and suggested items for FIXME's plus a few additional comments

[goneall]

The following text can be added:
The + operator can be expressed in XML via a <spdx:OrLaterOperator> element, with a single spdx:member property for the license preceeding the + operator.

 <spdx:OrLaterOperator>
      <spdx:member rdf:resource="http://spdx.org/licenses/GPL-2.0"/>
 </spdx:OrLaterOperator>

[wking]

Addressed in cf8decf → 9c8d189.

[goneall]

There is another SPDX class that needs to be described. The With operator:

The WITH operator can be expressed in XML via a <spdx:WithExceptionOperator> element, with an spdx:member property for the license and an spdx:licenseException property for the exception.

 <spdx:WithExceptionOperator>
      <spdx:member rdf:resource="http://spdx.org/licenses/GPL-2.0"/>
      <spdx:licenseException rdf:resource="https://spdx.org/licenses/FLTK-exception">
  </spdx:WithExceptionOperator>

[wking]

The WITH operator can be expressed in XML via a <spdx:WithExceptionOperator> element…

That makes sense to me. But I expect we want to drop the <spdx:LicenseException> element, because as far as I can tell we provide no other way for authors to define exceptions. They can only use exceptions from our list, or they can define a LicenseID-* that includes both the license and the exception. But I see nowhere outside of this appendix that suggests they can define their own exceptions.

[goneall]

The reference for the <spdx:LicenseException> is still of value for those wanting to parse the details out of the exception. We may want to move this to a different section, however, so we don't confuse the reader as to whether they can define license exceptions. Feel free to remove it for now and we can add it back in when we document the other fields.

[goneall]

binary-license-operator -> binary-compound-operator

[wking]

binary-license-operator -> binary-compound-operator

I'll go with binary-expression-operator because the arguments are license-expressions.

[wking]

Addressed in cf8decf → 9c8d189.

[goneall]

SHOULD -> MUST - this is a rule we agreed to to enable machine parsing

[wking]

SHOULD -> MUST - this is a rule we agreed to to enable machine parsing

But 2.1 uses:

For the Tag:value format, any license expression that consists of more than one license identifier and/or LicenseRef, should be encapsulated by parentheses

I think making this stricter without a major version bump is a bit dicey, especially with wild exceptions that don't set those enclosing parens.

On the other hand, the tag:value format is currently poorly spec'ed, so I guess we can always tell broken docs and tools “sorry, but you should have known you were making assumptions about the eventual format once it was spec'ed out”.

[goneall]

@wking Good point - I would like to "correct" the 2.1 spec.

This was highly debated at the time, but I believe there was a consensus to require the parenthesis. I do know that my parser would break without the parenthesis and I believe the syntax is ambiguous making it unreliable for any implementation of a parser for tag/value @kestewart - let me know if you agree we can change this to "must".

[wking]

I do know that my parser would break without the parenthesis and I believe the syntax is ambiguous making it unreliable for any implementation of a parser for tag/value…

Parsers can be patched, but the data they're parsing may be historical (like the wild example I link above). I'm interested in having new parsers be able to parse as many existing declarations as is reasonably possible. I'm less worried about breaking existing parsers.

[goneall]

@wking This was discussed and resolved during 2.1 development that tag/value files need parenthesis if the expression is complex. I consider it a defect in the spec that this wasn't worded as a must. The reference to parsers is just pointing out the implications of not documenting what was agreed to.

Since you disagree, why don't you keep it as should and I'll create my own pull request after yours is complete to change it to must. That way it will not appear that you are requesting a change that you disagree with. We can then pick up the debate on the new pull request.

[pombredanne]

IMHO In most cases parens are not needed and just make the expression heavier and ugly looking for no good reason. I think that rather than mandating them, we should relax their use in upcoming spec versions.

Also in the common case it never makes sense to have multi-line expressions .... so we should IMHO state that expression MUST be a single line. In doing so you make things cleaner and simpler.

[wking]

IMHO In most cases parens are not needed and just make the expression heavier and ugly looking for no good reason.

“We want an unambiguous way to identify the end of this value” is a good reason. Requiring (or at least strongly recommending) enclosing parens is one way to do that. Defining clear folding-whitespace rules (#44, #45) is another way. Forbidding newlines in values is a third way. All of those approaches have pros and cons, especially in the context of (backwards) compatibility.

And debating this particular issue was not a priority for this PR. Just tell me what I need to say here to get this landed, and we can come back and kick this particular point around in follow-up work (e.g. #44 and #45).

[goneall]

I think this is a missing spdx:member which should enclose the ExtractedLicensingInfo

[wking]

Addressed in cf8decf → 9c8d189.

[wking]

I've pushed cf8decf → 9c8d189 addressing some of @goneall's points and including a few more copy-edits. Outstanding issues are:

• Whether we want to keep <spdx:LicenseException> now that we're adding <spdx:WithExceptionOperator> (thread).

• Whether we want SHOULD or MUST for tag:values using enclosed-license-expression (thread).

[wking]

I've pushed 9c8d189 → 922031a dropping <spdx:LicenseException> and adding <spdx:WithExceptionOperator> now that @goneall gave that a green light. We may come back to external extention definitions in follow-up work.

We've also agreed to punt the tag:value enclosed-license-expression SHOULD/MUST to follow-up work.

I'm not aware of any outstanding change requests for this PR.

[goneall]

@wking thanks for all the updates. I like the current state of the files.

@kestewart if you get a chance - could you review as well? I would like to merge this in so that I can re-raise the must/should parenthesis discussions.

[pombredanne]

I've allowed + for license-ref (it used to be only for license-id). There could be external licenses which offer a choice between only-this-version and or-later grants, and allowing + for license-ref makes it easier to support those licenses as they transition into the SPDX License List. This isn't a big deal, but it avoids needing separate license-refs for the only-this-version and or-later grants if you need both.

This does not make sense to me at all. A ref is a ref. This is not an ID. This is easy to implement but just has no clear basis. And it opens a can of worms that make things complicated otherwise. Should you have one text for each of a + and base ref version or only one?

[wking]

On Tue, Nov 14, 2017 at 08:29:58AM +0000, Philippe Ombredanne wrote: > I've allowed + for license-ref (it used to be only for license-id)… This does not make sense to me at all. A ref is a ref. This is not an ID.

I see very little space between license identifiers defined on the license list (e.g. ‘GPL-3.0’) and a license identifier defined by a third party (e.g. ‘LicenseRef-MIT-Style-1’) besides whether you have commit rights to the SPDX license list. In both cases, there is a license, and somebody is giving it a handful of characters as an identifier. I don't see a reason to support operators for identifiers coined by the SPDX but then to not support those same operators for identifiers coined by someone else.

And it opens a can of worms that make things complicated otherwise. Should you have one text for each of a + and base ref version or only one?

Only one. This is somewhat up in the air with [1]'s hard-coded approach which removes the + operator entirely (or maybe just in some cases?). But regardless of how that shakes out, the motivation here is to treat SPDX-created IDs and third-party-created IDs with the same logic. So however many copies of the GPL 2.0 the SPDX wants to keep to support its various versioned grants, third parties should be able to keep that many as well, and use the same operators to craft grants based on their LicenseRef identifiers. [1]: https://wiki.spdx.org/view/Legal_Team/Minutes/2017-11-09#Agenda

[wking]

I've pushed 922031a → eafa739 which restores semantic docs for + (which I'd accidentally dropped with 922031a) and adds a new explanation of the AGPL-1.0+ based on this reasoning.

[wking]

I've pushed 649889f -> afc5c1e, rebasing onto master (around conflicts with eafa739 and b971d8d). I've also adjusted to the new -only and -or-later forms which happend in license list v3.0 and added a paragraph addressing case-senstivity for #63. We should get spdx/license-list-XML#651 landed an a list release cut so we have a nice place to link from the spec when discussing case-uniqueness commitments. Once that happens, I'll rebase this PR again to pick up the nicer link.

[iamwillbar]

@goneall and @kestewart, what are your thoughts on this PR for 2.2 vs 3.0?

[goneall]

@iamwillbar @kestewart I'm thinking 3.0. There are a large number of issues mixed into this one PR. Resolving all of these will likely take a few tech calls.

[wking]

I'm happy to split this up if you want to lay out how you want it divided :)

[goneall]

@wking Thanks for the offer to split it up. I think the controversial items to be excluded would be the + operator changes for licenseRef's and the parenthesis "MUST" requirement.

The fixes to the RDF would be nice to get into the 2.2 release.

@kestewart Can you take a look and let us know if you agree with that split.

[kestewart]

Closing this as stale. If disagree, please reopen.

[goneall]

This PR is rather stale - closing. If we want to refactor, we should refactor the current version in the development/v3.0 branch.