linux-spdx.vger.kernel.org archive mirror
From: Thomas Gleixner <tglx@linutronix.de>
To: J Lovejoy <opensource@jilayne.com>
Cc: John Sullivan <johns@fsf.org>, linux-spdx@vger.kernel.org
Subject: Re: Meta-question on GPL compliance of this activity
Date: Thu, 23 May 2019 08:06:54 +0200 (CEST)
Message-ID: <alpine.DEB.2.21.1905230751220.1770@nanos.tec.linutronix.de>
In-Reply-To: <0D762992-918F-4901-8355-F258DAAB88EA@jilayne.com>


On Wed, 22 May 2019, J Lovejoy wrote:
> > On May 22, 2019, at 3:10 PM, John Sullivan <johns@fsf.org> wrote:
> >> When a license defines a recommended notice to attach to files under
> >> that license (sometimes called a "standard header"), the SPDX project
> >> recommends that the standard header be included in the files, in
> >> addition to an SPDX ID.
> > 
> >> Additionally, when a file already contains a standard header or other
> >> license notice, the SPDX project recommends that those existing notices
> >> should not be removed. The SPDX ID is recommended to be used to
> >> supplement, not replace, existing notices in files.
> > 
> >> Like copyright notices, existing license texts and notices should be
> >> retained, not replaced ‐ especially a third party's license notices.
> > 
> 
> That text is from the SPDX website and is very generalized, conservative
> and non-contextual. The reality we live in today is that people are
> choosing to use the SPDX identifiers in their files instead of the full
> license text (for MIT) or the standard license notice (for Apache-2.0 or
> GPL), etc. - this is good because SPDX identifiers are more concise and
> easier for tooling to parse. Even when there is a standard license
> header recommended, like the GPL has done, it doesn’t get faithfully
> reproduced which causes headaches for tooling to parse even when the
> intent is clear. This is what Thomas is dealing with and you can see the
> many examples of this on the many other emails on this list.

Just to add some more context why we are doing this:

The first and most important reason is that - as demonstrated with this
work already - the tools are lost on identifying the correct meaning of all
the 700+ variations of expressing just GPL licensing terms. We're not
talking about the other 80+ license variants (some of them are of dubious
nature) yet.

Right now as things stand it is simply _impossible_ for SMBs to do proper
license compliance on the kernel. That's a situation which we cannot
proliferate forever and waiting for everyone and his dog to clean that up
on their own will take at the current rate and interest 10 years plus. In
fact it will never finish because people are no longer reachable,
companies are gone ...

As long as that persists any company who cannot afford to pay the price for
wading through that mess manually is going to be an easy target for
licensing trolls.

But even companies who can afford it win a nice excuse why they did not
comply as it's possible for them to demonstrate that they did all that they
could, but the unholy mess is responsible for them to fail. That has been
used as an argument successfully already :(

If we keep all the silly variants of license references/notices around and
just add SPDX identifiers then we are back to square one with this. For
compliance you have to scan EVERYTHING which looks like license
information. So then you end up with the same heuristic guesswork to figure
out whether the SPDX identifiers are matching the random mess we left in
place. IOW, we just kept the status quo and the SPDX identifier degenerated
to a hint.

I appreciate that lawyers are trying to minimize the risk, but can we
pretty please be pragmatic and keep the priority on making compliance
possible in the first place? That serves everyone, the contributors and the
downstream users.

FWIW, the same procedure (smaller scale) has been conducted on the u-boot
project a few years ago already and to the best of my knowledge nobody has
come forth and made a fuss about that approach.

Thanks,

	Thomas
