[AppStream] Generalized SPDX licenses for metadata license

Matthias Klumpp matthias at tenstral.net
Tue Jan 5 14:34:06 UTC 2021


On Tue, 5 Jan 2021 at 10:11, Richard Hughes <hughsient at gmail.com> wrote:
>
> On Tue, 5 Jan 2021 at 02:33, John Scott <jscott at posteo.net> wrote:
> > Is this the minimum set of licenses which implementations may
> > accept, or the maximum?
>
> It's an enumerated list, i.e. the only licence tag values allowed.
>
> > It would be an artificial restriction for implementations not to be allowed to
> > accept others
>
> A deliberate restriction I'm afraid.
>
> > It is my hope that the AppStream specification retains its rationale for
> > choosing permissive licenses, and enumerates its recommendations, but it be
> > stated at least that using any other license identifier, SPDX or otherwise,
> > results in unspecified or implementation-defined behavior.
>
> Various legal teams need to agree on the combined set of licence
> terms, it's not as easy as just adding one line in the spec and hoping
> all the various generators and consumers of AppStream (be they
> software components, or multi-billion dollar corporations) are
> presumably okay with the changes. Changing anything to do with
> licencing needs to be done super carefully.

At the moment, the AppStream specification indeed just says
"permissive licenses" and gives some examples, but the AppStream
implementation has a whitelist of vetted licenses and will not permit
any other license.
TBH, at the moment I am very much inclined to change the specification
to just allow the currently already whitelisted set of licenses, and
do away with the "any permissive" wording from the original draft.
Checking each and every license is time consuming, and given that tiny
license snippets like FSFAP exist to fulfill the permissiveness
requirement, adding any permissive license on the planet seems
pointless. One could argue that we only have to add the "popular"
licenses, but experience has shown that eventually given enough time,
each and every developer will have requested their favourite license
to be added.

And at the moment, I feel safe with the list that has seen some legal
review, and I see zero advantages for adding more licenses to the
whitelist. So unless there is any justification that I am missing, I
think the best solution to remove this discrepancy is to change the
specification to just permit the same whitelist as the implementations
as well.

Cheers,
    Matthias




-- 
I welcome VSRE emails. See http://vsre.info/

