Consider adopting/support SPDX licence identifiers

[hvr]

See table at https://spdx.org/licenses (or http://git.spdx.org/?p=license-list.git;a=summary) and or SPDX spec at http://spdx.org/SPDX-specifications/spdx-version-2.0

In addition to a comprehensive list of software-licences, SPDX 2.0 also specifies an "license expression syntax":

This new syntax supports the ability to use a simple “+” operator after a license short identifier to indicate “or later version” (e.g. GPL-2.0+). It also supports the ability to declare an SPDX-identified license exception using the “WITH” operator (e.g. GPL-2.0+ WITH Autoconf-exception-2.0). SPDX has defined a list of license exceptions to use after the “WITH” operator.

This was suggested in http://www.reddit.com/r/haskell/comments/338eg9/could_we_update_distributionversion_to_recognize/cqiyep4

/cc @dcoutts @cartazio

[23Skidoo]

I remember @dcoutts being against adding support for every possible license in existence. But the license expression syntax looks good.

[dcoutts]

Well there's two issues, one is discouraging license proliferation, but the main one is whether we want to move to the license field being a precise specification or just a general indicator. Historically it has been more of a general indicator. If we want it to be precise then we should address it in one go, not piecemeal. So that would include the ability to express dual licensing etc. I'm happy to consider externally specified syntax & semantics.

[hvr]

Regarding dual-licensing, I stumbled over http://wiki.spdx.org/view/SPDX_FAQ which suggests:

Q: How does one represent a file or package that is dual licensed (i.e., a license choice)?
A: SPDX license information can be represented using conjunctive or disjunctive regular expressions. For example, a file that is dual licensed under either the GPL-2.0 or MIT would be represented using the following disjunctive expression: (GPL-2.0 or MIT).

Q: How does one represent a file that is licensed under two or more licenses?
A: SPDX license information can be represented using conjunctive or disjunctive regular expressions. For example, a file that is subject to the Apache-2.0, MIT and GPL-2.0 would be represented using the following conjunctive expression: (Apache-2.0 and MIT and GPL-2.0).

[hvr]

Btw, there's the design aspect of whether we want to accurately describe packages with "configuration conditional licensing", consider as a practical example e.g. zlib.cabal which conditionally uses 3rd party code:

name:            zlib
version:         0.6.1.0
copyright:       (c) 2006-2015 Duncan Coutts
license:         BSD3
...
  if !os(windows)
    -- Normally we use the the standard system zlib:
    extra-libraries: z
  else
    -- However for the benefit of users of Windows (which does not have zlib
    -- by default) we bundle a complete copy of the C sources of zlib-1.2.8
    c-sources:     cbits/adler32.c cbits/compress.c cbits/crc32.c
                   cbits/deflate.c cbits/infback.c
                   cbits/inffast.c cbits/inflate.c cbits/inftrees.c
                   cbits/trees.c cbits/uncompr.c cbits/zutil.c
    include-dirs:  cbits
    install-includes: zlib.h zconf.h

So, in this case, for Windows the effective license would be (in SPDX style): "BSD-3-Clause and Zlib", while on non-Windows installs it would be a plain "BSD-3-Clause"

[amigalemming]

Herbert's example suggests that it should be allowed to mention License within ifs.

[lambda-fairy]

There is an existing implementation at https://hackage.haskell.org/package/spdx

[phadej]

I'd keen to hear reviews of mentioned package :)

[phadej]

Also few comments about SPDX:

• Majority of packages on hackage are under BSD3 license, which should be BSD-3-Clause to conform with spdx
• AllRightsReserved and PublicDomain are problematic. they should be something like LicenseRef-AllRightsReserved - I have no idea if there are any on Hackage (first probably shouldn't be accepted at all).
• It could be possible to use SDPX license identifiers amended with current license ids, BSD3, GPL-2 (spdx has GPL-2.0). OR at least use this approach during transition period with friendly warning encouraging to change to the proper SPDX format.
• some situations are still tricky, e.g. https://hackage.haskell.org/package/cmaes-0.2.2/src/LICENSE
  • IMHO that is (GPL-2.0 OR GPL-3.0) AND MIT which essentially is GPL-2.0 OR GPL-3.0, for the user of the library

and obviously i'm 👍 for this to happen.

Of course one cannot blindly trust the license field in cabal file, we should check actual license-file. But that is a bit different problem. I previously have done an experiment, majority of license files are generated by cabal-install so they are easy to recognise/verify programmatically. Yet I personally didn't had to distribute binaries, so didn't dig further into the problem. Don't know if some commercial users actually have tooling for this. (It doesn't have to be in Cabal).

EDIT there is https://github.com/jaspervdj/cabal-dependency-licenses

[23Skidoo]

So we decided that SPDX is the way forward and @phadej agreed to implement SPDX support for the 2.2 release.