Comments (10)
Just stumbled upon these issues (#49 and #50). In ClearlyDefined we are using SPDX identifiers like crazy (that's literally all we support) and have found there are four distinct cases:
- There is a valid SPDX identifier. Great. Use it
- There is some sort of license-ish thing but we can't figure out what it is or it does not have an SPDX id. == NOASSERTION
- We looked as best we could and could not find anything license related == NONE
- Did not look. == Leave the value blank, null, whatever
In the overall compliance workflow this corresponds to
- Great. I can analyze the license terms and carry on
- Sigh, I need to track down that license info, break out the lawyers and figure things out
- Dang! Really? It's 2019 and there is no license?! Better go contact the project team and see what's up
- Hmmm, I have basic work to do
These distinctions also help in the "curation" process to let subsequent users of the data understand the work that has (or has not) been done.
As for including these in expressions, we found the need to allow for these in expressions to support expression aggregation, simplification and comparison.
For example, we find some repo that has files with a mess of different licenses. We'd want to aggregate these by AND'ing them all together. At the same time you'd want to simplify to remove redundant expression clauses. Since any given file could have NOASSERTION or NONE license value, that should be carried through to get a possible final expression like MIT AND NOASSERTION AND NONE
. The end user can then understand what work they have to do (see above).
@dabutvin did some work in ClearlyDefined expression parsing and satisfaction down this path.
from spdx-spec.
Use case from Gary: how know part of the information, but not all, so useful to understand what still need to be done. ie. may know that 20 different license apply, but there is part un-analyzed. So this is a good way to represent. There are other ways to represent.
from spdx-spec.
Steve ok with if there are use cases in the practice. Key don't want to mandate it as every package has "AND NOASSERTION". We don't want to see this abused. If empty file use case discussed - and it should not require "AND NOASSERTION" at the package level. Ok to put on the file.
Note: not clear about using "OR NOASSERTION" what use case would this represent?
from spdx-spec.
OR NOASSERTION
, at the very least comes up through typos and the like. For example, 'GPL-3.0 OR MTI. Here the MTI should have been MIT but was mistyped. If we are to mechanically reason about this it would be great to convert it to
GPL-3.0 OR NOASSERTION`. That way it just flows through the system like any other expression and in the end the user sees the NOASSERTION and deals with it as described above.
from spdx-spec.
Moving this to be discussed for 3.0 as it may result in incompatibilities, and assigning to Steve to weigh in on.
from spdx-spec.
Just commented on similar topic in #49 (comment):
Reviewing these older issues, I don't see a benefit to adding NOASSERTION into the license expression syntax. It is already defined with a particular meaning in e.g. the Declared License / Concluded License fields.
from spdx-spec.
Just commented on a similar topic in #49:
From a tooling perspective, a license expression for a declared license is commonly constructed through machine analysis of discovered licenses and inserting the appropriate AND
and OR
's. If during that analysis a license is identified as NONE
or NOASSERTION
, it would be useful to include that information in the resultant license expression.
If we did not support NONE
and NOASSERTION
in the license expression, what would be the proposed result in the above scenario? If you declare the entire package or file as NONE
or NOASSERTION
you loose a lot of valuable information on the discovered licenses. If you don't include the NONE
or NOASSERTION
than you may miss an important flag that some manual review of the analysis is required.
from spdx-spec.
Thanks @goneall -- I just commented in the other thread (here) but just to close the loop here too, I'm convinced that the use case you described is worth supporting. I withdraw my earlier objection :)
My only comment in this case (as compared to NONE
) is similar to one that I think I voiced when we discussed this on a tech team call last year (see above). For NOASSERTION
in particular, I'd encourage that we should make it clear in the drafting that it is not mandatory to use NOASSERTION
in license expressions.
Mostly I want to avoid establishing a practice where e.g. any time an SPDX document creator isn't sure that they are accounting for every byte in a file, that they believe it's required to add AND NOASSERTION
to every expression. I think that could result in unnecessarily complicating common license expressions with minimal additional benefit. Put another way, I'd generally expect that using AND NOASSERTION
or OR NOASSERTION
should typically be the exception rather than the rule, and it might be worth explicitly stating that in the spec.
from spdx-spec.
Mostly I want to avoid establishing a practice where e.g. any time an SPDX document creator isn't sure that they are accounting for every byte in a file, that they believe it's required to add AND NOASSERTION to every expression.
Completely agree - if it became a common practice it would loose meaning. If it is used in an expression, it would be a really good practice to include a license comment to describe why.
from spdx-spec.
It looks like the SPDX 3.0 license expression still does not include NOASSERTION. Since this would not be a breaking change, I'm moving this to the 3.1 milestone.
from spdx-spec.
Related Issues (20)
- SpecVerion should be SpecVersion
- ABNF grammar of Annex D and case-sensitivity
- Current Version on spdx.dev is still 2.3 HOT 5
- List not displayed correctly in 4.2 RDF Serialization HOT 1
- Wrong display for strikethrough text HOT 1
- Copyright information in mkdocs.yml need an update for v3.
- Deadlinks for /Core/DateTime, /Core/PresenceType, etc. HOT 2
- ontology/ directory is no longer updated - suggest deletion HOT 6
- The SPDX 3.0 HTML page does not have the version selection dropdown HOT 3
- The PDF version of the 3.0 specification is broken HOT 1
- Several TODOs in specification version 3.0.0 HOT 2
- Consider more prominently presenting Annex B in the 3.0 spec documentation
- https://spdx.github.io/spdx-spec/latest/ redirects to v2.3 HOT 1
- publish_common.yml made a reference to non-existing mike version (1.2.0)
- Version selector dropdown: Removing RC versions of the versions with stable release?
- Inclusion of Glossary in the spec document? HOT 1
- The software Profile contains the property `None` HOT 1
- The 3.0 spec really want you have the Core tree expanded HOT 2
- The diagrams from the model aren't showing up for the 3.0 spec HOT 2
- Setting up spdx.github.io website without project name
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spdx-spec.