[Bug 1292] New: What is the correct license expression for a project with an additional patent license?

Wheeler, David A dwheeler at ida.org
Wed Jun 17 12:37:48 UTC 2015 

Perhaps the "WITH" operator's definition needs to be extended.  Instead of this definition: 
> The WITH operator semantically implies that a given license applies 
> except under certain special circumstances....

Perhaps "WITH" should mean "Modify the license listed on the left, by appending the text referenced on the right".  In short, "WITH" could be used for exceptions, but also for clarifications and other modifications.  There are many common "riders" on licenses that are not licenses themselves, but common modifications/clarifications to them.

Then "AND" continues to mean "must comply with both licenses on the left and right", while "OR" continues to mean "must comply with one of the licenses listed on the left or right".   These don’t modify licenses. 

--- David A. Wheeler



-----Original Message-----
From: spdx-legal-bounces at lists.spdx.org [mailto:spdx-legal-bounces at lists.spdx.org] On Behalf Of Kyle E. Mitchell
Sent: Tuesday, June 16, 2015 1:23 PM
To: Gisi, Mark
Cc: spdx-tech at fossbazaar.org; spdx-legal at lists.spdx.org
Subject: Re: [Bug 1292] New: What is the correct license expression for a project with an additional patent license?

Mark,

Many thanks for your response!

React
-----

In their defense, Facebook's licensing hygiene is actually well above the norm in the JavaScript/Node.js community, which tends to use a single LICENSE file and SPDX ID per project. (Copy-and-paste reuse is also less of a concern. Packages are often << 1KLOC.) The files that end up in the tarball for distribution via package manager are consistently marked:

```bash
$ cd /tmp
$ mkdir react-audit
$ cd react-audit
$ # Install the React package from repository.
$ npm install react
$ # Change to the installation directory.
$ cd node_modules/react
$ # Recursively search for files without "BSD".
$ fgrep -riL BSD .
./addons.js
./lib/EventListener.js
./README.md
./react.js
```

EventListener has an Apache-2.0 header. The other source files are one-line `require` calls, akin to `#import <react>` in the C world.
They're really just shims to make paths work.

The files in the Git repository without license headers are mostly build chain configuration and tests. There are also some code examples under a non-open source license and documentation under a CC license.


SPDX Expression
---------------

It sounds like we're agreed that BSD-3-Clause plus an additional patent grant is a fundamentally different kind of combination of reusable license terms than AND and OR. Is that a case for another combination operator in SPDX expressions?

To try and put a finer point on it:

x AND y := contains code licensed per and code licensed per y

x OR y := contains code licensed per choice of x or y

x PLUS y := contains code licensed per combination of x and y

"PLUS" is just a stand-in here. Another name may be appropriate.

K

On Tue, Jun 16, 2015 at 07:46:13AM +0000, Gisi, Mark wrote:
> From a compliance perspective Facebook/React project presents a common 
> nightmare situation. For example some files explicit state (e.g.,
> React.js):
>
>  * Copyright 2013-2015, Facebook, Inc.  All rights reserved.
>  *
>  * This source code is licensed under the BSD-style license found in 
> the
>  * LICENSE file in the root directory of this source tree. An 
> additional grant
>  * of patent rights can be found in the PATENTS file in the same directory.
> 
> While other files have no copyright/license notice (e.g., 
> Gruntfile.js, vendor/jasmine/diff.js, jasmine.js, src/test/all.js,
> ...) . Does that mean the Patent license is only available to some 
> files but not others. The project's license hygiene is questionable.
>
> >> Better to roll the BSD-3-Clause and additional patent grant into 
> >> one "Facebook BSD License", akin to the Apple MIT variant (AML)?
> 
> This would be preferred if such a list identifier existed. Until that 
> days comes, one could roll both licenses up into a single license 
> reference (e.g., LicenseRef-Facebook-BSD-Patent).
>
> The WITH operator semantically implies that a given license applies 
> except under certain special circumstances. Therefore I am not sure an 
> exception makes sense here.
>
> AND typically implies two sets of license terms apply. Not sure yet if 
> it makes sense to make FB-Patents-2.0 a full-fledged license (a 
> decision for the legal team). Alternatively one could use BSD-3-Clause 
> AND LicenseRef-FB-Patent.
>
> For now I think LicenseRef-Facebook-BSD-Patent is an adequate 
> representation.
>
> - Mark
> 
> -----Original Message-----
> From: spdx-tech-bounces at lists.spdx.org 
> [mailto:spdx-tech-bounces at lists.spdx.org] On Behalf Of Kyle E. 
> Mitchell
> Sent: Monday, June 15, 2015 12:01 PM
> To: Sam Ellis
> Cc: spdx-tech at fossbazaar.org; spdx-legal at lists.spdx.org
> Subject: Re: [Bug 1292] New: What is the correct license expression for a project with an additional patent license?
> 
> Many thanks for your generous reply, and for sending so quickly.
> 
> Forgive me if I'm behind on general discussions about the purpose and function of SPDX expressions. I understood their purpose rather more as a coding system for what terms purportedly apply than a way to state a fully formed legal conclusion.
> 
> I suppose I tended toward this view especially given that American lawyers are known to differ on what various standard licenses actually do. The license plus additional patent grant situation exacerbates these problems, I think, in a few ways:
> 
> 1. There likely won't be any record of acceptance of either the
>    BSD-3-Clause terms or the patent grant terms. Defendants will claim
>    to have accepted whatever licenses grant protection they need once
>    hauled into court.
> 
> 2. The existence of the additional patent grant might very well affect
>    an American court's view of what (if any) patent license is implied
>    by BSD-3-Clause. General principles of contract interpretation will
>    read both licenses, as contemporaneous agreements on the same subject
>    matter, together.
> 
> 3. The patent license and BSD license are separate files in the source
>    code repository, and I think it clear that clause 1 of the BSD
>    license does _not_ require redistribution with a copy of the
>    additional patent license.
> 
> 4. On the other hand, the additional grant is entitled "Additional
>    Grant...", and the read-me file and other documentation repeatedly
>    mention the application of both licenses.
> 
> One upshot is that a program designed to check SPDX metadata against a white list of licenses may very well want to assess the "BSD-3-Clause"
> in (BSD-3-Clause) differently than in (BSD-3-Clause AND/OR/WITH FB-Patents-2.0).
> 
> If the answer here is to allow variants with each of AND, OR, and WITH, does that mean that the additional patent grant should hypothetically seek both a license identifier and a license exception identifier?
> Better to roll the BSD-3-Clause and additional patent grant into one "Facebook BSD License", akin to the Apple MIT variant (AML)?
> 
> Many thanks,
> K
> 
> On Mon, Jun 15, 2015 at 12:38:02PM +0100, Sam Ellis wrote:
> > > Subject: [Bug 1292] New: What is the correct license expression 
> > > for a project with an additional patent license?
> > > https://bugs.linuxfoundation.org/show_bug.cgi?id=1292
> > 
> > I will take the opportunity to offer an opinion to the forums on 
> > this question that is raised above:
> >
> > I think first and foremost this is a question around interpretation 
> > of the licenses. Only when you have that interpretation can you 
> > decide how to represent that using SPDX syntax. I see two possible
> > interpretations:
> >
> > One interpretation is that that using the software you must agree to 
> > both the BSD-3-Clause and the patent grant and have no choice in the 
> > matter.
> >
> > Another interpretation is that you must agree to the use of the 
> > BSD-3-Clause license, but you have a choice as to whether or not to 
> > accept the patent grant. If you accept the patent grant then it is 
> > the same outcome as above. If you choose to not take the patent 
> > grant then you run the risk that the software does use some Facebook 
> > patents and you are now infringing them.
> >
> > In terms of SPDX representation, I would suggest the former case 
> > comes out as one of these two:
> > 
> > (BSD-3-Clause AND FB-Patents-2.0)
> > (BSD-3-Clause WITH FB-Patents-2.0)
> > 
> > And for the second interpretation I would suggest one of these two:
> > 
> > (BSD-3-Clause OR (BSD-3-Clause AND FB-Patents-2.0)) (BSD-3-Clause OR 
> > (BSD-3-Clause WITH FB-Patents-2.0))
> > 
> > As to whether to use the AND or WITH variants, I again think this 
> > comes down to the interpretation of the patent grant. Does the 
> > patent grant stand alone as a fully formed license (in which case 
> > choose AND) or does it depend on some other license (in which case choose WITH)?
> >
> > In summary I think SPDX license expressions can adequately represent 
> > all of these cases. The question that SPDX can’t answer is which 
> > legal interpretation to choose.
> > 
> > -- IMPORTANT NOTICE: The contents of this email and any attachments 
> > are confidential and may also be privileged. If you are not the 
> > intended recipient, please notify the sender immediately and do not 
> > disclose the contents to any other person, use it for any purpose, 
> > or store or copy the information in any medium. Thank you.
> >
> > ARM Limited, Registered office 110 Fulbourn Road, Cambridge CB1 9NJ, 
> > ARM Registered in England & Wales, Company No: 2557590 Holdings plc, 
> > ARM Registered office 110 Fulbourn Road, Cambridge CB1 9NJ, 
> > Registered ARM in England & Wales, Company No: 2548782
> > 
> 
> --
> Kyle Mitchell, attorney
> San Francisco, California
> +1 (415) 864 - 9913
> _______________________________________________
> Spdx-tech mailing list
> Spdx-tech at lists.spdx.org
> https://lists.spdx.org/mailman/listinfo/spdx-tech

--
Kyle Mitchell, attorney
San Francisco, California
+1 (415) 864 - 9913
_______________________________________________
Spdx-legal mailing list
Spdx-legal at lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-legal

More information about the Spdx-legal mailing list