From 16945c9acdc3c0a6cea6aff6213b1f5170567eaf Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Fri, 3 Jan 2020 09:52:54 +0200 Subject: Add: licence-arithmetic.mdwn --- licence-arithmetic.mdwn | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 licence-arithmetic.mdwn diff --git a/licence-arithmetic.mdwn b/licence-arithmetic.mdwn new file mode 100644 index 0000000..05bd9a7 --- /dev/null +++ b/licence-arithmetic.mdwn 
@@ -0,0 +1,70 @@ +--- +title: Licence arithmetic +... + +Combining code from different sources in a free or open source +software project requires making sure that the licences of each +component are compatible. As an example, the GNU General Public +Licence version 2 is incompabible with the Apache Licence version 2. +However, GPLv3 is compatible with it. + +Checking things manually is tedious and error prone. For the most +common licences compatibilities are pretty clear, and when each +component declares its licences, a program can check the easy cases. + +Idea: Write a program that can do "licence arithmetic", by checking if +combinations of licences are OK. The program would be given a "licence +expression" giving the licences of its components, and outputs the +effective licence, or "error", or "unknown". + +Use SPDX licence expressions as input and output. +See for a list of licence identifiers. +Assume AND and OR operators, and parentheses. + +Examples: + +* "GPL-2.0-only AND Apache-2" => "error" + * the licenses are known to be incompatible, so the result is not + free software; using it may be OK, but the combination is not + re-distributable +* "GPL-2.0-or-later AND Apache-2" => "GPL-3.0-or-later" + * version 3 of the GPL is, however, compatible with Apache licence + version 2, so using the "or later" of the GPL'd component results + in an effective licence of GPL version 3 or later +* "unknown AND BSD-2-Clause" = "error" + * a component whose licence is unknown cannot be combined with + anything; the result may be useable locally, but it's not + distributable +* "other AND BSD-2-Clause" = "unknown" + * other means the licence is one that SPDX does not have a symbol + for; the result is unknown + +The program should probably read a data file that explains the known +cases. 
Something like this: + +~~~yaml +rules: + - expr: GPL-2.0-only AND BSD-2-Clause + result: GPL-2.0-only + + - expr: GPL-3.0-or-later AND (BSD-2-Clause OR Apache-2) + result: GPL-3.0-or-later + + - expr: GPL-2.0-or-later AND Apache-2 + result: GPL-3.0-or-later + + - expr: GPL-2.0-only AND Apache-2 + result: error + url: https://url.to.explanation + explanation: "explanation of why the result" +~~~ + +The program would extract the SPDX licence expressions of all +components, combine them with OR, and simplify the result, then check +against it against the rules in its data file. + +# Consult a lawyer + +Software can't give legal advice. It should only be used in entirely +unambiguous cases and even then the result should be checked by a +competent human. -- cgit v1.2.1
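Review bot: In the last paragraph of the new file, "combine them with OR" conflicts with the examples earlier in the hunk, which all join component licences with AND. In SPDX expressions OR offers a choice between licences, while AND means all of them apply, so a work built from several components needs the AND of the per-component expressions; suggest "combine them with AND". Smaller points in the same hunk: `Apache-2` is not an SPDX identifier (the SPDX short form is `Apache-2.0`), which matters because the text says input and output are SPDX licence expressions, and it appears in both the examples and the YAML rules. `unknown` is used both as an input token ("unknown AND BSD-2-Clause") and as a result value ("other AND BSD-2-Clause" = "unknown"), so distinct names for the two would avoid ambiguity in the rules file. The examples mix "=>" and "=" for the result arrow, and there are typos at "incompabible" and "check against it against the rules".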