Combining code from different sources in a free or open source
software project requires making sure that the licences of each
component are compatible. As an example, the GNU General Public
Licence version 2 is incompatible with the Apache Licence version 2.
However, GPLv3 is compatible with it.

Checking things manually is tedious and error-prone. For the most
common licences, compatibilities are pretty clear, and when each
component declares its licences, a program can check the easy cases.

Idea: Write a program that can do "licence arithmetic", by checking if
combinations of licences are OK. The program would be given a "licence
expression" giving the licences of its components, and would output the
effective licence, or "error", or "unknown".

Use SPDX licence expressions as input and output.
See <https://spdx.org/licenses/> for a list of licence identifiers.
Assume AND and OR operators, and parentheses.

Examples:

* "GPL-2.0-only AND Apache-2" => "error"
  * the licences are known to be incompatible, so the result is not
    free software; using it may be OK, but the combination is not
    re-distributable
* "GPL-2.0-or-later AND Apache-2" => "GPL-3.0-or-later"
  * version 3 of the GPL is, however, compatible with Apache licence
    version 2, so using the "or later" of the GPL'd component results
    in an effective licence of GPL version 3 or later
* "unknown AND BSD-2-Clause" => "error"
  * a component whose licence is unknown cannot be combined with
    anything; the result may be useable locally, but it's not
    distributable
* "other AND BSD-2-Clause" => "unknown"
  * other means the licence is one that SPDX does not have a symbol
    for; the result is unknown

The program should probably read a data file that explains the known
cases. Something like this:

~~~yaml
rules:
  - expr: GPL-2.0-only AND BSD-2-Clause
    result: GPL-2.0-only

  - expr: GPL-3.0-or-later AND (BSD-2-Clause OR Apache-2)
    result: GPL-3.0-or-later
    
  - expr: GPL-2.0-or-later AND Apache-2
    result: GPL-3.0-or-later

  - expr: GPL-2.0-only AND Apache-2
    result: error
    url: https://url.to.explanation
    explanation: "explanation of why the result"
~~~

The program would extract the SPDX licence expressions of all
components, combine them with OR, simplify the result, and then check
it against the rules in its data file.
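
The rule lookup described above, as an added example (not the author's
code): it parses an expression with AND, OR and parentheses, sorts the
operands, and looks the result up in the sample rules. Assumptions: the
names `parse`, `leaves` and `effective_licence` are hypothetical, the
rules are embedded in a dict instead of read from the YAML file, an
expression with no matching rule yields "unknown", and "unknown" takes
precedence over "other".

```python
import re

# Rules copied from the page's sample data file, identifiers as written there.
RULES = {
    "GPL-2.0-only AND BSD-2-Clause": "GPL-2.0-only",
    "GPL-3.0-or-later AND (BSD-2-Clause OR Apache-2)": "GPL-3.0-or-later",
    "GPL-2.0-or-later AND Apache-2": "GPL-3.0-or-later",
    "GPL-2.0-only AND Apache-2": "error",
}

def parse(expr):
    """Parse AND/OR/parentheses into a tree; operands are sorted so A AND B == B AND A."""
    toks = re.findall(r"[()]|[^\s()]+", expr)[::-1]  # reversed, so pop() reads left to right
    def peek():
        return toks[-1] if toks else None
    def atom():
        if peek() in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected {peek()!r} in {expr!r}")
        tok = toks.pop()
        if tok != "(":
            return tok
        node = level("OR")
        if not toks or toks.pop() != ")":
            raise ValueError(f"missing ')' in {expr!r}")
        return node
    def level(op):  # OR binds looser than AND, as in SPDX
        sub = atom if op == "AND" else lambda: level("AND")
        items = [sub()]
        while peek() == op:
            toks.pop()
            items.append(sub())
        return items[0] if len(items) == 1 else (op, *sorted(items, key=repr))
    tree = level("OR")
    if toks:
        raise ValueError(f"unexpected {peek()!r} in {expr!r}")
    return tree

def leaves(tree):
    return {tree} if isinstance(tree, str) else set().union(*map(leaves, tree[1:]))

CANONICAL = {parse(e): r for e, r in RULES.items()}  # rules in the same canonical form

def effective_licence(expr):
    tree = parse(expr)
    if "unknown" in leaves(tree):  # a component with no known licence
        return "error"
    if "other" in leaves(tree):    # a licence SPDX has no symbol for
        return "unknown"
    return tree if isinstance(tree, str) else CANONICAL.get(tree, "unknown")
```

Matching is exact after operand sorting, so an expression that no rule
covers falls through to "unknown" and is left for a human to decide.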

# Consult a lawyer

Software can't give legal advice. It should only be used in entirely
unambiguous cases and even then the result should be checked by a
competent human.