LWN: Comments on "What's new in SPDX 2.0" https://lwn.net/Articles/644876/ This is a special feed containing comments posted to the individual LWN article titled "What's new in SPDX 2.0". en-us Tue, 23 Sep 2025 02:48:17 +0000 Tue, 23 Sep 2025 02:48:17 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net What's new in SPDX 2.0 https://lwn.net/Articles/646750/ https://lwn.net/Articles/646750/ kleptog <div class="FormattedComment"> There's a situation where they do care. Occasionally when one company is thinking about buying another, they start digging through all the assets with a fine-tooth comb to determine if there are legal liabilities which would affect the price. There are companies which do this work for money so there's obviously demand.<br> <p> You may be right that the companies don't care about fixing any problems, but the legal departments sure as hell would like all the risks quantified.<br> </div> Sun, 31 May 2015 12:33:10 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/646711/ https://lwn.net/Articles/646711/ paulj <div class="FormattedComment"> There are a number of proprietary software companies that sell source code analysis tools to detect and highlight free/OSS code, sold primarily to other proprietary software companies AIUI. 
So there certainly are companies out there paying attention, given there seems to be a market.<br> <p> On the other side, there are also some in free software communities who are very cavalier about complying with the free software licences of other copyright holders of code they are using.<br> </div> Sat, 30 May 2015 19:34:45 +0000 "Dead" link https://lwn.net/Articles/646567/ https://lwn.net/Articles/646567/ hugoroy <div class="FormattedComment"> Thank you!<br> </div> Fri, 29 May 2015 15:50:07 +0000 "Dead" link https://lwn.net/Articles/646214/ https://lwn.net/Articles/646214/ katestewart <div class="FormattedComment"> Try: <a href="http://wiki.spdx.org/view/File:SPDX_2.0_Collab_Presentation.pdf">http://wiki.spdx.org/view/File:SPDX_2.0_Collab_Presentati...</a> <br> </div> Thu, 28 May 2015 00:02:22 +0000 "Dead" link https://lwn.net/Articles/646108/ https://lwn.net/Articles/646108/ hugoroy <div class="FormattedComment"> The link to the presentation from the 2015 Collaboration Summit about ActiveMQ leads to a "Page not found" <a href="http://spdx.org/sites/spdx/files/publications/SPDX%202.0%20Collab%202015%20Presentation.pptx">http://spdx.org/sites/spdx/files/publications/SPDX%202.0%...</a><br> <p> I would be interested in reading this :-)<br> <p> Thanks<br> </div> Wed, 27 May 2015 16:43:21 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645964/ https://lwn.net/Articles/645964/ katestewart <div class="FormattedComment"> Hmmm... SPDX (1.2 and 2.0) can be expressed as an RDF - or - as a tag:value plain text file (like DEP5). Both forms are acceptable and can be interchanged, so the format the license data is presented in, isn't really an excuse for ignoring. 
<br> </div> Wed, 27 May 2015 00:55:20 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645854/ https://lwn.net/Articles/645854/ etienne <div class="FormattedComment"> <font class="QuotedText">&gt; I'm skeptical of the notion that corporations pay more attention to software licenses than do free software license junkies.</font><br> <p> It seems like a lot of corporations did not change anything in their legal department related to "free" software, compared to the time where they would buy subsystems from other companies (and then have a full personalised contract).<br> So basically, they wait for someone to complain, send the complaint to their legal department which would then wake up (i.e. start spending money) and see if the complaint is a threat to the company, i.e. the other side could go to court and win a substantial amount of money, which would ultimately reduce the benefit of the corporation.<br> At best, corporations ask for software engineers to tell if they can use some free software themselves, and most of those software engineers did not even read attentively the GPL... and anyway the product has to be on the shop shelves yesterday.<br> Maybe someone should go to court and demand stop selling some mobile phone, and demand the recall of all phones sold during the last 3 or 4 years because such company has lost the right to use the GPLv2 at that date for this unreplaceable package... the request will probably go directly to the bin because that corporation participates in "massive data collection" to protect against terrorists, and so should be treated as an army supplier which never bothers about licenses and patents.<br> </div> Tue, 26 May 2015 10:28:33 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645820/ https://lwn.net/Articles/645820/ nix Not quite. 
In the future embedded developers will have nicely structured XML licencing information to completely ignore <i>and get horribly out of date</i>, rather than the pain of having to ignore plain text files. Mon, 25 May 2015 17:44:21 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645802/ https://lwn.net/Articles/645802/ dr@jones.dk <div class="FormattedComment"> Related to this, there's an ongoing project to register Debian assets as ADMS.SW - an RDF (a.k.a. Linked Data) vocabulary linking FOAF, Trove and SPDX and more: <a href="http://rdf.debian.net/">http://rdf.debian.net/</a><br> <p> </div> Mon, 25 May 2015 14:21:03 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645672/ https://lwn.net/Articles/645672/ louie <div class="FormattedComment"> It is misleading to speak of "big corporations" as if they are consistent. But yes, many of them do assess things on a per-file basis with automated tools. Fedora and Debian ultimately are per-package and manual, and those are pretty much the only volunteer communities who do license analysis in any sort of rigorous way - language/framework-specific package repos have essentially zero quality control on licensing information.<br> </div> Fri, 22 May 2015 23:05:59 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645482/ https://lwn.net/Articles/645482/ ewan <div class="FormattedComment"> Indeed. But at least in the future embedded developers will have nicely structured XML licencing information to completely ignore, rather than the pain of having to ignore plain text files.<br> </div> Thu, 21 May 2015 17:36:11 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645468/ https://lwn.net/Articles/645468/ xnox <div class="FormattedComment"> Debian comes to mind... with automatic checksumming all files in the source tarball and reject uploads based on known "non-DFSG" free files. Such copyright policing is yet to be seen elsewhere.<br> <p> Not sure if SPDX would help debian wide. 
We do have <a href="https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/">https://www.debian.org/doc/packaging-manuals/copyright-fo...</a><br> </div> Thu, 21 May 2015 16:48:51 +0000 What's new in SPDX 2.0 https://lwn.net/Articles/645381/ https://lwn.net/Articles/645381/ mstone_ <div class="FormattedComment"> I'm skeptical of the notion that corporations pay more attention to software licenses than do free software license junkies.<br> </div> Thu, 21 May 2015 11:45:26 +0000