Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add <obsoletedBy> to licenses and exceptions #392

Merged
merged 3 commits into from
Mar 24, 2018
Merged

Conversation

wking
Copy link
Contributor

@wking wking commented Feb 21, 2017

From here (whose source I could not find):

As a result, a number of licenses formerly included in the SPDX License List have been deprecated as licenses, and correct usage employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be “there's a better way to say that now”.

Telling people “use an expression instead” is less useful than saying “use this expression instead: $SOME_EXPRESSION”. This commit updates the eCos license (the only deprecated license currently in this repository) to do that, using the WITH exception syntax and the eCos exception label defined in SPDX 2.1 (and possibly in earlier versions).

This is related to spdx/tools#73, although discussion there seemed to be doubling down on a deprecated boolean.

@goneall
Copy link
Member

goneall commented May 30, 2017

I like the concept - it would convey important information. I do have a couple of implementation concerns. If we propogate this out to the JSON and RDF representations of the licenses, it would break current implementations which look for the deprecated flag. There may also be cases in the future where we deprecate licenses without a replacement. I would propose that we make this an optional attribute of licenses and exceptions and retain the notes and deprecated fields.

@wking
Copy link
Contributor Author

wking commented May 30, 2017 via email

@wking wking mentioned this pull request May 30, 2017
@goneall
Copy link
Member

goneall commented May 31, 2017

@wking agree with comment on notes being generic. Disagree that isDeprecated is duplicated. You can have a deprecated license without it being obsoleted by another license. obsoleted-by is just providing additional useful data.

@wking
Copy link
Contributor Author

wking commented May 31, 2017 via email

@goneall
Copy link
Member

goneall commented May 31, 2017

In thinking about this a bit more, I wonder if we should take a different approach. obsoleted-by would be used to reference a preferred method of expressing the deprecated license. Could we generalize this to a field to express an alternative license expression? This has been proposed in past threads on the legal email list. Something like "preferredAlternative" or "preferredExpression". Then we would continue to use the deprecated flag to indicate a license has been deprecated and the alternative expression could be used with our without the deprecated licenses.

@wking
Copy link
Contributor Author

wking commented May 31, 2017 via email

@goneall
Copy link
Member

goneall commented May 31, 2017

I wasn't able to locate a link to the discussion (it was a while back). I believe it was related to licenses which were a concatonation of other licenses. We may have a similar scenario once we resolve the GPL-2.0+/GPL-2.0-only discussion.

My primary concern with removing the deprecated flag is that the semantics are clear and the information is very useful. For example, I filter out all deprecated licenses when I show a selection of license choices. In this scenario I don't need to refer to the obsoleted by expression.

@wking
Copy link
Contributor Author

wking commented May 31, 2017 via email

@jlovejoy jlovejoy added this to the Later Release milestone Sep 14, 2017
wking added a commit to wking/license-list-XML that referenced this pull request Dec 27, 2017
The XSD suggests (buggily) that we only want a single <notes> element
(more details on this in the previous commit).  And the information
contained in the <notes> sections I'm removing is redundant, because:

* Licenses with a release date in their <notes> entry had that same
  release date in the license title.  I don't see a need to include
  that release date as unstrucutured information in two places, and
  the license title is clearly the more important location.

* Whether the license is only or or-later is covered explicitly in the
  long name and implicitly in the new deprecation notice (e.g. as
  added in 55b6fc4, Update comments to reflect the new GPL license
  ID's, 2017-12-23, spdx#552).  Once we get explicit obsoleted-by markup
  [1], those deprecation notices will become machine readable.  So I
  don't think we need to call out the versioning again in the notes.

[1]: spdx#392
wking added a commit to wking/license-list-XML that referenced this pull request Dec 27, 2017
The XSD suggests (buggily) that we only want a single <notes> element
(more details on this in the previous commit).  And the information
contained in the <notes> sections I'm removing is redundant, because:

* Licenses with a release date in their <notes> entry had that same
  release date in the license title.  I don't see a need to include
  that release date as unstrucutured information in two places, and
  the license title is clearly the more important location.

* Whether the license is only or or-later is covered explicitly in the
  long name and implicitly in the new deprecation notice (e.g. as
  added in 55b6fc4, Update comments to reflect the new GPL license
  ID's, 2017-12-23, spdx#552).  Once we get explicit obsoleted-by markup
  [1], those deprecation notices will become machine readable.  So I
  don't think we need to call out the versioning again in the notes.

[1]: spdx#392
@wking
Copy link
Contributor Author

wking commented Dec 29, 2017

I've just filed #583, which drops isDeprecated (like this PR), but it's leaning on the existing deprecatedVersion attribute instead of this PR's new <obsoleted-by>. If/when #583 lands, I'll rebase this PR to use:

<obsoleted-by deprecatedVersion="3.0">AGPL-3.0-only</obsoleted-by>

where version would be a required attribute of <obsoleted-by>. That would require further spdx/tools changes (probably any schema change will need spdx/tools changes), but it would protect us from providing a deprecation version without a migration plan or a migration plan without a deprecation version.

wking added a commit to wking/license-list-XML that referenced this pull request Jan 11, 2018
The XSD suggests (buggily) that we only want a single <notes> element
(more details on this in the previous commit).  And the information
contained in the <notes> sections I'm removing is redundant, because:

* Licenses with a release date in their <notes> entry had that same
  release date in the license title.  I don't see a need to include
  that release date as unstrucutured information in two places, and
  the license title is clearly the more important location.

* Whether the license is only or or-later is covered explicitly in the
  long name and implicitly in the new deprecation notice (e.g. as
  added in 55b6fc4, Update comments to reflect the new GPL license
  ID's, 2017-12-23, spdx#552).  Once we get explicit obsoleted-by markup
  [1], those deprecation notices will become machine readable.  So I
  don't think we need to call out the versioning again in the notes.

[1]: spdx#392
@wking
Copy link
Contributor Author

wking commented Jan 11, 2018

This is currently milestoned “later release”. If the holdup is concern over dropping deprecated, can we punt that particular issue to #583 and focus this more narrowly on the <obsoleted-by> addition? I think having structured information for the recommended replacement would help as tools start migrating to the license-list 3.0 identifiers. For example, being able to automatically generate warnings that suggest updating GPL-3.0 to GPL-3.0-only would be nice. Issues which discuss warning about deprecated identifiers include rust-lang/cargo#2039 and npm/npm#19558.

@goneall
Copy link
Member

goneall commented Jan 12, 2018

If the holdup is concern over dropping deprecated, can we punt that particular issue to #583 and focus this more narrowly on the addition?

I think this is a good approach. If we separate out the issue on deprecated, we can probably close on the addition of the <obsoleted-by> rather quickly. I agree this would be quite useful.

Since this is a broader change, we should get comments/feedback on the legal and tech mailing lists before closing. At some point, this should be documented in the spec (e.g. in a SPDX specification appendix, but that can be a separate effort.

@wking Do you want to update the title of this issue to reflect this change?

@goneall
Copy link
Member

goneall commented Jan 12, 2018

Suggest changing the element name to <obsoletedBy> to be consistent with the naming conventions of other element names.

Note - we have tried to have the same element names as the license RDFa and license list JSON representations which led to this particular convention.

@wking wking changed the title eCos-2.0: Replace deprecated="true" with <obsoleted-by> Add <obsoletedBy> to licenses and exceptions Jan 12, 2018
wking added a commit to wking/license-list-XML that referenced this pull request Jan 12, 2018
From [1]:

  As a result, a number of licenses formerly included in the SPDX
  License List have been deprecated as licenses, and correct usage
  employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be "there's a better
way to say that now".

Telling people "use an expression instead" is less useful than saying
"use this expression instead: $SOME_EXPRESSION".  This commit updates
the schema to allow us to recommend replacements.  Consumers can use
logic like:

1. Parse a license expression to extract the short identifiers.
2. Look up obsoletedBy entries for the short identifiers.
3. If any obsoletedBy has an 'expression' attribute that matches the
   source, the value of that obsoletedBy is the recommended
   replacement for that expression.  Otherwise, the value of the
   obsoletedBy without an expression attribute is the recommended
   replacement for the short identifier.

For example, the expression:

  GPL-2.0+ WITH GCC-exception-2.0

could be parsed to either of the following short license identifiers:

* GPL-2.0+, in which case there would be a single obsoletedBy with no
  expression attribute:

    <obsoletedBy>GPL-2.0-or-later</obsoletedBy>

  So the recommended replacement for GPL-2.0+ would be
  GPL-2.0-or-later.

* GPL-2.0, in which case there would be two obsoletedBy values:

    <obsoletedBy>GPL-2.0-only</obsoletedBy>
    <obsoletedBy expression="GPL-2.0+">GPL-2.0-or-later</obsoletedBy>

  The one with an 'expression' attribute set to 'GPL-2.0+' matches the
  source, so the recommended replacement for GPL-2.0+ is
  GPL-2.0-or-later.

The presence of an obsoletedBy element is sufficient to mark a
license/expression obsolete (as is the presence of an
deprecatedVersion attribute), so I'm in favor of dropping isDeprecated
to stay DRY.  However, removing isDeprecated (from this repository, we
would still supply it in license-list-data) has proven contentious for
reasons I don't understand.  This commit punts on the removal for now
[2].

[1]: spdx#392 (comment)
[2]: spdx#392 (comment)
wking added a commit to wking/license-list-XML that referenced this pull request Jan 12, 2018
From [1]:

  As a result, a number of licenses formerly included in the SPDX
  License List have been deprecated as licenses, and correct usage
  employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be "there's a better
way to say that now".

Telling people "use an expression instead" is less useful than saying
"use this expression instead: $SOME_EXPRESSION".  This commit updates
the schema to allow us to recommend replacements.  Consumers can use
logic like:

1. Parse a license expression to extract the short identifiers.
2. Look up obsoletedBy entries for the short identifiers.
3. If any obsoletedBy has an 'expression' attribute that matches the
   source, the value of that obsoletedBy is the recommended
   replacement for that expression.  Otherwise, the value of the
   obsoletedBy without an expression attribute is the recommended
   replacement for the short identifier.

For example, the expression:

  GPL-2.0+ WITH GCC-exception-2.0

could be parsed to either of the following short license identifiers:

* GPL-2.0+, in which case there would be a single obsoletedBy with no
  expression attribute:

    <obsoletedBy>GPL-2.0-or-later</obsoletedBy>

  So the recommended replacement for GPL-2.0+ would be
  GPL-2.0-or-later.

* GPL-2.0, in which case there would be two obsoletedBy values:

    <obsoletedBy>GPL-2.0-only</obsoletedBy>
    <obsoletedBy expression="GPL-2.0+">GPL-2.0-or-later</obsoletedBy>

  The one with an 'expression' attribute set to 'GPL-2.0+' matches the
  source, so the recommended replacement for GPL-2.0+ is
  GPL-2.0-or-later.

The presence of an obsoletedBy element is sufficient to mark a
license/expression obsolete (as is the presence of an
deprecatedVersion attribute), so I'm in favor of dropping isDeprecated
to stay DRY.  However, removing isDeprecated (from this repository, we
would still supply it in license-list-data) has proven contentious for
reasons I don't understand.  This commit punts on the removal for now
[2].

[1]: spdx#392 (comment)
[2]: spdx#392 (comment)
@wking
Copy link
Contributor Author

wking commented Jan 12, 2018

I've pushed 7b56ba9a7bef17, which:

  • Renames the element from <obsoleted-by><obsoletedBy> following @goneall's suggestion.
  • Rebases onto master, so I had a number of newly-deprecated licenses to add <obsoletedBy> to.
  • Added an XSD entry for the new element (now that we have an XSD :).
  • Added an optional expression attribute, so GFDL-1.1 can point to GFDL-1.1-only or GFDL-1.1-or-later depending on whether it was originally GFDL-1.1+ or not (and similarly for other licenses affected by the -only / -or-later split).
  • Punts on removing isDeprecated (for now).

@wking wking force-pushed the obsoleted-by branch 2 times, most recently from a7bef17 to 390fc63 Compare January 12, 2018 19:28
wking added a commit to wking/license-list-XML that referenced this pull request Jan 12, 2018
From [1]:

  As a result, a number of licenses formerly included in the SPDX
  License List have been deprecated as licenses, and correct usage
  employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be "there's a better
way to say that now".

Telling people "use an expression instead" is less useful than saying
"use this expression instead: $SOME_EXPRESSION".  This commit updates
the schema to allow us to recommend replacements.  Consumers can use
logic like:

1. Parse a license expression to extract the short identifiers.
2. Look up obsoletedBy entries for the short identifiers.
3. If any obsoletedBy has an 'expression' attribute that matches the
   source, the value of that obsoletedBy is the recommended
   replacement for that expression.  Otherwise, the value of the
   obsoletedBy without an expression attribute is the recommended
   replacement for the short identifier.

For example, the expression:

  GPL-2.0+ WITH GCC-exception-2.0

could be parsed to either of the following short license identifiers:

* GPL-2.0+, in which case there would be a single obsoletedBy with no
  expression attribute:

    <obsoletedBy>GPL-2.0-or-later</obsoletedBy>

  So the recommended replacement for GPL-2.0+ would be
  GPL-2.0-or-later.

* GPL-2.0, in which case there would be two obsoletedBy values:

    <obsoletedBy>GPL-2.0-only</obsoletedBy>
    <obsoletedBy expression="GPL-2.0+">GPL-2.0-or-later</obsoletedBy>

  The one with an 'expression' attribute set to 'GPL-2.0+' matches the
  source, so the recommended replacement for GPL-2.0+ is
  GPL-2.0-or-later.

The presence of an obsoletedBy element is sufficient to mark a
license/expression obsolete (as is the presence of an
deprecatedVersion attribute), so I'm in favor of dropping isDeprecated
to stay DRY.  However, removing isDeprecated (from this repository, we
would still supply it in license-list-data) has proven contentious for
reasons I don't understand.  This commit punts on the removal for now
[2].

[1]: spdx#392 (comment)
[2]: spdx#392 (comment)
src/GFDL-1.1.xml Outdated
@@ -3,13 +3,11 @@
<license licenseId="GFDL-1.1" isOsiApproved="false"
name="GNU Free Documentation License v1.1"
isDeprecated="true" deprecatedVersion="3.0">
<obsoletedBy>GFDL-1.1-only</obsoletedBy>
<obsoletedBy expression="GFDL-1.1+">GFDL-1.1-or-later</obsoletedBy>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The or-later-ness of this identifier is not clear to me, because (as of list 3.0) the grant for GFDL-1.1 includes “or any later version”. Because there is no ONLY operator, I'm guessing that GFDL-1.1 means GFDL-1.1-only and that you'd need GFDL-1.1+ (pre-3.0) to mean GFDL-1.1-or-later, despite the wording we claimed in <standardLicenseHeader>. But we may want to update the standard license header and/or file an erratum (#598) for clarity going forward.

This issue also affects version 1.2 and 1.3 of the GFDL.

wking added a commit to wking/license-list-XML that referenced this pull request Jan 30, 2018
From [1]:

  As a result, a number of licenses formerly included in the SPDX
  License List have been deprecated as licenses, and correct usage
  employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be "there's a better
way to say that now".

Telling people "use an expression instead" is less useful than saying
"use this expression instead: $SOME_EXPRESSION".  This commit updates
the schema to allow us to recommend replacements.  Consumers can use
logic like:

1. Parse a license expression to extract the short identifiers.
2. Look up obsoletedBy entries for the short identifiers.
3. If any obsoletedBy has an 'expression' attribute that matches the
   source, the value of that obsoletedBy is the recommended
   replacement for that expression.  Otherwise, the value of the
   obsoletedBy without an expression attribute is the recommended
   replacement for the short identifier.

For example, the expression:

  GPL-2.0+ WITH GCC-exception-2.0

could be parsed to either of the following short license identifiers:

* GPL-2.0+, in which case there would be a single obsoletedBy with no
  expression attribute:

    <obsoletedBy>GPL-2.0-or-later</obsoletedBy>

  So the recommended replacement for GPL-2.0+ would be
  GPL-2.0-or-later.

* GPL-2.0, in which case there would be two obsoletedBy values:

    <obsoletedBy>GPL-2.0-only</obsoletedBy>
    <obsoletedBy expression="GPL-2.0+">GPL-2.0-or-later</obsoletedBy>

  The one with an 'expression' attribute set to 'GPL-2.0+' matches the
  source, so the recommended replacement for GPL-2.0+ is
  GPL-2.0-or-later.

The presence of an obsoletedBy element is sufficient to mark a
license/expression obsolete (as is the presence of an
deprecatedVersion attribute), so I'm in favor of dropping isDeprecated
to stay DRY.  However, removing isDeprecated (from this repository, we
would still supply it in license-list-data) has proven contentious for
reasons I don't understand.  This commit punts on the removal for now
[2].

[1]: spdx#392 (comment)
[2]: spdx#392 (comment)
wking added a commit to wking/license-list-XML that referenced this pull request Jan 30, 2018
From [1]:

  As a result, a number of licenses formerly included in the SPDX
  License List have been deprecated as licenses, and correct usage
  employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be "there's a better
way to say that now".

Telling people "use an expression instead" is less useful than saying
"use this expression instead: $SOME_EXPRESSION".  This commit updates
the schema to allow us to recommend replacements.  The recommended
consumer algorithm is documented in the schema annotation.

The maxOccurs="unbounded" value shows up in an XSD 1.1 spec example
[2], and both minOccurs and maxOccurs must be set explicitly for
obsoletedBy to override the defaults (1 for both attributes [3]).

The presence of an obsoletedBy element is sufficient to mark a
license/expression obsolete (as is the presence of an
deprecatedVersion attribute), so I'm in favor of dropping isDeprecated
to stay DRY.  However, removing isDeprecated (from this repository, we
would still supply it in license-list-data) has proven contentious for
reasons I don't understand.  This commit punts on the removal for now
[4].

[1]: spdx#392 (comment)
[2]: https://www.w3.org/TR/xmlschema11-1/#all-mg
[3]: https://www.w3.org/TR/xmlschema11-1/#declare-element
[4]: spdx#392 (comment)
@wking
Copy link
Contributor Author

wking commented Jan 30, 2018

Rebased around #586 and #599 with 390fc639ba7946. The Node tests are currently choking with:

Entity: line 65: element element: Schemas parser error : Element '{http://www.w3.org/2001/XMLSchema}element': Invalid value for maxOccurs (must be 0 or 1).

which is mentioned in albanm/node-libxml-xsd#12. But maxOccurs="unbounded" is in XSD 1.0 too, so this may just be a libxml bug.

@wking
Copy link
Contributor Author

wking commented Jan 30, 2018

Maybe we need a wrapper to attach a <sequence> too (like we have for <crossRefs>). I'd rather avoid that if possible, but I'll fall back to it if we can't find a way to allow multiple <obsoletedBy> entries within an <all>.

@wking
Copy link
Contributor Author

wking commented Jan 30, 2018

Ah, despite unbounded being in the 1.0 spec, maxOccurs was restricted to 1 inside <all> in XSD 1.0. The restriction was lifted in 1.1. The backing libxml issue is here.

@wking
Copy link
Contributor Author

wking commented Mar 23, 2018

@goneall, thoughts about maxOccurs="unbounded" support? Should I duck by following <crossRefs> and adding a wrapper? Maybe:

<obsoletedBy>
  <alternative>…</alternative>
  <alternative>…</alternative>
</obsoletedBy>

@goneall
Copy link
Member

goneall commented Mar 23, 2018

Should I duck by following and adding a wrapper?

I kind of like the structure of the wrapper. This could allow us to add more meaning to the nested element names. For example, we could have <alternativeExpression>...</alternativeExpression> for a license expression and <alternativeId>...</alternativeId> for alternative license ID's. It would also allow us to expand to additional reasons for obsoleting a license that we have not yet thought of.

@wking
Copy link
Contributor Author

wking commented Mar 23, 2018 via email

wking added 2 commits March 23, 2018 21:11
From [1]:

  As a result, a number of licenses formerly included in the SPDX
  License List have been deprecated as licenses, and correct usage
  employs the License Expression Syntax as of v2.0.

So the sole reason for the deprecations seems to be "there's a better
way to say that now".

Telling people "use an expression instead" is less useful than saying
"use this expression instead: $SOME_EXPRESSION".  This commit updates
the schema to allow us to recommend replacements.  The recommended
consumer algorithm is documented in the schema annotation.

The maxOccurs="unbounded" value shows up in an XSD 1.1 spec example
[2], and both minOccurs and maxOccurs must be set explicitly for
obsoletedBy to override the defaults (1 for both attributes [3]).

The presence of an obsoletedBy element is sufficient to mark a
license/expression obsolete (as is the presence of an
deprecatedVersion attribute), so I'm in favor of dropping isDeprecated
to stay DRY.  However, removing isDeprecated (from this repository, we
would still supply it in license-list-data) has proven contentious for
reasons I don't understand.  This commit punts on the removal for now
[4].

[1]: spdx#392 (comment)
[2]: https://www.w3.org/TR/xmlschema11-1/#all-mg
[3]: https://www.w3.org/TR/xmlschema11-1/#declare-element
[4]: spdx#392 (comment)
Taking advantage of the schema change from the previous commit.
@wking
Copy link
Contributor Author

wking commented Mar 24, 2018

I've pushed 9ba79467a56340, rebasing onto master again and adding an <obsoletedByes> wrapper. That lets me stick with <obsoletedBy> for the individual elements, which will make it easier for consumers to migrate when we eventually get an XSD 1.1 validator and can revert 7a56340.

@wking
Copy link
Contributor Author

wking commented Mar 24, 2018

@goneall, Travis is happy here :). Want to take a final look when you get time?

Copy link
Member

@goneall goneall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one suggestion - when I first read the "obsoletedByes" it looked like obsoleted B 'yes' - could we change this to "obsoletedBys" to avoid this miss-interpretation.

@wking
Copy link
Contributor Author

wking commented Mar 24, 2018

...could we change this to "obsoletedBys"...

Done.

The Node tests were choking with:

  Entity: line 65: element element: Schemas parser error : Element
  '{http://www.w3.org/2001/XMLSchema}element': Invalid value for
  maxOccurs (must be 0 or 1).

which is mentioned in [1].  Despite unbounded being in the 1.0 spec,
maxOccurs was restricted to 1 inside <all> in XSD 1.0. The
restriction was lifted in 1.1 [2].  The backing libxml issue is [3].

This commit works around the limitation by adding a wrapping
<obsoletedBys> to mirror our existing <crossRefs> wrapping
<crossRef>.  In both cases, the wrapper adds no useful semantics, but
we need it to get the tests passing until we can find an XSD 1.1
validator.

[1]: albanm/node-libxml-xsd#12
[2]: https://www.w3.org/TR/xmlschema11-1/#ch_models
[3]: https://bugzilla.gnome.org/show_bug.cgi?id=765936
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants