On 8/8/24 04:38, Erwan LE-RAY - foss wrote: > Hello, > > > I would like to get clarification on OSI approved GPLV2 SPDX identifiers. > > OSI website (https://opensource.org/licenses?ls=GPL-2 > <https://opensource.org/licenses?ls=GPL-2>) indicates that only GPL-2.0 is > approved by OSI (GPL2.0+, GPL2.0-only and GPL2.0-or-later are not listed), > whereas SPDX website (https://spdx.org/licenses/ <https://spdx.org/licenses/>) > indicates that GPL-2.0 and GPL-2.0+ are deprecated, replaced by GPL-2.0-only > and > GPL-2.0-or-later. GPL-2.0-only and GPL-2.0-or-later identifiers are tagged as > approved by OSI (last column). > > > Could you please clarify if GPL-2.0-only and GPL-2.0-or-later identifiers are > really approved by OSI, as indicated by SPDX webpage?
SPDX is a separate organization from OSI. OSI doesn't maintain a database of license short identifiers, and my understanding is OSI only approves licenses, not combinations of licenses. SPDX's database entry is indicating that the licenses being identified are approved by OSI. GPLv2 is a license, GPLv3 is a license, and products may ship under one or more of those licenses. SPDX identifiers are a little weird/inexact in that they treat some common combinations of licenses as if it were a license. If the project ships under GPLv2 only, SPDX has an identifier for that. If it ships under GPLv2 and GPLv3 (allowing the recipient to select which one's terms they prefer to abide by), SPDX has an identifier for that even though that isn't a license, it's two different licenses both being offered on the same copyrighted material. Various projects are also dual licensed with GPL+BSD, or GPL+Apache, but doing that is not common enough to have an SPDX identifier. The FSF officially recommended that people dual license GPL code that way for many years, so that's why it's common enough to get an identifier. In theory "or later" is carte blance to use any future FSF issued license when Microsoft acquires them and comes up with a proprietary GPLv4 "pay us to look at this" license, but nobody seriously expects FSF to outlive Richard Stallman and he's 71 so GPLv4 is unlikely to come up (modulo acquisition of the assets by private equity through probate, or similar). But the threat of doing that led Linus Torvalds to famously clarify that Linux is "GPLv2 only" in 2000: https://lkml.iu.edu/hypermail/linux/kernel/0009.1/0096.html And clarified his position ~10 years later: https://www.youtube.com/watch?v=PaKIZ7gJlRU Similar clarification became quite popular (explicitly saying GPLv3 does NOT apply to this GPLv2 project, despite the FSF's recommendations), to the point SPDX came out with an identifier for such projects, but it's not a LICENSE. The licenses are GPLv3 and GPLv3, and OSI approves licenses. Rob _______________________________________________ The opinions expressed in this email are those of the sender and not necessarily those of the Open Source Initiative. Official statements by the Open Source Initiative will be sent from an opensource.org email address. License-discuss mailing list License-discuss@lists.opensource.org http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
