PCRE2Project / pcre2

PCRE2 development is now based here.

BSD license "exemption" is unclear #309

Closed richardfontana closed 1 month ago

richardfontana commented 10 months ago

The LICENCE file includes this "exemption":

The second condition in the BSD licence (covering binary redistributions) does
not apply all the way down a chain of software. If binary package A includes
PCRE2, it must respect the condition, but if package B is software that
includes package A, the condition is not imposed on package B unless it uses
PCRE2 independently.

Two lawyers at Red Hat (one of them being me) could not agree on what this was supposed to mean, so I wonder if it should be clarified. This has come up not because of any concern about compliance with the license but because the Fedora project has adopted use of SPDX identifiers for representing license data. SPDX has an approach to assigning identifiers for permissive license exceptions, and at first glance the "exemption" seems to fall into that category.

If the exemption means "if package B includes package A, you can completely ignore clause 2 of the BSD license", that is not obvious. Isn't that just a recipe for nullifying clause 2 through technical means? If on the other hand it means "clause 2 only applies to the 'closest' package using this code", I don't understand the point of the exemption. Because if B includes A includes PCRE2, you will always have to comply with clause 2. If D includes C includes B includes A includes PCRE2, you will still always have to comply with clause 2 by virtue of the fact that A includes PCRE2.

cc: @jlovejoy

carenas commented 10 months ago

The LICENCE file includes this "exemption":

under the following heading "EXEMPTION FOR BINARY LIBRARY-LIKE PACKAGES"

I don't understand the point of the exemption

PCRE2 is used broadly to implement fully (ex: GLib's GRegex) or partially (ex: Rust's regex) a "library" to handle regex that can be used independently; the exception is IMHO aimed at those cases and to remove the "transitory burden" of clause 2, granted that (as explained in the text) package "A" is a library AND package "B" ONLY uses pcre2 through it.

Not sure if SPDX has a way to semantically indicate that or if you have suggestions that would make it more clear.

PhilipHazel commented 10 months ago

Oh dear. I am not a lawyer and I hate having to deal with this stuff. Carlo is right; the exemption is intended to remove the requirement from packages that do not use PCRE2 directly, but happen to include it because another library with which they link does itself include PCRE2. Suggestions for making the wording more clear will be welcomed.

jlovejoy commented 6 months ago

Thanks for the explanation and example. We will likely add this to the SPDX License List as an "exception" since it seems to have wide use. Even if you did update the text, presumably this version would still be out there.

If you do happen to update the exemption text, I would only ask/suggest that you version it so it's clear that there was a previous iteration distinct from the newer one.

Sorry, I don't have a suggestion for better wording, though!