Open DerAndere1 opened 4 years ago
@DerAndere1 Thank you for this report. I reckon this looks like a bug and can be confusing and should be better explained. The wording "Dual licensed under the MIT and GPL licenses." is an invention of the JQuery project that is 10+ years old and was poorly worded and came with an explanation that this is a choice and not that both licenses apply. See for instance https://stackoverflow.com/questions/2758409/jquery-jquery-ui-and-dual-licensed-plugins-dual-licensing for some discussion.
You can see the historical JQuery explanation here: https://web.archive.org/web/20081013132125/http://jquery.com:80/docs/About/License/
jQuery is currently available for use in all personal or commercial projects under both MIT and GPL licenses. This means that you can choose the license that best suits your project, and use it accordingly.
This is further reinforced by the fact that the common acceptance when you say some FOSS is "dual licensed" is to mean that you have a choice of licenses, and not that all the licenses apply.
In the specific case of the license detection rule you reported as problematic and that was introduced by https://github.com/nexB/scancode-toolkit/commit/9e37150e7950ffa761c7a7c232142f6ddc78180b as you rightly found, this is also explained in the about page of the SyntaxHighlighter tool that triggered that specific formulation to be added as a license detection rule (and as a test here https://github.com/nexB/scancode-toolkit/commit/9e37150e7950ffa761c7a7c232142f6ddc78180b#diff-b7d51c2e6f1f740aab6f8c91dcd29924R3 )
See http://alexgorbatchev.com/SyntaxHighlighter/about.html#license
License You may use any SyntaxHighlighter project under the terms of either the MIT License or the GNU General Public License (GPL) Version 3. The MIT License is recommended for most projects. It is simple and easy to understand and it places almost no restrictions on what you can do with a SyntaxHighlighter project. If the GPL suits your project better you are also free to use a SyntaxHighlighter project under that license. You don’t have to do anything special to choose one license or the other and you don’t have to notify anyone which license you are using. You are free to use a SyntaxHighlighter project in commercial projects as long as the copyright header is left intact.
Note that JQuery is rather popular and has fostered the creation of many JavaScript projects (several as JQuery plugins). Naturally, a large number of these projects have adopted the same license as JQuery.
And lastly, JQuery has since moved to use only the MIT license. To the best of my understanding, they were able to do so easily enough because:
So in the end reporting this as "MIT or GPL" is not a bug but just capturing the not obvious but true meaning of these words.
That said, there are about 50K mentions of this wording there https://www.google.com/search?q="Dual+licensed+under+the+MIT+and+GPL+licenses." and about 350K mentions there "Dual licensed under the MIT and GPL licenses." and 49K there https://searchcode.com/?q=%22Dual+licensed+under+the+MIT+and+GPL+licenses.%22
Ideally we would want to check all of these to be sure.... I did not do this but I have seen this license many many times and to this day there was not a single case where the documented intention of the author was not a choice of MIT or GPL.
I hope this helps!
Dear @pombredanne, Thanks for your explanation. I agree with you.
The bug is a bit older, current meaningful description of OR and AND is here:
https://spdx.github.io/spdx-spec/v3.0/annexes/SPDX-license-expressions/
OR is disjunctive, means "Dual-licensing". AND is inclusive, means "multi-licensing".
I suggest to close this bug to prevent further confusion whether this is a defect of the application or not. Finally, the intention cannot be safely interpreted! The authors need to fix it in their terms, my opinion, because we cannot say if they mean either "dual" or "multi" or "OR" or "AND".
Best regards, Jörg
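Why the OR versus AND reading matters to anyone consuming scan results, as an added example that is not part of the original thread and is not ScanCode's own code: a small evaluator that checks whether a licensee restricted to an allowlist of license keys can comply with a license expression. The function name `satisfiable` and the `PERMISSIVE_ONLY` policy are hypothetical, and the example goes beyond the two-license case in this issue by handling parentheses and operator precedence.

```python
import re

# Added example (not ScanCode code). Assumption: AND binds tighter than OR,
# as in SPDX license expressions; license keys compare case-insensitively.
def satisfiable(expr, allowed):
    """True if a licensee limited to `allowed` license keys can comply."""
    if not re.fullmatch(r"[\sA-Za-z0-9.+()-]*", expr):
        raise ValueError("unexpected character in expression")
    tokens = re.findall(r"[()]|[A-Za-z0-9.+-]+", expr)
    allowed = {key.lower() for key in allowed}
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return val
        if tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected {tok!r}")
        return tok.lower() in allowed
    def chain(operand, op, combine):
        val = operand()
        while peek() == op:
            take()
            rhs = operand()  # always parse the right side, even if val is set
            val = combine(val, rhs)
        return val

    def and_expr():
        return chain(atom, "AND", lambda a, b: a and b)
    def or_expr():
        return chain(and_expr, "OR", lambda a, b: a or b)

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens after expression")
    return result
# Constructed policy: a project that may only take permissive licenses.
PERMISSIVE_ONLY = {"mit", "apache-2.0"}
```

Under this constructed policy the disjunctive reading of the notice passes and the conjunctive reading fails, which is the practical difference the two detections would make downstream.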
@Joerki you wrote:
I suggest to close this bug to prevent further confusion whether this is a defect of the application or not. Finally, the intention cannot be safely interpreted! The authors need to fix it in their terms, my opinion, because we cannot say if they mean either "dual" or "multi" or "OR" or "AND".
Actually, the approach here is to adopt the community norms and practices. Each of these are ecosystem-specific and well accepted within each of these confines. For instance, Rust usage of MIT/Apache to mean MIT or Apache, or the case here in the JS ecosystem.
So we can report correct licenses in this context. I would be fine to close this issue, as I think this is not a bug and that ScanCode does the right thing as validated by its numerous users, including several lawyers from every continent.
We could however report a modified, lowered relevance for these few cases that look ambiguous but are not when considering the established community norms. Here this could mean adding this line to the rule: relevance: 99
stating that the relevance of the rule should be treated as 99/100 rather than the default 100/100.
Let's keep this open then.
@Joerki also I visited https://en.wikipedia.org/w/index.php?title=Dual-licensing&redirect=no that redirects to https://en.wikipedia.org/wiki/Multi-licensing At a quick glance, the article seems to say that Multi-licensing is the same as Dual-licensing.
Note also that the definition of OR and AND in conjunctive and disjunctive SPDX license expressions (that I helped to define) is not the same as established community norms to use seemingly ambiguous "and" and "or" wordings in non-structured license notices.
Maybe we could draft a definitive blog post to explain all this better? What do you think?
Description
According to the mit_or_gpl.RULE, the string "Dual licensed under the MIT and GPL licenses." is interpreted as "mit OR gpl-1.0-plus".
Expected behaviour: The string "Dual licensed under the MIT and GPL licenses." should be interpreted as "mit AND gpl-1.0-plus".
This bug was introduced with commit https://github.com/nexB/scancode-toolkit/pull/258/commits/9e37150e7950ffa761c7a7c232142f6ddc78180b .
Note that "dual licensed under MIT and GPL" generally means that the licensee must comply with both licenses when using the file (conjunctive AND). This is different from "mit OR gpl-1.0-plus" which means that the licensee can choose one of the licenses (disjunctive OR).
Reference: https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60
How To Reproduce
Read the source code added with commit https://github.com/nexB/scancode-toolkit/pull/258/commits/9e37150e7950ffa761c7a7c232142f6ddc78180b
System configuration