aboutcode-org / scancode-toolkit

ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
https://github.com/aboutcode-org/scancode-toolkit/releases/

npsl-exception-0.93 is a license not an exception #3864

Open ben-c8y opened 3 months ago

ben-c8y commented 3 months ago

The file https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/npsl-exception-0.93.LICENSE lists this as an exception, but a look at the license text shows it's actually a license in its own right, not an exception that could be added to an existing license.

This is also how it is used in practice, e.g. https://rpmfind.net/linux/RPM/fedora/updates/39/aarch64/Packages/n/nmap-ncat-7.95-1.fc39.aarch64.html states the license is LicenseRef-NPSL-0.94, which seems to refer to this license.

The is_exception field should be set to false.

DennisClark commented 3 months ago

The various versions of the npsl-* licenses contain this significant (and awkward) paragraph:

2. General Terms

Covered Software is licensed to you under the terms of the GPL
(Exhibit A), with all the exceptions, clarifications, and additions
noted in this Main License Body. Where the terms in this Main License
Body conflict in any way with the GPL, the Main License Body terms
shall take precedence. These additional terms mean that You may not
distribute Covered Software or Derivative Works under plain GPL terms
without special permission from Licensor.

Note: "Covered Software is licensed to you under the terms of the GPL." It is certainly possible that software projects might choose to declare the npsl as the license, but I think it really makes more sense to use a full expression such as gpl-2.0 WITH npsl-exception-0.93 so that the texts of both are fully declared and understood.

ben-c8y commented 3 months ago

Thanks for the explanation. I didn't spot that when I was looking over the license. Wow, wouldn't life be simpler if more third-party authors could just pick a standard license? ;-)

Yeah, I can see very good arguments on both sides - "gpl-2.0 WITH npsl-exception-0.93" does seem valid, but also since the licensedb text for this item actually includes the text of GPL 2 (as exhibit A), arguably this item is itself a complete license, not just an exception. However, probably the best thing is to leave it as-is to avoid breaking anyone who's relying on the current designation, i.e. leave it as an exception.

But given it's a confusing case, perhaps you would consider adding a note/comment to help people understand that due to the embedded GPL license, "gpl-2.0 WITH npsl-exception-0.93" is the expected way to use this item?

DennisClark commented 3 months ago

@AyanSinhaMahapatra I have updated the Reference Notes in DejaCode for the four npsl-exception-0.9* licenses to append the following remark, adjusting the version number with each one:

Although the text is presented as a standalone license, the recommended usage is "gpl-2.0 WITH npsl-exception-0.95".

Please synchronize with the LicenseDB when you have time, thanks.