NetBSD-Bugs archive


Re: standards/60308 (Make is missing SPDX license identifiers)



Synopsis: Make is missing SPDX license identifiers

State-Changed-From-To: open->feedback
State-Changed-By: riastradh%NetBSD.org@localhost
State-Changed-When: Tue, 09 Jun 2026 15:48:41 +0000
State-Changed-Why:
Thanks for the patch.  I'm a little confused about the goal, though.
You filed this under `standards/'.  Can you cite the current standard
that is applicable here?

I went looking at what I thought was the current applicable standard,
the SPDX spec at https://spdx.dev, but the latest version 3.0.1 has
completely removed all references to the `SPDX-License-Identifier' tags
in source code.  No syntax defined, no recommendations to use them in
source code.  It was all removed in this commit two years ago:

> commit 2acae715e971f8b84da8ea85f93849bdcf89c5ab
> Author: Alexios Zavras <github%zvr.gr@localhost>
> Date:   Sun Aug 11 17:59:07 2024 +0200
> 
>     Fixes the annexes
> 
>     Signed-off-by: Alexios Zavras <github%zvr.gr@localhost>
> ...
>  ...using-SPDX-short-identifiers-in-source-files.md |  73 --

https://github.com/spdx/spdx-spec/commit/2acae715e971f8b84da8ea85f93849bdcf89c5ab

I can't tell from the very terse commit message whether that was just
an editorial mistake or a deliberate decision to remove all that (no
idea where to find minutes of any deliberation), but since nobody's put
it back in two years I have to assume it was deliberate.

There's an ISO standard, ISO/IEC 5962:2021, based on SPDX spec 2.2(?),
which still has Annex E `Using SPDX license list short identifiers in
source files' defining the `SPDX-License-Identifier' syntax.  But it's
apparently being updated to SPDX spec 3.0, according to
<https://www.iso.org/standard/81870.html>, so presumably it too will
remove that.

Also the web site at https://spdx.dev is full of 404 links, including
links that were baked into the ISO standard document itself, like
<https://spdx.org/spdx-license-list/matching-guidelines>,
<https://spdx.org/spdx-license-list/license-list-overview>, and
<https://spdx.dev/ids-where>.

So I'm not at all confident in the long-term value or seriousness of
this SPDX business.  And I have had plenty of personal experience
already wasting time based on wrong SPDX-License-Identifier tags that
were automatically applied across Linux.  We're open to the proposition
of adding these tags if they are actually reliable and useful, but the
track record of SPDX as a standard is not very convincing right now,
and we may need more convincing than just the offer of patches.





