Conversation
And here's the release notes in the license repo, the list of commits, and a complete diff of the text changes, however useful it may be. |
|
@kemitchell Go for it! |
|
I assume this PR should be closed then? |
|
@feross, my mistake here. I didn't recall that this is a PR. Reopen? |
|
@kemitchell I don't recall this getting accepted (or reviewed) -- guessing that was tagged in error. Has there been an issue filed for reviewing this one? The only thing I'm seeing was a mention of a prior version of this license in the thread that was about one of the Parity versions. If you or the license steward can file an issue with details about the license, I'll tag it for discussion for the 3.10 release cycle and I'll bring it up during one of the upcoming legal team calls. One way to create an issue for this with the relevant info is to fill out the form at http://13.57.134.254/app/submit_new_license/ (yes, we need to get an actual domain name set up for this). |
|
Re-opened. |
|
Whilst this license satisfies a number of the technical factors for inclusion, I believe that there are some issues that would prevent it from being a suitable fit for the SPDX license list. This license clearly does not comply with any of the free or open source definitions listed on the inclusion principles, due to its severe limitations on commercial use. The 9 example projects given on the license steward's website are not representative of the use of this license: one has been changed to the MIT license, and others are under older versions of the Prosperity license. The largest project listed, Drone, is substantially open source with only 'enterprise' features under the Prosperity license. I did find a number of other projects using the license, but nothing stood out as very significant to me. Unlike with the Parity license by the same author (which was included on this license list), the restrictions here would prevent prominent software distributions such as Debian or RHEL from being able to include packages available under this license. It is also worth noting that the license steward seems to also advertise itself as a payment handler for exclusive software licenses; however, it also states that it has shut down "to make way for an evolved system". In conclusion, I don't feel as if inclusion of this license in SPDX would add any value to the open source ecosystem. What do others here think about its suitability for this list? |
|
OSI and FSF approval aren't required for SPDX identification, and haven't been. A few non commercial licenses have already been identified, including Creative Commons' SPDX users, on the dev side and the user side, routinely identify proprietary code with license identifiers and expressions. It's a list of license forms. Not a list of endorsements. |
|
Thanks for the speedy response, Kyle! I've spent some time researching the PolyForm license that you've linked to in comparison to this one.
I noticed from your GitHub profile that you are a member of both the Artless Devices (the license steward for Prosperity for others reading this) and PolyForm projects, so I can understand your reasoning for their equivalence here. However, I don't think that similarity to a previously accepted license grants any intrinsic eligibility to the SPDX license list; indeed, proliferation of similar licenses is most often counter-productive in this space. The critical differences between the PolyForm license you linked to and the Prosperity 3.0.0 are the 30-day trial period and the 'contributing back' section. I find these additions problematic, though. Given the lack of clarity as to whether and how the trial period can be continued or reset through transference or modification, this extra clause is of little to no use for software distributions and their users. As for the 'contributing back' clause, I personally don't see this as an improvement! If a for-profit company made an addition to the licensed software and then put it up for sale under the Apache license, for instance, how would this not be commercial use? Indeed, is that company's license void if the initial author refuses or is unable to, for some reason, receive the modified version? Thus, even in the wider proprietary distribution context, Prosperity 3.0.0 seems to be at best serving as a replacement for the PolyForm Noncommercial license, and at worst adding uncertainty for software distributions that use SPDX. Again, thank you for giving some extra background about the license. I'd appreciate some other views on this as well; anyone else fancy chipping in? |
|
The SPDX process isn't an open-ended referendum on license quality, or a popularity contest. That's what OSI and the Linux distro licensing committees are for. There are plenty of licenses on the list I take it you'd dub problematic. There are several arguably permissive licenses that another organization I'm involved in, Blue Oak Council, call out as problematic by ID. The value of SPDX identification is being able to name and recognize welcome as well as unwelcome terms in the wild, for whatever counts as welcome and unwelcome in context. People are using Prosperity for their work and running into it in code and package repositories. Both licensors and licensees would benefit from an SPDX ID. |
|
I use Prosperity in most of my source provided software. GitHub uses Prosperity as well https://github.com/dependabot/dependabot-core/blob/main/LICENSE I seek the addition of Prosperity to SPDX as it helps with the generation of a bill of materials. SPDX is meant to be a list of licenses. |
|
See also NixOS/nixpkgs#97832. |
|
I also use prosperity for my published software. I also considered the Polyform NC license and specifically chose Prosperity. I believe the reason Polyform NC entered the discussion is not to compare the licenses in every respect but to address a specific objection around the inclusion principles. Specifically, the draft process considered the question of Polyform NC and whether SPDX wanted to include it. Obviously the end result is that the license was included. |
@kemitchell, certainly, I agree with you here. Indeed, I may have been rather vague in my previous comment! To clarify, I was referring to the usefulness of a 'prospective' inclusion rather than judging the license on any inherit merit. If a new version of the GNU GPL were to be published, for example, there would be a strong case for a kind of prospective inclusion, as it's to be expected that such a license would quickly become common in software distributions that use SPDX. The same would likely not be true of Prosperity 3.0.0, as many of these distributions would be unable to include software under the license. This is either because they do not distribute proprietary packages, because the distribution is a commercial venture itself, or because the lack of clarity in key areas of the license would incur unreasonable risk to the distribution or its users. To recap with particular regard to the inclusion principles-
and
|
|
Welcome to the discussion, @ghuntley, @drewcrawford. It is always good to have more perspectives on these things :) ghuntley, regarding creating a software bill of materials, I think section 6.1 of the latest SPDX specification has you covered! It describes the process for describing within SPDX documents licenses not included in the SPDX License List. |
|
@seabass-labrax, "pure" Linux distributions aren't the only or even the primary use case for the SPDX license list, and no free/open-only disto I'm aware of relies on SPDX to identify only licenses they accept. The standard's also used extensively by mixed distributions, software package repositories, automatic license audit and compliance tools, and corporate compliance departments. @drewcrawford, @ghuntley, @feross and others want to be able to use the obvious identifier--- These are all valid users of the SPDX license list, and in some cases the expression syntax. |
|
ok, several things to address here: PROCESS: I think at least a couple of us got confused b/c this came in directly as PR, instead of as an Issue with the usual format that entails. That's ok, we know where we are now. INCLUSION PRINCIPLES:
|
|
unrelated to inclusion analysis - @ghuntley - not sure why you thumbs-downed @seabass-labrax comment re: use of LicenseRef- as recognized by SPDX where there is not an SPDX License List identifier. This is correct (I have used it myself in code for a license not on the SPDX License List!) "Proprietary" is not recognized in SPDX. I know, I know, you may be just using the SPDX License List and are not creating a full SPDX document, but that doesn't mean other downstream users won't be. The license fields information in the SPDX are still relevant to use of the SPDX License List, so it'd be nice if you could use the method provided :) (unless/until the relevant license is added to the SPDX License List) |
|
one more comment re: use - it seems like the 2.0 version has the most uptake (I didn't count, but that's the impression I got while flipping through pages of files) |
|
Adding more context to 3. because it's a biggie:
https://www.theregister.com/2019/05/23/github_acquires_dependabot_to_automate_open_source_bug_zapping_chucks_money_at_developers/
https://docs.github.com/en/code-security/supply-chain-security/configuring-dependabot-security-updates
Finally https://github.com/dependabot/dependabot-core
a. Prosperity is a core feature that enabled the founders to create an open community where people could see code and contribute fixes which in return the service helps the contributors/community through the service.
b. Prosperity enabled a path for founders for their exit.
c. Prosperity enabled the creation of a form of an open community (viewing of source code, people can fix their own issues/contribute them back) that isn't possible under any other license currently.
d. Prosperity enables GitHub to continue the original open community recipe, invest into their product features whilst preventing competitors
from piggybacking off the investment.
What I'm getting at — this is a new class of license, that is pro-community, pro-access to source code, pro-contribution and is financially sustainable.
It does not meet the OSD definition but not every license should. Licenses in the category of OSD are financially unsustainable by design.
|
|
#1368 has now been opened, so we can re-invigorate the discussion there in relation to the license inclusion guidelines for the SPDX License List and clarify the version 2.0 or 3.0 question and usage. On 12/23 call, we remembered we had a analysis for the collection of Polyform licenses (tl;dr - we added some but not all), so we should ensure we are consistent with the decisions there |
|
@jlovejoy, why was this closed? #1368 may be unclear or abandoned, but this #960 is unambiguous and ready to merge. You mentioned the difference of free trial off in #1368. Prosperity 3 isn't a free-trial license. It's a noncommercial license plus a free trial. More permissive than PolyForm Noncommercial. |
|
whether it's a PR or an issue - it was for the same license, so the various comments as to the decision were made in one place with a pointer (to here). Please remember, it's not one person making the call and there had already been much discussion (and procrastination) on a decision. |
|
Please try to understand how frustrating this is on our end. I've got multiple side messages reading this as underhanded. I don't see it that way, but I see how they do. I read the note before Christmas last year about discussion moving to #1368. #1368 was opened two years after this PR, for a superseded version of the license, with no follow-up to your question about which version was intended. Still, whatever works. I subscribed to #1368. But no discussion there ensued. Crickets. A few days ago, I saw a comment summarizing a call I didn't know I should be on, making points I'd been happy to talk through, tagging Not Accepted before I had a chance to respond. This PR got tagged and closed likewise, without further comment. If calls are mandatory, or discussion will no longer take place in this PR or on GitHub more generally, please let me know. Anyone can reach me at kyle@kemitchell.com anytime. As for substance, this license apes Blue Oak 1.0.0 in style and a combo of PolyForm Noncommercial and Free Trial in substance. It's a noncommercial software license, plus a built-in free trial for commercial use, which it turns out go together like burgers and fries. It also adds permission for developing contributions back to the project, to make sure that's clearly welcome, even in otherwise commercial context. Apart from Free Trial, which derives from PolyForm Free Trial, and Contributions Back, which is new, no language here is unknown to the license list. Quick diffs against BlueOak-1.0.0 and PolyForm-Noncommercial-1.0.0 show the family resemblance. I don't understand the hold-up on the merge, other than as reflecting out-of-process pushback from those who don't like non-comm licenses, wish the inclusion principles excluded them, and regret that SPDX has accepted them. If that's new SPDX policy, please announce it clearly, so especially package manager developers know what process they're incorporating by reference. |
|
In case it wasn't absolutely clear, the main reason for not accepting this license (at this time) is the fact of lack of substantial use, in addition to the other factors as noted regarding the SPDX inclusion guidelines which we endeavor to apply equally to all submitted licenses. There was nothing that was done out-of-process or without fidelity to the SPDX inclusion guidelines. Unfounded accusations otherwise are not appropriate. If in the future this license has additional substantial use we would welcome your re-submission of this license. |
|
@jlovejoy, the idea that there's a main reason, and that it's now substantial use, wasn't absolutely clear. This is the first we're reading that here on GitHub. Hence the process question: Are we doing this on GitHub, or is the real deal all on calls, with GitHub just for announcing call decisions? This #960 has several people linking to substantial projects and mentioning use of the license for their own work. Quick searches on GitHub or libraries.io show more. Please understand that from our point of view, this feels like the goalposts getting moved again. And it's not clear even where they stand now. What's substantial use? All this---more than two years---to put an XML file in a GitHub repo. I could add |
|
The basis for evaluating what licenses to add to the SPDX License List are described here: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md @jlovejoy provided a writeup of her take on applying the principles to this submission in this thread, in May 2021: #960 (comment). Lack of substantial use was described there as of that point in time. Although I wasn't on the team call where this one was more recently discussed, I gather there hasn't been further examples of usage of the 3.0.0 version of the license provided either here or in the issue that was filed subsequently. We discussed substantial use's relevance as a factor in 2020 at #925 when the updated license inclusion principles were being put together. That thread includes discussion (and at least my own views) on the ways that, in analyzing the "Other Factors" from the inclusion principles, (i) a higher degree of real-world usage is required to be demonstrated for non-FOSS licenses; and (ii) we haven't see a meaningful way to come up with a strict "use in the wild means exactly X projects must be using the license" definition. Regarding process:
On that last point, I'd ask if we could please all work to presume good faith in our participation on these issues. There will of course be disagreements on outcomes, but at least speaking for myself I'm endeavoring to presume that everyone involved is acting in good faith towards SPDX's goals and purposes. As @jlovejoy indicated, if this license has relevant additional substantial use then we would welcome your re-submission of this license, and we will re-evaluate it under the license inclusion principles. |
|
@swinslow can you confirm?:
|
|
👋 Hi from the Dependabot team. I was trying to use the SPDX identifier for the Prosperity license that we use, and stumbled across this thread. I find it surprising the license wasn't accepted, at least for the We'd happily start using the SPDX identifier, but until then we're stuck with some hacks:
We've had discussions about changing to a more popular license, but currently for our use case the Prosperity license is the best fit. |
|
Hi – another open source maintainer here! I'd like use Prosperity-3.0.0 for appropriate projects, preferably without tripping alarms in the npm infrastructure. Because the blocker appears to be an unspecified threshold of "substantial use", here's some context. Open source packages I personally build and maintain are downloaded from the NPM repository >3 million times per month. Nearly all of these are under permissive licenses like MIT or Apache-2.0, of course, but I have reasons for needing more restrictive licenses in certain packages. The number of licenses suitable for supporting independent developers is diminishingly small. If it would not be a dramatic technical or procedural burden on the SPDX maintainers to make a few such licenses machine-readable with SPDX, I hope you'll reconsider adding Prosperity Public License 3.0.0 to the registry. |
|
Adding my vote for this to be reconsidered. |
|
if you want to request a license be added to the SPDX License List, please follow the process as described here: https://github.com/spdx/license-list-XML/blob/main/DOCS/request-new-license.md commenting on closed issues, is not likely to be easily seen :) |
This comment was marked as spam.
This comment was marked as spam.
|
I wanted to follow the Handling License Info guide for some software I’m writing as it is concise & easy for other folks to understand the identifiers, however, Prosperity is missing so I can’t technically use |
12 participants
I'd like to add Prosperity-3.0.0 to the SPDX license list. Here's a PR!
Previously, there was discussion about adding Prosperity-2.0.0 in #805. Since that time, Prosperity-3.0.0 was released. The announcement post is here: https://blog.licensezero.com/2019/12/15/prosperity-3.html