[License-discuss] Request for clarification: OSI approved GPLV2 SPDX identifiers

Rob Landley rob at landley.net
Fri Aug 9 20:24:49 UTC 2024 

On 8/8/24 04:38, Erwan LE-RAY - foss wrote:
> Hello,
> 
> 
> I would like to get clarification on OSI approved GPLV2 SPDX identifiers. 
> 
> OSI website (https://opensource.org/licenses?ls=GPL-2
> <https://opensource.org/licenses?ls=GPL-2>) indicates that only GPL-2.0 is
> approved by OSI (GPL2.0+, GPL2.0-only and GPL2.0-or-later are not listed),
> whereas SPDX website (https://spdx.org/licenses/ <https://spdx.org/licenses/>)
> indicates that GPL-2.0 and GPL-2.0+ are deprecated, replaced by GPL-2.0-only and
> GPL-2.0-or-later.  GPL-2.0-only and GPL-2.0-or-later identifiers are tagged as
> approved by OSI (last column).
> 
> 
> Could you please clarify if GPL-2.0-only and GPL-2.0-or-later identifiers are
> really approved by OSI, as indicated by SPDX webpage?

SPDX is a separate organization from OSI. OSI doesn't maintain a database of
license short identifiers, and my understanding is OSI only approves licenses,
not combinations of licenses.

SPDX's database entry is indicating that the licenses being identified are
approved by OSI. GPLv2 is a license, GPLv3 is a license, and products may ship
under one or more of those licenses.

SPDX identifiers are a little weird/inexact in that they treat some common
combinations of licenses as if it were a license. If the project ships under
GPLv2 only, SPDX has an identifier for that. If it ships under GPLv2 and GPLv3
(allowing the recipient to select which one's terms they prefer to abide by),
SPDX has an identifier for that even though that isn't a license, it's two
different licenses both being offered on the same copyrighted material. Various
projects are also dual licensed with GPL+BSD, or GPL+Apache, but doing that is
not common enough to have an SPDX identifier. The FSF officially recommended
that people dual license GPL code that way for many years, so that's why it's
common enough to get an identifier.

In theory "or later" is carte blance to use any future FSF issued license when
Microsoft acquires them and comes up with a proprietary GPLv4 "pay us to look at
this" license, but nobody seriously expects FSF to outlive Richard Stallman and
he's 71 so GPLv4 is unlikely to come up (modulo acquisition of the assets by
private equity through probate, or similar). But the threat of doing that led
Linus Torvalds to famously clarify that Linux is "GPLv2 only" in 2000:

https://lkml.iu.edu/hypermail/linux/kernel/0009.1/0096.html

And clarified his position ~10 years later:
https://www.youtube.com/watch?v=PaKIZ7gJlRU

Similar clarification became quite popular (explicitly saying GPLv3 does NOT
apply to this GPLv2 project, despite the FSF's recommendations), to the point
SPDX came out with an identifier for such projects, but it's not a LICENSE. The
licenses are GPLv3 and GPLv3, and OSI approves licenses.

Rob

More information about the License-discuss mailing list