No valid value for license appropriate for proprietary code

[ygale]

The only non-SPDX value allowed in the license field is NONE. But since cabal files are also human-readable, the text license: NONE cannot be included in a cabal file for proprietary code for obvious legal reasons, no matter what the machine-readable meaning. Nor can any SPDX-compliant value be used. Without a license field at all, cabal refuses to build the package.

By comparison, npm is also SPDX-compliant. There are several reasonable options for proprietary code in npm:

• { "license": "UNLICENSED"} - not great, but much better than NONE.
• { "license": "Proprietary", "private": true } - this disables the ability to upload the package to the public distribution channel, which is fine for truly proprietary code.
• { "license": "SEE LICENSE IN <filename>"} - allows upload with a custom license, possibly proprietary. We might not want to allow that for Hackage.

See also #2141. Now "AllRightsReserved" has not two meanings, but zero meanings, which is much worse. Not that we should necessarily resurrect "AllRightsReserved", but there needs to be some reasonable alternative.

[23Skidoo]

/cc @phadej

IMO it makes sense to copy what npm is doing.

[23Skidoo]

See also https://bugs.linuxfoundation.org/show_bug.cgi?id=1289.

[phadej]

IMO it doesn't make sense what npm is doing.

---

cannot be included in a cabal file for proprietary code for obvious legal reasons,

They aren't obvious to me.

---

From the sdpx issue tracker, @23Skidoo linked (emphasis mine)

We (folks on tech call: Mark, Gary, Bill, Kate, Scott...) think the best practice is to recommend use of the LicenseRef where the text of the referenced license can be whatever the producer of the doc really intends. (if they want to say "All Rights Reserved" they can....)

Regarding the example below: if someone had no license and only a copyright notice (which would be captured via 3.16), then NONE would be correct - there is no license information in the package. How would adding "ALL-RIGHTS-RESERVED" or "NO-LICENSE" add any value? This seems like it would only create overlap and potential confusion, but maybe I'm missing something? I suspect the other thing to consider here, which I think may be touched upon in the NPM issue is creating a bit more of an affirmative statement that there really is 'no license,' rather than 'I can't find any license at all.' But I think the spec already allows for this. For example, if you are using a tool to look for licenses and NOTHING turns up anywhere in the package, then you could return "NONE" for 3.14 Declared License. Then, a human might check that a bit, maybe you even contact the copyright holder and they confirm, 'yup, no license. it truly is ALL rights reserved.' I'd then expect to see NONE for 3.12 Concluded License and a comment 3.15 with some explanation of why or what you discovered.

"PROPRIETARY" is not advisable to add as an identifier - does someone want to define what that means?!? If there IS a license and it's not on the SPDX License List, then use License-Ref (section 5 of the spec). I don't think we want to dilute that. If someone wants to add a field to create a license type classification for their internal use (which I can see being helpful) then they can use the optional fields to do so.

---

I recommend to close this issue as wontfix: if there IS a (proprietary) license: use LicenseRef, if there aren't use NONE.

[ygale]

I opened this issue because when I tried to use cabal init to create a cabal file for proprietary code, I got the error
The license must be a valid SPDX expression.
no matter what I entered other than an open-source license or NONE.

I'll clarify that in the description. Sorry I wasn't clear.

[ygale]

What is the syntax in a cabal file to get LicenseRef? Cabal rejects LicenseRef as the value of license, with the error
CabalFileParseError "./proprietary.cabal" [PError (Position 11 32) "\nunexpected Unknown SPDX license identifier: 'LicenseRef' \n\nLicenseRef\n"] (Just (mkVersion [2,4])) []

EDIT: So leaving the issue description for now. Unless there is some way to get LicenseRef as the value of license, or some other value that is not an SPDX license and not NONE, then this issue is still valid and should be fixed.

[23Skidoo]

LicenseRef-Foo works for me as an identifier with cabal-version: 2.4.

@phadej That thread also mentions that NOASSERTION is a valid value in addition to NONE, shouldn't we support it too?

[sboosali]

iiuc, isn't NONE problematic as a license? even if they don't care about the licensing, the user should at least choose between a "all rights reserved" variant or a public domain variant.

[phadej]

“NONE” is not a license. It’s says there are no license. Same as omitting `license:` field (which is completely fine).

…

Sent from my iPhone

On 17 Mar 2019, at 8.35, Spiros Boosalis ***@***.***> wrote: iiuc, isn't NONE problematic as a license? even if they don't care about the licensing, the user should at least choose between a "all rights reserved" variant or a public domain variant. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[phadej]

NONE is a fancy way to say Nothing. We don’t care to distinguish between “tried [to find a license] but gave up”, “did not try”, and “won't tell you”?. All flavours (i.e. `NONE`) mean the same: only copyright holder have rights

…

Sent from my iPhone

On 17 Mar 2019, at 3.19, Mikhail Glushenkov ***@***.***> wrote: LicenseRef-Foo works for me as an identifier with cabal-version: 2.4. @phadej That thread also mentions that NOASSERTION is a valid value in addition to NONE, shouldn't we support it too? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[sboosali]

got it, thanks

…

On Sun, Mar 17, 2019, 00:31 Oleg Grenrus ***@***.***> wrote: NONE is a fancy way to say Nothing. We don’t care to distinguish between “tried [to find a license] but gave up”, “did not try”, and “won't tell you”?. All flavours (i.e. `NONE`) mean the same: only copyright holder have rights Sent from my iPhone > On 17 Mar 2019, at 3.19, Mikhail Glushenkov ***@***.***> wrote: > > LicenseRef-Foo works for me as an identifier with cabal-version: 2.4. > > @phadej That thread also mentions that NOASSERTION is a valid value in addition to NONE, shouldn't we support it too? > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub, or mute the thread. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#5697 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACNoMVx2itcmfPCDwA7NlePm0O4ju8Yaks5vXe80gaJpZM4YoCXh> .

[ygale]

@phadej Aha, you can just omit the license: field? That works. But it's not one of the choices in cabal init. Can we add that? Or perhaps print a message when you select NONE that you can just delete the license field in the cabal file if you want. Or perhaps allow the empty string as a "valid SPDX license" for "Other" (which is arguably so), and change the prompt to "Other (specify or omit):".

@sboosali Yes, NONE is problematic as a license. @phadej is talking about the machine-readable meaning of NONE. But in English, the simplest meaning of "License: NONE" is a problem. None of the various legal teams I have worked with would allow that wording to appear in this file. In a litigation context, the fact that you could eventually prove that "License: NONE" doesn't mean what it sounds like hardly reduces the legal cost.

@23Skidoo are we using different versions of cabal? In my build of cabal 2.4.1.0 in cabal init there is only a choice of LicenceRef-PublicDomain, which isn't usable for proprietary. I tried manually editing "license:" with various other syntax to put something besides PublicDomain, but I couldn't get it to work. See the error message above.

[phadej]

Again, NONE is not a license. It’s a placeholder value, as `license: ` is (or at least should be) invalid syntax. I think we could make `cabal init` be able to skip license information, or/and omit `license` field if its value is `NONE`.

…

Sent from my iPhone

On 24 Mar 2019, at 12.00, ygale ***@***.***> wrote: @phadej Aha, you can just omit the licesne: field? That works. But it's not one of the choices in cabal init. Can we add that? Or perhaps print a message when you select NONE that you can just delete the license field in the cabal file if you want. Or perhaps allow the empty string as a "valid SPDX license" for "Other" (which is arguably so), and change the prompt to "Other (specify or omit):". @sboosali Yes, NONE is problematic as a license. @phadej is talking about the machine-readable meaning of NONE. But in English, the simplest meaning of "License: NONE" is a problem. None of the various legal teams I have worked with would allow that wording that to appear in this file. In a litigation context, the fact that you could eventually prove that "License: NONE" doesn't mean what it sounds like hardly reduces the cost. @23Skidoo are we using different versions of cabal? In my build of cabal 2.4.1.0 in cabal init there is only a choice of LicenceRef-PublicDomain, which isn't usable for proprietary. I tried manually editing "license:" with various other syntax to put something besides PublicDomain, but I couldn't get it to work. See the error message above. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[sboosali]

i think an omitted license field makes more sense.

…

On Sun, Mar 24, 2019, 07:15 Oleg Grenrus ***@***.***> wrote: Again, NONE is not a license. It’s a placeholder value, as `license: ` is (or at least should be) invalid syntax. I think we could make `cabal init` be able to skip license information, or/and omit `license` field if its value is `NONE`. Sent from my iPhone > On 24 Mar 2019, at 12.00, ygale ***@***.***> wrote: > > @phadej Aha, you can just omit the licesne: field? That works. But it's not one of the choices in cabal init. Can we add that? Or perhaps print a message when you select NONE that you can just delete the license field in the cabal file if you want. Or perhaps allow the empty string as a "valid SPDX license" for "Other" (which is arguably so), and change the prompt to "Other (specify or omit):". > > @sboosali Yes, NONE is problematic as a license. @phadej is talking about the machine-readable meaning of NONE. But in English, the simplest meaning of "License: NONE" is a problem. None of the various legal teams I have worked with would allow that wording that to appear in this file. In a litigation context, the fact that you could eventually prove that "License: NONE" doesn't mean what it sounds like hardly reduces the cost. > > @23Skidoo are we using different versions of cabal? In my build of cabal 2.4.1.0 in cabal init there is only a choice of LicenceRef-PublicDomain, which isn't usable for proprietary. I tried manually editing "license:" with various other syntax to put something besides PublicDomain, but I couldn't get it to work. See the error message above. > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub, or mute the thread. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5697 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACNoMTk5EnqhwGvcEAwXDbc0TXQ2v5JQks5vZ4hrgaJpZM4YoCXh> .

[Anton-Latukha]

(formed #7971 & reducted the message)

The simples solution: live as is & just allow people to discover that they can delete the license field.

With #7971 here - I think both reports cover *this (#5697) report fully, since #7971 uncovers direct technical usability to discover how to set licenses.

[Mikolaj]

@Anton-Latukha: thank you for your comment. Could you summarise you proposal in terms of code changes in cabal? Would that only be cabal init change?