[tz] re SPDX, I'll do the work, if you'll use the tag

Paul Eggert eggert at cs.ucla.edu
Tue Jun 30 08:40:18 UTC 2020

On 6/29/20 11:51 AM, Mark Atwood wrote:
> What does make sense is creating a new tag, something like "TZ-PD".   Then you can start putting "# SDPX-License-Identifier: TZ-PD" in your database text source file, and make life easier for a bunch of people who just want to do the right thing with your data.

I guess I'm not seeing why a one-off tag like this would make compliance
checking significantly easier. No other project is likely to use the TZ-PD tag,
so data consumers doing compliance checking would need to crosscheck "TZ-PD" to
see what it really means, which would require looking at tzdb's LICENSE file
and/or development history (like you did) to make up their own minds. So for the
tzdb project, the SPDX label seems to be an extra bureaucratic step that
provides little or no benefit.

Anyway, a more-important obstacle is the legal concern expressed in
<https://mm.icann.org/pipermail/tz/2020-June/029122.html>. I'm not reassured by
the comment "Applying an SPDX tag ... is not intended to change reality." If
tzdb comes with a statement that a particular tag applies to tzdb, then
consumers would plausibly rely on that statement, and that would be a change to
reality that could well have legal effect. (Besides, Occam's razor applies here:
doing nothing is the simplest way to not change reality. :-)

One possible way out of the legal impasse might be for you to maintain a tzdb
release downstream (let's call it "tzdb-spdx") that has the SPDX tags, and for
companies to use tzdb-spdx releases instead of the upstream tzdb releases. That
way, these companies could rely on you to bear any extra legal liability that
would come from attaching the SPDX tags. Before taking such a step, though, I
suggest consulting a lawyer with some expertise in the area.

More information about the tz mailing list