License Mapping for BSD-3-Clause and BSD-4-Clause #205

Open
msymons opened this issue May 30, 2022 · 4 comments
Labels
question Further information is requested

Comments

@msymons
Contributor

msymons commented May 30, 2022

With this addition to license mappings in PR #195

The consequence is that the component antlr4 now maps to BSD-4-Clause when the intention of the antlr project is that the license should be BSD-3-Clause.

See LICENSE.txt

From antlr4 POM:

    <licenses>
        <license>
            <name>The BSD License</name>
            <url>http://www.antlr.org/license.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

So, is this a problem with cyclonedx-core-java license mapping, or is it a problem with antlr4 POM?

The consequence of thinking that a BSD-3-Clause is actually BSD-4-Clause is that the latter:

  • Adds an "advertising clause" that requires an acknowledgment of the original source in all advertising material.
  • Was rescinded in 1999
  • Is not OSI-approved.

stevespringett added the question (Further information is requested) label Jun 5, 2022
@stevespringett
Member

According to Wikipedia, "BSD License" is the 4-clause license. Thus CycloneDX-Core-Java is properly identifying the license from the antlr4 pom.

https://en.wikipedia.org/wiki/BSD_licenses

If the antlr4 project is licensed under BSD-3-Clause, then perhaps the project should explicitly state that using the BSD-3-Clause SPDX identifier.

@msymons
Contributor Author

msymons commented Jun 5, 2022

@stevespringett, the POM for antlr4 says "The BSD License" and not "BSD License". The Wikipedia page says:

> While the original license is sometimes referred to as the "BSD-old", the resulting 3-clause version is sometimes referred to by "BSD-new." Other names include "New BSD", "revised BSD", "BSD-3", or "3-clause BSD". This version has been vetted as an Open source license by the OSI as "The BSD License"

i.e., a reading of this is that "The BSD License" is 3-clause and not 4-clause.

So, is the license mapping in cyclonedx-core-java really correct on this point?

Having said that, I will most definitely try to get the antlr4 project to use the BSD-3-Clause SPDX identifier.

@tmehnert
Contributor

The antlr4 project is proven to be BSD-3-Clause, see LICENSE.txt.

@msymons
Contributor Author

msymons commented Feb 2, 2023

> The antlr4 project is proven to be BSD-3-Clause, see LICENSE.txt.

Yes, @tmehnert, that's because the license that you link to is the one based on the PR that I submitted 😄
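
An added example, not part of the issue thread and not code from cyclonedx-core-java: a resolver that refuses to guess a BSD variant from a free-text POM name and instead classifies the license text by the clauses it contains, the advertising clause being the one that marks BSD-4-Clause. The name pattern, the abbreviated license texts and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The <licenses> block quoted in the issue (antlr4 POM).
POM = """<licenses>
    <license>
        <name>The BSD License</name>
        <url>http://www.antlr.org/license.html</url>
        <distribution>repo</distribution>
    </license>
</licenses>"""

# Constructed, abbreviated license texts (assumption); real files carry full clauses.
HEAD = "Redistribution and use in source and binary forms, with or without ..."
ENDORSE = "Neither the name of the copyright holder ... to endorse or promote ..."
TEXT_3 = HEAD + "\n" + ENDORSE
TEXT_4 = HEAD + "\nAll advertising materials mentioning features ...\n" + ENDORSE

SPDX_BSD = {"BSD-2-Clause", "BSD-3-Clause", "BSD-4-Clause"}
# Hypothetical pattern for names that do not say which BSD variant is meant.
AMBIGUOUS = re.compile(r"^(the\s+)?bsd(\s+licen[sc]e)?$", re.I)


def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace a full POM declares


def pom_license_names(xml_text):
    root = ET.fromstring(xml_text)
    return [(n.text or "").strip() for lic in root.iter() if local(lic.tag) == "license"
            for n in lic if local(n.tag) == "name"]


def bsd_variant(text):
    """Classify by clauses: the advertising clause is what marks BSD-4-Clause."""
    if not re.search(r"redistribution\s+and\s+use\s+in\s+source", text, re.I):
        return None
    if re.search(r"all\s+advertising\s+materials", text, re.I):
        return "BSD-4-Clause"
    return "BSD-3-Clause" if re.search(r"endorse\s+or\s+promote", text, re.I) else "BSD-2-Clause"


def resolve(name, license_text=None):
    """Return (spdx_id or None, evidence) without guessing from a vague name."""
    if name in SPDX_BSD:
        return name, "spdx-id-in-pom"
    if AMBIGUOUS.match(name.strip()):
        variant = bsd_variant(license_text) if license_text else None
        return (variant, "license-text") if variant else (None, "ambiguous-name")
    return None, "unmapped"
```

Recording the evidence string next to the identifier in an SBOM review lets a reader see whether an entry came from an explicit SPDX id, from the license text, or was left unresolved.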
