On 6/29/20 11:51 AM, Mark Atwood wrote:
What does make sense is creating a new tag, something like "TZ-PD". Then you can start putting "# SDPX-License-Identifier: TZ-PD" in your database text source file, and make life easier for a bunch of people who just want to do the right thing with your data.
I guess I'm not seeing why a one-off tag like this would make compliance checking significantly easier. No other project is likely to use the TZ-PD tag, so data consumers doing compliance checking would need to crosscheck "TZ-PD" to see what it really means, which would require looking at tzdb's LICENSE file and/or development history (like you did) to make up their own minds. So for the tzdb project, the SPDX label seems to be an extra bureaucratic step that provides little or no benefit. Anyway, a more-important obstacle is the legal concern expressed in <https://mm.icann.org/pipermail/tz/2020-June/029122.html>. I'm not reassured by the comment "Applying an SPDX tag ... is not intended to change reality." If tzdb comes with a statement that a particular tag applies to tzdb, then consumers would plausibly rely on that statement, and that would be a change to reality that could well have legal effect. (Besides, Occam's razor applies here: doing nothing is the simplest way to not change reality. :-) One possible way out of the legal impasse might be for you to maintain a tzdb release downstream (let's call it "tzdb-spdx") that has the SPDX tags, and for companies to use tzdb-spdx releases instead of the upstream tzdb releases. That way, these companies could rely on you to bear any extra legal liability that would come from attaching the SPDX tags. Before taking such a step, though, I suggest consulting a lawyer with some expertise in the area.