On 6/21/20 8:26 AM, Brian Inglis wrote:
> SPDX is under the Linux Foundation, and Linux has now been plastered with SPDX labels in all source files, and other projects are adding them, to reduce the effort of replying to compliance/risk management and other queries from supply chain managers: keeping product acquisition staff busy working from home.
I just checked, and the string "SPDX" is in about 26% of Linux source files, so apparently SPDX labeling is typically not needed universally even within its home project. From the Linux point of view, perhaps tzdb source could also fall under the category of "labeling not needed". Also, I'm not seeing many questions from compliance/risk management people on this mailing list - after all, the LICENSE file is pretty clear to anybody who does this sort of thing for a living - so perhaps the need for SPDX labeling is not so great for tzdb.
> As there are concerns about IERS leap-seconds.list on this list, European and other country product compliance/risk management/supply chain staff have concerns about tz content.
Fair enough, but SPDX tagging won't solve that problem, just as the lack of SPDX tagging in the IERS leap-seconds.list isn't the fundamental problem that we have with using that file. One of my worries here is that SPDX tagging will give people even more arguments to sue me and/or the IANA. The SPDX website keeps saying things like "Certifier recognizes that his good faith efforts may not shield him from liability if in fact the work certified is not in the public domain." This leads me to think that I don't want to be an SPDX certifier, and would rather that somebody else take the additional legal liability that would arise from SPDX tagging. I've already been sued one time too many for my volunteer work.