Re: New tool - license-validate

On Tue, Jan 04, 2022 at 02:40:06PM -0500, Neal Gompa wrote:
> On Tue, Jan 4, 2022 at 2:25 PM Robbie Harwood <rharwood@xxxxxxxxxx> wrote:
> >
> > Neal Gompa <ngompa13@xxxxxxxxx> writes:
> >
> > > SPDX expression logic is identical to Fedora's, so that will not
> > > change.
> >
> > I don't believe that's correct.
> >
> > For instance, for the LGPL, SPDX uses "LGPL-2.0-only" and
> > "LGPL-2.0-or-later", while Fedora currently uses "LGPLv2" and "LGPLv2+".
> >
> > (From https://spdx.org/licenses/ and
> > https://fedoraproject.org/wiki/Licensing:Main )
>
> Those are the identifiers, not the *logic*. SPDX and Fedora both use
> the same boolean logic terms ("and"/"or"/"with") and support
> parenthetical expressions. Fedora mandates lowercase, SPDX doesn't
> care, but examples historically are uppercase. Fedora will retain its
> expression logic system, complete with lowercase terms (since that
> makes the expressions more readable).

One of the difficult things with the Fedora abbreviations is that
tokens can have spaces in them.  For example, the Apache 2.0 license
in Fedora is called "ASL 2.0".  This makes it really hard to work with
in software.

Likewise, we have historically allowed full expressions through that
contain otherwise forbidden licenses.  For example, many Perl module
packages use the License tag "GPL+ or Artistic" so in a way that
entire expression is treated as a token.

This information is currently captured in this JSON file (not the
original author, but I make use of the file):

    https://github.com/rpminspect/rpminspect-data-fedora/blob/master/licenses/fedora.json

rpminspect's license check uses this data to validate the License tag
in RPM headers based on the rules as they exist in the packaging
guidelines plus the assorted expressions we have historically allowed
through that would not otherwise validate.

If your License tag fails the check in rpminspect, it will report the
unapproved token based on the fedora.json file it read.

All of this is to say that the ongoing effort to permit SPDX
expressions in the License is to make this inspection more predictable
and Fedora's License tags more useful.

Thanks,

--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
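
The following is an added example, not part of the original message and not rpminspect's code. It sketches the kind of License tag check the message describes, where tokens such as "ASL 2.0" contain spaces and a legacy expression such as "GPL+ or Artistic" is accepted as a single token. The approved set, the legacy list and all function names are constructed for illustration and do not reflect the contents or layout of fedora.json; only lowercase "and"/"or" and parentheses are treated as separators.

```python
import re

# Constructed sample data for illustration; NOT the contents of fedora.json.
APPROVED = {"ASL 2.0", "GPLv2+", "LGPLv2+", "MIT", "BSD"}
# Whole expressions historically allowed through, each treated as one token.
LEGACY_EXPRESSIONS = ["GPL+ or Artistic"]

# Only lowercase "and"/"or" surrounded by whitespace, and parentheses, split
# a tag. Everything between them is one license token, spaces included.
SEPARATOR = re.compile(r"\s+(?:and|or)\s+|[()]")

def unapproved_tokens(tag):
    """Return the license tokens in `tag` that are not approved."""
    tag = " ".join(tag.split())                      # collapse whitespace runs
    if tag.count("(") != tag.count(")"):
        raise ValueError("unbalanced parentheses in License tag")
    # Mask legacy expressions first so their inner "or" is not split on.
    for i, expr in enumerate(LEGACY_EXPRESSIONS):
        pattern = r"(?<![^\s(])" + re.escape(expr) + r"(?![^\s)])"
        tag = re.sub(pattern, f"\x00{i}", tag)
    bad = []
    for token in SEPARATOR.split(tag):
        token = token.strip()
        if not token or token.startswith("\x00"):    # gap or masked legacy expr
            continue
        if token not in APPROVED:
            bad.append(token)
    return bad

def naive_unapproved(tag):
    """Whitespace tokenizer, shown only to illustrate why it fails here."""
    words = tag.replace("(", " ").replace(")", " ").split()
    return [w for w in words if w not in ("and", "or") and w not in APPROVED]
```

With this sample data, the whitespace tokenizer rejects "ASL 2.0" as two unknown words, while the separator-based check accepts it and still reports a token such as "Artistic" when it appears outside the allowed legacy expression.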