Re: SPDX Statistics - Voyager 2 edition

On Tue, Aug 22, 2023 at 4:44 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
>
> On Tue, Aug 22, 2023 at 10:39 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote:
> >
> > On Tue, Aug 22, 2023 at 3:06 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
> > >
> > > On Tue, Aug 22, 2023 at 1:21 PM Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
> >
> > > > rust-bitmaps warning: not valid neither as Callaway nor as SPDX, please check
> > >
> > > This uses MPL-2.0 or later, denoted as "MPL-2.0+". It looks like an
> > > SPDX identifier, but it's not (there is no "-or-later" variant of
> > > MPL-2.0 in SPDX). I'll investigate and file an issue with upstream.
> >
> > Jilayne can correct me if I'm wrong, but I am pretty sure `MPL-2.0+`
> > is a valid and semantically meaningful SPDX identifier. It is arguably
> > redundant since MPL-2.0 permits downstream relicensing to later
> > versions.
>
> It's not on the list though:
> https://spdx.org/licenses/

The use of `+` is documented at
https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/
(there's probably a more recent version)

<excerpt>
D.3 Simple license expressions

A simple <license-expression> is composed one of the following:

An SPDX License List Short Form Identifier. For example: CDDL-1.0
An SPDX License List Short Form Identifier with a unary "+" operator
suffix to represent the current version of the license or any later
version. For example: CDDL-1.0+
An SPDX user defined license reference:
["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
</excerpt>

I believe CDDL-1.0 is like MPL-2.0 in having a built-in "later versions" clause.

> Also, cargo / crates.io even documents that licenses in crate metadata
> needs to be valid SPDX expressions and only things from SPDX license
> list are acceptable, so this isn't considered valid by crates.io

That is at least in some sense wrong, since the SPDX spec shows that
valid SPDX expressions include use of the `+` operator with SPDX
identifiers. I think in reality crates.io is redefining what "valid
SPDX expressions" means, though possibly not intentionally.

For Fedora, I think there are (quite rare) cases where the use of
postpositional `+` should be recognized as valid. I know of one
package (though I can't remember what it is now) that says its license
is the Apache License 2.0 or any later version -- this is validly
represented as `Apache-2.0+` in SPDX.

Richard
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
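
Added example, not part of the original message and not code from SPDX, cargo or crates.io: a small Python check of the simple-expression grammar quoted in the excerpt above, showing how `MPL-2.0+` can be a valid expression and still fail a lookup against the license list alone. The `KNOWN_IDS` subset and the function names are constructed for illustration.

```python
import re

# Constructed subset of the SPDX License List: only the identifiers named in
# the thread. A real checker would load the full list from spdx.org/licenses.
KNOWN_IDS = {"MPL-2.0", "CDDL-1.0", "Apache-2.0"}

# idstring per the SPDX ABNF: letters, digits, "-" and ".".
IDSTRING = r"[A-Za-z0-9.-]+"
# ["DocumentRef-" idstring ":"] "LicenseRef-" idstring
LICENSE_REF = re.compile(rf"(?:DocumentRef-{IDSTRING}:)?LicenseRef-{IDSTRING}")


def classify_simple(expr: str) -> str:
    """Classify one simple license expression (no AND / OR / WITH).

    Matching is exact-case here, which is a simplification for the example.
    """
    if LICENSE_REF.fullmatch(expr):
        return "license-ref"
    if expr in KNOWN_IDS:
        return "list-id"
    # Unary "+" suffix: strip exactly one "+" and require a listed identifier.
    if expr.endswith("+") and expr[:-1] in KNOWN_IDS:
        return "list-id-or-later"
    return "invalid"


def list_only_check(expr: str) -> bool:
    """The stricter reading discussed in the thread: exact list entries only."""
    return expr in KNOWN_IDS


if __name__ == "__main__":
    samples = ["MPL-2.0", "MPL-2.0+", "Apache-2.0+", "MPL-2.0-or-later",
               "MPL-2.0++", "LicenseRef-Vendor-1.0",
               "DocumentRef-ext:LicenseRef-Vendor-1.0", "LicenseRef-"]
    for s in samples:
        print(f"{s:40} grammar={classify_simple(s):18} "
              f"list_only={list_only_check(s)}")
```

A tool that applies only `list_only_check` rejects `MPL-2.0+` and `Apache-2.0+`, while one that follows the quoted grammar accepts both and still rejects `MPL-2.0-or-later`.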



