Re: SPDX Statistics - Voyager 2 edition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Top-posting a few comments related to this thread in total (instead of multiple responses to separate posts) and in hopes that people will be more likely to see/read :)

As to Rust saying MPL-2.0+ is invalid - this is likely because Rust thinks of the SPDX License List as *only* what is this page https://spdx.org/licenses/ - ignoring the links at the top of that page that provide the greater context, which is really important to understand. This is a somewhat common misconception, especially when adoption of SPDX ids occurs without actual engagement in the SPDX community. Some time ago, I started (in presentations) to repeat "it's not just a 'list'" to help educate people and updated the first FAQ to this end - https://github.com/spdx/license-list-XML/blob/main/DOCS/faq.md
 Maybe I need to re-write that lead-in language on the top of the page again or put a big yellow flashing sign also? sigh

If you want to pass along this concept to people at Rust and tell them to join the spdx-legal mailing list, we'd be happy to help advise.

As for deprecated SPDX ids and validity in the context of Fedora - I would strongly urge us to use the current ids and not muddy things with the use of deprecated ids. The change as of the SPDX License List 2.0 added the operators (AND, OR, WITH, and +) and so it would super confusing if people still used the ids from v1.0

Further comments below

thanks,
Jilayne

On 8/22/23 2:55 PM, Richard Fontana wrote:
On Tue, Aug 22, 2023 at 4:44 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
On Tue, Aug 22, 2023 at 10:39 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote:
On Tue, Aug 22, 2023 at 3:06 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
On Tue, Aug 22, 2023 at 1:21 PM Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:

          
rust-bitmaps warning: not valid neither as Callaway nor as SPDX, please check
This uses MPL-2.0 or later, denoted as "MPL-2.0+". It looks like an
SPDX identifier, but it's not (there is no "-or-later" variant of
MPL-2.0 in SPDX). I'll investigate and file an issue with upstream.
Jilayne can correct me if I'm wrong, but I am pretty sure `MPL-2.0+`
is a valid and semantically meaningful SPDX identifier. It is arguably
redundant since MPL-2.0 permits downstream relicensing to later
versions.
correct
It's not on the list though:
https://spdx.org/licenses/
The use of `+` is documented at
https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/
(there's probably a more recent version)
Here is the current spec link https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/


<excerpt>
D.3 Simple license expressions

A simple <license-_expression_> is composed one of the following:

An SPDX License List Short Form Identifier. For example: CDDL-1.0
An SPDX License List Short Form Identifier with a unary "+" operator
suffix to represent the current version of the license or any later
version. For example: CDDL-1.0+
An SPDX user defined license reference:
["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
</excerpt>

I believe CDDL-1.0 is like MPL-2.0 in having a built-in "later versions" clause.
this is more or less correct, although we did some analysis on the various license with "or later" clauses and the variations on the actual wording and meaning was surprising...

Also, cargo / crates.io even documents that licenses in crate metadata
needs to be valid SPDX expressions and only things from SPDX license
list are acceptable, so this isn't considered valid by crates.io
That is at least in some sense wrong, since the SPDX spec shows that
valid SPDX expressions include use of the `+` operator with SPDX
identifiers. I think in reality crates.io is redefining what "valid
SPDX expressions" means, though possibly not intentionally.
see comment above - but I'd rephrase that crates.io is probably not "redefining" but operating on a limited understanding :(

For Fedora, I think there are (quite rare) cases where the use of
postpositional `+` should be recognized as valid. I know of one
package (though I can't remember what it is now) that says its license
is the Apache License 2.0 or any later version -- this is validly
represented as `Apache-2.0+` in SPDX.
I would argue that Apache-2.0+, while technically valid, would be silly/incorrect, though :)

Richard

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux