On Mon, Aug 28, 2023 at 4:39 AM Jilayne Lovejoy <jlovejoy@xxxxxxxxxx> wrote: > > Top-posting a few comments related to this thread in total (instead of multiple responses to separate posts) and in hopes that people will be more likely to see/read :) > > As to Rust saying MPL-2.0+ is invalid - this is likely because Rust thinks of the SPDX License List as *only* what is this page https://spdx.org/licenses/ - ignoring the links at the top of that page that provide the greater context, which is really important to understand. This is a somewhat common misconception, especially when adoption of SPDX ids occurs without actual engagement in the SPDX community. Some time ago, I started (in presentations) to repeat "it's not just a 'list'" to help educate people and updated the first FAQ to this end - https://github.com/spdx/license-list-XML/blob/main/DOCS/faq.md It's not "Rust" language per se, but about crates.io, the central package ("crate") registry. The package manager itself (cargo) has no requirements about license specifications at all, and treats the "license" field in package metadata as free-form text. Only crates.io looks at the text of the "license" in the crate metadata, attempts to parse it, and adds links to the license's pages on choosealicense.com. However, it looks like this SPDX expression parser is still limited and doesn't support the full SPDX specification: https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields Reading these docs again, it sounds like the only issue here is that the parser doesn't understand the full SPDX syntax, but that doesn't mean that you can't *use* valid SPDX syntax. > Maybe I need to re-write that lead-in language on the top of the page again or put a big yellow flashing sign also? sigh > > If you want to pass along this concept to people at Rust and tell them to join the spdx-legal mailing list, we'd be happy to help advise. As I said, it looks like this is not about *validity*, but more about "we can't parse everything yet", so I don't see this is a problem. > As for deprecated SPDX ids and validity in the context of Fedora - I would strongly urge us to use the current ids and not muddy things with the use of deprecated ids. The change as of the SPDX License List 2.0 added the operators (AND, OR, WITH, and +) and so it would super confusing if people still used the ids from v1.0 What's the commended approach for packages that use deprecated identifiers then? I would rather not just convert "GPL-2.0" to "GPL-2.0-or-later" or "GPL-2.0-only", since it's almost always not obvious which one was originally intended. Do we need to file issues with upstream projects and ask them to clarify? As for <ID>+ being valid SPDX syntax, can that be supported by fedora-license-validate or whatever the tool is called today? I'd rather not go filing unnecessary bugs with upstream again, just to learn that I filed bugs for things that aren't even wrong. Fabio _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
