Re: SPDX Statistics - Voyager 2 edition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Mon, Aug 28, 2023 at 4:39 AM Jilayne Lovejoy <jlovejoy@xxxxxxxxxx> wrote:
> Top-posting a few comments related to this thread in total (instead of multiple responses to separate posts) and in hopes that people will be more likely to see/read :)
> As to Rust saying MPL-2.0+ is invalid - this is likely because Rust thinks of the SPDX License List as *only* what is this page - ignoring the links at the top of that page that provide the greater context, which is really important to understand. This is a somewhat common misconception, especially when adoption of SPDX ids occurs without actual engagement in the SPDX community. Some time ago, I started (in presentations) to repeat "it's not just a 'list'" to help educate people and updated the first FAQ to this end -

It's not "Rust" language per se, but about, the central
package ("crate") registry.

The package manager itself (cargo) has no requirements about license
specifications at all, and treats the "license" field in package
metadata as free-form text.
Only looks at the text of the "license" in the crate
metadata, attempts to parse it, and adds links to the license's pages

However, it looks like this SPDX expression parser is still limited
and doesn't support the full SPDX specification:

Reading these docs again, it sounds like the only issue here is that
the parser doesn't understand the full SPDX syntax, but that doesn't
mean that you can't *use* valid SPDX syntax.

>  Maybe I need to re-write that lead-in language on the top of the page again or put a big yellow flashing sign also? sigh
> If you want to pass along this concept to people at Rust and tell them to join the spdx-legal mailing list, we'd be happy to help advise.

As I said, it looks like this is not about *validity*, but more about
"we can't parse everything yet", so I don't see this is a problem.

> As for deprecated SPDX ids and validity in the context of Fedora - I would strongly urge us to use the current ids and not muddy things with the use of deprecated ids. The change as of the SPDX License List 2.0 added the operators (AND, OR, WITH, and +) and so it would super confusing if people still used the ids from v1.0

What's the commended approach for packages that use deprecated
identifiers then? I would rather not just convert "GPL-2.0" to
"GPL-2.0-or-later" or "GPL-2.0-only", since it's almost always not
obvious which one was originally intended. Do we need to file issues
with upstream projects and ask them to clarify?

As for <ID>+ being valid SPDX syntax, can that be supported by
fedora-license-validate or whatever the tool is called today?
I'd rather not go filing unnecessary bugs with upstream again, just to
learn that I filed bugs for things that aren't even wrong.

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux