Top-posting a few comments related to this thread in total (instead of
multiple responses to separate posts) and in hopes that people will be
more likely to see/read :)
As to Rust saying MPL-2.0+ is invalid - this is likely because Rust
thinks of the SPDX License List as *only* what is this page
https://spdx.org/licenses/ - ignoring the links at the top of that page
that provide the greater context, which is really important to
understand. This is a somewhat common misconception, especially when
adoption of SPDX ids occurs without actual engagement in the SPDX
community. Some time ago, I started (in presentations) to repeat "it's
not just a 'list'" to help educate people and updated the first FAQ to
this end - https://github.com/spdx/license-list-XML/blob/main/DOCS/faq.md
Maybe I need to re-write that lead-in language on the top of the page
again or put a big yellow flashing sign also? sigh
If you want to pass along this concept to people at Rust and tell them
to join the spdx-legal mailing list, we'd be happy to help advise.
As for deprecated SPDX ids and validity in the context of Fedora - I
would strongly urge us to use the current ids and not muddy things with
the use of deprecated ids. The change as of the SPDX License List 2.0
added the operators (AND, OR, WITH, and +) and so it would super
confusing if people still used the ids from v1.0
Further comments below
thanks,
Jilayne
On 8/22/23 2:55 PM, Richard Fontana wrote:
On Tue, Aug 22, 2023 at 4:44 PM Fabio Valentini<decatho...@gmail.com> wrote:
On Tue, Aug 22, 2023 at 10:39 PM Richard Fontana<rfont...@redhat.com> wrote:
On Tue, Aug 22, 2023 at 3:06 PM Fabio Valentini<decatho...@gmail.com> wrote:
On Tue, Aug 22, 2023 at 1:21 PM Miroslav Suchý<msu...@redhat.com> wrote:
rust-bitmaps warning: not valid neither as Callaway nor as SPDX, please check
This uses MPL-2.0 or later, denoted as "MPL-2.0+". It looks like an
SPDX identifier, but it's not (there is no "-or-later" variant of
MPL-2.0 in SPDX). I'll investigate and file an issue with upstream.
Jilayne can correct me if I'm wrong, but I am pretty sure `MPL-2.0+`
is a valid and semantically meaningful SPDX identifier. It is arguably
redundant since MPL-2.0 permits downstream relicensing to later
versions.
correct
It's not on the list though:
https://spdx.org/licenses/
The use of `+` is documented at
https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/
(there's probably a more recent version)
Here is the current spec link
https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
<excerpt>
D.3 Simple license expressions
A simple <license-expression> is composed one of the following:
An SPDX License List Short Form Identifier. For example: CDDL-1.0
An SPDX License List Short Form Identifier with a unary "+" operator
suffix to represent the current version of the license or any later
version. For example: CDDL-1.0+
An SPDX user defined license reference:
["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
</excerpt>
I believe CDDL-1.0 is like MPL-2.0 in having a built-in "later versions" clause.
this is more or less correct, although we did some analysis on the
various license with "or later" clauses and the variations on the actual
wording and meaning was surprising...
Also, cargo / crates.io even documents that licenses in crate metadata
needs to be valid SPDX expressions and only things from SPDX license
list are acceptable, so this isn't considered valid by crates.io
That is at least in some sense wrong, since the SPDX spec shows that
valid SPDX expressions include use of the `+` operator with SPDX
identifiers. I think in reality crates.io is redefining what "valid
SPDX expressions" means, though possibly not intentionally.
see comment above - but I'd rephrase that crates.io is probably not
"redefining" but operating on a limited understanding :(
For Fedora, I think there are (quite rare) cases where the use of
postpositional `+` should be recognized as valid. I know of one
package (though I can't remember what it is now) that says its license
is the Apache License 2.0 or any later version -- this is validly
represented as `Apache-2.0+` in SPDX.
I would argue that Apache-2.0+, while technically valid, would be
silly/incorrect, though :)
Richard
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
