[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DEP5 and spdx shortname of license



Il 08/09/2024 12:25, Aurélien COUDERC ha scritto:

Le 8 septembre 2024 09:38:00 GMT+02:00, Andrea Pappacoda <andrea@pappacoda.it> a écrit :
Hi Aurélien,

On Sat Sep 7, 2024 at 10:56 PM CEST, Aurélien COUDERC wrote:
Our spec [2] already defines an equivalence rule between License-X and License-X.0 declarations for SPDX compatibility.
For what I’ve seen on the quite vast and diverse KDE source corpus we’d only need 2 additional equivalence rules to be added to matches what that upstream ships :
- equivalence between the + and -or-later suffixes (GPL-2+ / GPL-2.0-or-later)
There's already an equivalence in the SPDX spec, as described in "Annex D: SPDX license expressions"[1] (kind of. using the plus sign operator "+" is SPDX's general way of saying "this version or later", while "-or-later" is a special case only valid for GPL licenses, as described in [2] and [3]).

This means that you can use "GPL-3.0+" in debian/copyright and have it being valid both when interpreted as our format or as an SPDX expression.
GPL-3.0+ and GPL-3.0 are deprecated in spdx and from what I saw a tool using spdx consider them not valid
Thanks, interesting.

What I'd like to see is us updating *our* spec to have the equivalence the other way around and I can extract upstream provided SPDX licence identifiers while staying debian-machine-readable-copyright compliant.

spdx license list it's big and it keeps growing, I think this can help in some cases where searching among the Debian ones it is difficult to find

there are some cases where even the spdx list is not enough but I found a match in scancode-licensedb.aboutcode.org (now with 2197 licenses)

seems that someone tried to add scancode or integrate its detection in decopy (https://wiki.debian.org/JelmerVernooij/scancode) and that would be great if we could succeed



--
Aurélien


Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


Reply to: