Use SPDX expressions for License and Default-License #22
Seems like a good place to start to me.
That being said, before we call CPS stable, I think we should get CPS reviewed by at least one person with some more experience implementing SBOM features in earnest. But this PR doesn't need to wait on that requirement in my opinion.
To be clear, we're requiring anyone that actually needs to parse license information to implement a lexer to do so? We're okay with that?
I am okay with that. Most tools can simply interpret it as a string, and tools that want to do fancy stuff with licenses need to parse SPDX license expressions. vcpkg, for example, already can do this, and there are existing libraries for JS, Java, Python or Go.
Okay, I guess I'm being dragged (kicking and screaming, you understand 😉) into accepting this in principle. I saw some minor issues; see inline comments. Also, at least one of the commits seems to be obliterated by later ones; should this be squashed? (In general, I like fine-grained commits, but this might be a little too fine-grained.)
I took your inline suggestions. I also squashed the last two commits into one, and dropped the commit that fixes the names of the GPL licenses.
Okay, the current split is fine. Thank you! BTW, although the build is "succeeding", there's a warning:
(See inline comment with suggested fix.)
Oops, I replaced the wrong link with your suggestion! Fixed now.
Currently, SPDX license identifiers are used, but a custom composition syntax of nested lists is used. This patch replaces that custom syntax with full SPDX expressions. SPDX has become an ISO standard since work on CPS began, making it a good candidate for use in CPS. For example, the expression in the documentation using the nested list syntax `["CC-BY-4.0", ["GPL-2.0", "LGPL-3.0-or-later"]]` would be written as: `CC-BY-4.0 AND (GPL-2.0-only OR LGPL-3.0-or-later)`.
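The lexer and parser that the discussion above says a license-consuming tool has to write, as an added example that is not part of CPS or this PR: a small recursive-descent parser for SPDX expressions with the AND, OR and WITH operators and parentheses, which handles the expression from the description. The tuple shapes of the returned tree are this example's own choice.

```python
import re

# Grammar (OR binds loosest, then AND, then WITH binds a license to an exception):
#   expression := and_expr ("OR" and_expr)*
#   and_expr   := primary ("AND" primary)*
#   primary    := "(" expression ")" | ID ("WITH" ID)?
# Operators are recognised in upper case only, a simplification of this example.
OPERATORS = ("AND", "OR", "WITH")

def tokenize(expr):
    """Split an expression into ids, operators and parentheses; reject anything else."""
    tokens = []
    for m in re.finditer(r"\s*(\(|\)|[A-Za-z0-9.+-]+|\S)", expr):
        tok = m.group(1)
        if tok not in "()" and not re.fullmatch(r"[A-Za-z0-9.+-]+", tok):
            raise ValueError(f"unexpected character {tok!r} in SPDX expression")
        tokens.append(tok)
    return tokens

def parse(expr):
    """Parse to nested tuples: ("AND"/"OR", [parts]), ("WITH", license, exception) or an id."""
    toks, pos = tokenize(expr), [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        tok = peek()
        pos[0] += 1
        return tok
    def binary(op, operand):  # operand ("OP" operand)* -> one flattened node
        parts = [operand()]
        while peek() == op:
            take()
            parts.append(operand())
        return parts[0] if len(parts) == 1 else (op, parts)
    expression = lambda: binary("OR", lambda: binary("AND", primary))
    def primary():
        tok = take()
        if tok == "(":
            inner = expression()
            if take() != ")": raise ValueError("missing ')'")
            return inner
        if tok in (None, ")", *OPERATORS): raise ValueError(f"expected a license id, got {tok!r}")
        if peek() == "WITH":  # e.g. "GPL-2.0-only WITH Classpath-exception-2.0"
            take()
            exc = take()
            if exc in (None, "(", ")", *OPERATORS): raise ValueError("WITH needs an exception id")
            return ("WITH", tok, exc)
        return tok
    tree = expression()
    if peek() is not None: raise ValueError(f"unexpected token {peek()!r}")
    return tree
```

A tool that only needs the license as an opaque string can skip this and keep the field verbatim; one that builds SBOM data walks the returned tree.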
👍, thank you!
Currently CPS specifies a custom recursive array based syntax for licenses, but uses SPDX license representations. Since the time this was originally specified, SPDX has become an ISO standard, and continued to gain traction in the Open Source world. Apart from being a standard, and more likely to be directly consumable by external tools, it simplifies a build system that wishes to build its own SPDX license information, by simply returning `(ExpressionA) AND (ExpressionB)`.

Fixes #6