New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ambiguity regarding multiple licenses #1108
Comments
The Do you have examples of projects in the Hex ecosystem with licenses this complex and why they need to express the licenses with expressions in this field? |
Does this mean that whether the licenses are For instance, the common Apache 2.0 license (used by Elixir, Erlang, etc) and the GPLv2 (used by
If someone else's package is licensed under GPLv2, knowing whether my package is licensed under "Apache-2.0 or MIT" vs "Apache-2.0 and MIT" (a la Rust) determines whether or not they may use my library. Of course, I should unambiguously state this somewhere within my project, but it would be nice if a tool could use the package metadata to perform this check automatically.
I don't know of any packages currently on Hex with a complex license, but I could ship one today 😉 Many of the foundational technologies that the ecosystem relies on have more than simple a license, including LLVM ( |
This is an interesting situation @J3RN |
@supersimple Fortunately for us, the good folks over at SPDX have a solution to normalizing all kinds of crazy licenses, including composite licenses, licenses with exceptions, and even user-defined licenses: SPDX License Expressions. The SPDX specification also specifies and unambiguous grammar for parsing licenses expressions into their constituent parts (the licenses, the operators, the exceptions, etc). FWIW, the Rust ecosystem has a |
Speaking of Rust, a quick Google reveals that the |
I think conforming to the SPDX standard would be sensible, seeing as it's already widely used and the rules are unambiguous and powerful enough for real-world use in larger ecosystems than ours. Supporting SPDX expressions does make the list of multiple licences redundant, but so long as we decide whether licences are |
To be clear we are conforming to the SPDX license identifiers but we do not support expressions. Between When there are projects in the community that require expressions we can reconsider supporting them but right now they do not seem to be needed so I would like to avoid the extra maintenance work for something that 10000+ packages has not needed so far. |
There's also a
Given we don't know whether existing projects are using RE maintenance, the SPDX ABNF grammar is thankfully very simple. We'd only need to parse a string in this format to validate an expression. idstring = 1*(ALPHA / DIGIT / "-" / "." )
license-id = <short form license identifier in Annex A.1>
license-exception-id = <short form license exception identifier in Annex A.2>
license-ref = ["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
simple-expression = license-id / license-id"+" / license-ref
compound-expression = simple-expression /
simple-expression "WITH" license-exception-id /
compound-expression "AND" compound-expression /
compound-expression "OR" compound-expression /
"(" compound-expression ")"
license-expression = simple-expression / compound-expression If there was a Hex package that validated SPDX licences would that ease the development cost concern for you? -spec is_spdx_expression(binary()) -> boolean(). |
I am not so worried about the parsing itself, we already have spdx that validates license identifiers that we could add the parsing to. But updating the Hex package metadata specification involves changes to (I think) at least 7 repositories. We also just introduced enforcement of spdx identifiers with deprecations and eventually error messages that users will have to deal with. Introducing more changes for something that doesn't seem to be actively used does not make sense to me when there are so many other things that needs development time. |
That's very reasonable. What would a migration path be for people who are currently using the list as |
Related to, but not exactly, #746
Prompted by discussion on gleam-lang/gleam#1450
Presently the Adding metadata section of the Hex.pm docs contain a
licenses
field with the documentation:This leaves ambiguous a few items:
and
ed oror
ed together? If the answer is one of these, how would I convey the other?In my opinion (which you're free to ignore 😅) the answer to this is to supersede the
licenses
field with alicense_expression
field containing an SPDX Expression. SPDX Expression unambiguously conveyand
s,or
s,with
s, and "or later" (via-or-later
or+
, depending on GNU vs non-GNU).The text was updated successfully, but these errors were encountered: