Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ambiguity of multi-license notation #48303

Open
HiPhish opened this issue Jan 20, 2024 · 6 comments
Open

Ambiguity of multi-license notation #48303

HiPhish opened this issue Jan 20, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@HiPhish
Copy link
Contributor

HiPhish commented Jan 20, 2024

If a package is released under the terms of two licenses the manual says

Multiple licenses should be separated by commas, Example: GPL-3.0-or-later, custom:Hugware.

However, this does not make it clear whether either of the license terms apply, or whether both apply. An example of a package where both licenses apply is picom which is under the terms of both the MPL-2.0 and MIT licenses.

This ambiguity could be avoided by using SPDX expressions to combine multiple licenses. These expressions can be arbitrarily complex and cover combinations of licenses (AND and OR) as well as exceptions (WITH) and grouping with parentheses. In the case of picom the SPDX expression is MPL-2.0 AND MIT. In fact, there is an SPDX file in the repo that contains this license: https://github.com/yshui/picom/blob/197b4bd396590cb5df61eb54ec6a1dadf1115a5d/LICENSE.spdx
@HiPhish HiPhish changed the title Amiguity of multi-license notation Ambiguity of multi-license notation Jan 20, 2024
@classabbyamp
Copy link
Member

in xbps-src and xbps, the license field is just free text so it's more a matter of adding it to xlint.
xlint already supports WITH (it just translates it to ,). supporting AND and OR could be done the same way or in a more complex way to actually interpret the expression.

@HiPhish
Copy link
Contributor Author

HiPhish commented Jan 20, 2024

Updating xlint would be good, but if we want to support more complex expressions that involve parentheses it gets much more complicated. One solution would be to internally ignore any parentheses, then we only validate the individual license identifiers, but not the entire expression. Or we shell out to a dedicated validator.

And the manual should be updated to recommend SPDX expressions instead of comma.

@0x5c
Copy link
Contributor

0x5c commented Feb 10, 2024

I'm not sure we truly need support for full SPDX expressions, but even the parentheses could be handled as , by xlint since there's no place (in xbps-src or xlint) where the code actually needs a full understanding of the licence; where there's some logic looking at the licence, it's only looking at the individual licence IDs.
In short: we could accept full expression in that field even if we don't parse and evaluate them properly in xlint and such

I think that's what I'm working on once I'm done updating picom and a couple other packages

@classabbyamp
Copy link
Member

even the parentheses could be handled as , by xlint

I think xlint should just filter parens out

0x5c added a commit to 0x5c/xtools that referenced this issue Feb 11, 2024
@0x5c
xlint: accept full SPDX licence expressions
3588936 
This changes makes xlint gracefully accept full SPDX licence expressions, while
still evaluating only the individual licences in xlint.

See void-linux/void-packages#48303
@0x5c 0x5c mentioned this issue Feb 11, 2024
Merged
@0x5c
Copy link
Contributor

0x5c commented Feb 11, 2024
edited by classabbyamp

@github-actions GitHub Actions
Copy link

Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.

@github-actions github-actions bot added the Stale label May 12, 2024
@classabbyamp classabbyamp added enhancement New feature or request and removed Stale labels May 12, 2024
leahneukirchen pushed a commit to leahneukirchen/xtools that referenced this issue May 12, 2024
@0x5c @leahneukirchen
xlint: accept full SPDX licence expressions
ba08489 
This changes makes xlint gracefully accept full SPDX licence expressions, while
still evaluating only the individual licences in xlint.

See void-linux/void-packages#48303
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@HiPhish @classabbyamp @0x5c