@pwithnall
Contributor

We’ve come across an issue recently where a project gave its license as

<project_license>GPL-2.0+ and CC-BY-SA-3.0</project_license>

I assume (but am waiting to confirm) that this is intended to convey that the code is under GPL-2.0+ and the documentation is under CC-BY-SA-3.0. However, in SPDX, "and" means the terms of both licenses must be complied with, which means that the code must also be licensed under CC-BY-SA-3.0 and the documentation must also be licensed under GPL-2.0+.

CC-BY-SA-3.0 is not FSF or OSI approved so this has the end result of as_license_is_free_license() saying that this project is proprietary.

I think the fix here is for the project to simply use:

<project_license>GPL-2.0+</project_license>

since that’s the license for the project as a whole, and CC-BY-SA-3.0 is only used for a portion of it.

That leads to the question of how to avoid this situation in future. My suggestion would be the following, but I’m sure many other solutions are possible and might be better:

  • Clarify in the spec that project_license is for the top-level license of the project (typically the one applied to the code, for a software project)
  • Potentially add a new <documentation_license> element for exposing the license of the project’s documentation independently of <project_license>
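The SPDX semantics the comment above relies on, as an added example that is not part of the issue and is not AppStream's own as_license_is_free_license() implementation: a small evaluator that parses an SPDX license expression (identifiers, "+" suffix, WITH, AND, OR, parentheses; AND binds tighter than OR) and reports whether the whole expression is free. The APPROVED set is a constructed subset for illustration, not the real FSF/OSI list, and CC-BY-SA-3.0 is deliberately left out of it, as the comment states.

```python
"""Evaluate whether an SPDX license expression denotes a free license.

Added illustration, not AppStream code. A conjunction (AND) is free only if
every operand is free; a disjunction (OR) is free if any operand is free.
"""
import re
from typing import List, Optional

# Constructed subset of FSF/OSI-approved identifiers for the demo only;
# a real check consults the full SPDX license list data.
APPROVED = {
    "GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0", "LGPL-2.1",
    "MIT", "Apache-2.0", "CC-BY-SA-4.0",
}

_ID = re.compile(r"[A-Za-z0-9.+-]+")


def tokenize(expr: str) -> List[str]:
    """Split an expression into '(' , ')' and identifier/keyword tokens."""
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c.isspace():
            i += 1
        elif c in "()":
            tokens.append(c)
            i += 1
        else:
            m = _ID.match(expr, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            tokens.append(m.group())
            i = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser producing ('id', name, exception) / ('and', a, b) / ('or', a, b)."""

    def __init__(self, tokens: List[str]):
        self.toks, self.pos = tokens, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def _keyword(self, word: str) -> bool:
        tok = self.peek()
        return tok is not None and tok.upper() == word

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def or_expr(self):            # lowest precedence
        node = self.and_expr()
        while self._keyword("OR"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):           # binds tighter than OR
        node = self.primary()
        while self._keyword("AND"):
            self.take()
            node = ("and", node, self.primary())
        return node

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError(f"expected license identifier, got {tok!r}")
        exception = None
        if self._keyword("WITH"):          # "LIC WITH exception" keeps LIC's freeness
            self.take()
            exception = self.take()
            if exception is None or exception in ("(", ")"):
                raise ValueError("WITH must be followed by an exception identifier")
        return ("id", tok, exception)


def license_is_approved(name: str) -> bool:
    """'GPL-2.0+' means GPL-2.0 or later; check the base id and its -or-later form."""
    base = name[:-1] if name.endswith("+") else name
    return base in APPROVED or base + "-or-later" in APPROVED


def _free(node) -> bool:
    kind = node[0]
    if kind == "id":
        return license_is_approved(node[1])
    left, right = _free(node[1]), _free(node[2])
    return (left and right) if kind == "and" else (left or right)


def is_free_license(expr: str) -> bool:
    return _free(_Parser(tokenize(expr)).parse())


def unapproved_ids(expr: str) -> List[str]:
    """Identifiers in the expression that are not in APPROVED, in order of appearance."""
    found: List[str] = []

    def walk(node):
        if node[0] == "id":
            if not license_is_approved(node[1]) and node[1] not in found:
                found.append(node[1])
        else:
            walk(node[1])
            walk(node[2])

    walk(_Parser(tokenize(expr)).parse())
    return found


if __name__ == "__main__":
    for e in ("GPL-2.0+ and CC-BY-SA-3.0", "GPL-2.0+", "GPL-2.0+ OR CC-BY-SA-3.0"):
        print(f"{e!r}: free={is_free_license(e)} unapproved={unapproved_ids(e)}")
```

Run as a script it prints that "GPL-2.0+ and CC-BY-SA-3.0" evaluates as not free because of the CC-BY-SA-3.0 operand, while "GPL-2.0+" alone and "GPL-2.0+ OR CC-BY-SA-3.0" both evaluate as free, which is exactly the distinction the comment draws between AND and the project's intended "code under X, docs under Y".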