On 1/5/22 7:59 AM, David Cantrell wrote:
On Mon, Jan 03, 2022 at 12:12:38PM -0500, Matthew Miller wrote:
On Mon, Jan 03, 2022 at 01:26:33PM +0100, Miroslav Suchý wrote:
The License tag was never formally defined. If we agree that there can be anything, then let it be.
The Pending PR here updates that to: SPDX License identifier or expression (from our "Good" list).
https://pagure.io/packaging-committee/pull-request/1142#_1__38
Although given the context here, I note that that's ambiguous about whether the _whole expression_ must be on the list — I don't think that's the intention!
I think in some cases, it may be. As our discussions on this PR have noted, Fedora may approve an expression but not all expressions that SPDX can represent. So the objective is more about using the tokens and expression syntax defined by SPDX, but then we have our list of approved expressions. This is also necessary because we need to maintain our own list of LicenseRef tokens for things we approve for Fedora but that do not have an upstream SPDX token.
There were some license combinations (could be AND, OR, or WITH) that are on the "good" list but a different combination might need separate approval.
Off top of head, I think any L/GPL WITH [exception] would fall into the category of needing to be capture as the full license expression since the specific exception would need to be reviewed and approved and would be different text than another exception.
But for any combination of previously approved license for Fedora - e.g., "MIT OR GPL-2.0-only", "Apache-2.0 AND BSD-3-Clause" and so on - separate listings would not be necessary - agreed?
(and this concept needs to be documented... adding to the list of items to better document)
However, in many cases Fedora is ok with combining something with GPL-2.0-or-later with BSD-3-Clause using AND. The good list we've been working through has some of these expressions that are a license token and then a WITH qualifier. So this may be more about ensuring that a WITH clause isn't noted as approved without also requiring the main token.
See above. Also, as per SPDX License List expression syntax (found in an appendix to the SPDX spec), you have to have a valid license ID on the left side of the WITH operator and a valid exception ID on the right side (as one would expect)
IANAL, so take my comments with that in mind. And this is where I defer to Jilayne for the actual expertise here. :)