[arch-dev-public] Using SPDX License list as identifiers
Hi

This just came up on IRC. Thoughts on using the SPDX license list as valid license identifiers for all packages? https://spdx.org/licenses/

Most of the identifiers would change but we would have a consistent and much larger, externally-maintained list to choose from. It would also be a little more accurate; e.g. the SPDX allows for distinctions such as "LGPL-3.0-or-later" vs. "LGPL-3.0-only".

We could retain the current identifiers as symlinks.

J. Leclanche
On 22/10/19 9:59 pm, Jerome Leclanche wrote:
> It would also be a little more accurate; e.g. the SPDX allows for distinctions such as "LGPL-3.0-or-later" vs. "LGPL-3.0-only".

I thought we already managed that, but it seems in rather limited use these days looking at our -Si output. e.g.

Licenses : LGPL-2.1
Licenses : LGPL-2.1+

A
On 2019-10-22 15:01, Allan McRae via arch-dev-public wrote:
>> It would also be a little more accurate; e.g. the SPDX allows for distinctions such as "LGPL-3.0-or-later" vs. "LGPL-3.0-only".
> I thought we already managed that, but it seems in rather limited use these days looking at our -Si output. e.g.
> Licenses : LGPL-2.1
> Licenses : LGPL-2.1+

Adding a plus doesn't appear to be standard practice, on the PKGBUILD ArchWiki page [1] the policy regarding GPL versions is described as

- (L)GPL — (L)GPLv2 or any later version
- (L)GPL2 — (L)GPL2 only
- (L)GPL3 — (L)GPL3 or any later version

which is not very clear for the uninitiated.

I think that using SPDX license identifiers is a good idea since they provide a unified way to unambiguously refer to commonly used licenses. They are used by many projects [2], most notably the Linux kernel.

Best,
Jonas

[1] https://wiki.archlinux.org/index.php/PKGBUILD#license
[2] https://spdx.org/ids-where
On 22 Oct 2019, at 1:59 pm +0200, Jerome Leclanche wrote:
> This just came up on IRC. Thoughts on using the SPDX license list as valid license identifiers for all packages? https://spdx.org/licenses/
> Most of the identifiers would change but we would have a consistent and much larger, externally-maintained list to choose from. It would also be a little more accurate; e.g. the SPDX allows for distinctions such as "LGPL-3.0-or-later" vs. "LGPL-3.0-only".
> We could retain the current identifiers as symlinks.

I think it would probably be useful in the long run, though of course would take work to implement. For one thing, it would put the onus of deciding what is and is not a common license on someone else, making that officially Not Our Problem.

Also, their system does allow some useful things that aren't really obvious how to do with Arch's current set-up. For example, some licenses have optional exception clauses developers can add which might not be reflected in a standard Arch font array, but which can be conveyed easily with their "license expressions" (e.g., "GPL3+ WITH Font-exception-2.0" for GPL'd font packages that don't cause PDFs with the font embedded to become GPL'd documents).

Cheers,
Ivy
On 22 Oct 2019, at 12:43 pm -0500, Ivy Foster wrote:
> [....] some licenses have optional exception clauses developers can add which might not be reflected in a standard Arch font array [....]
That's *license* array, not font array. Learn from my mistakes: proofread your emails!
On Tue, Oct 22, 2019 at 01:59:48PM +0200, Jerome Leclanche wrote:
> Hi
> This just came up on IRC. Thoughts on using the SPDX license list as valid license identifiers for all packages? https://spdx.org/licenses/

I like this idea.

I started looking into how this would be packaged. The main repository is simply just structured data SPDX, which are processed into different formats. One of them is just plain text files with the license text [1].

Dropping these files into `/usr/share/licenses/common` seems like the easiest solution. But our current structure is `/usr/share/licenses/$LicenseName/license.txt`, with a few exceptions such as CCPL. Is there any reason for this structure?

If we want the current structure, it feels like the easiest solution is to take the list and massage it into folders. This can probably be done with SPDX tooling, and I'll gladly take a look at how that can be done.

[1]: https://github.com/spdx/license-list-data/tree/master/text

--
Morten Linderud
PGP: 9C02FF419FECBE16
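The "massage it into folders" step from the message above, sketched as an added example that is not part of the original message and does not use SPDX tooling: plain POSIX shell that turns a flat directory of `<identifier>.txt` files into `<identifier>/license.txt`. The function name `spdx_to_dirs` and both path arguments are hypothetical; the `deprecated_` prefix is the one used in the PKGBUILD posted later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): restructure a flat SPDX text
# directory into the per-license layout $dest/<identifier>/license.txt.
# Usage: spdx_to_dirs SRC_DIR DEST_DIR   (hypothetical helper, caller supplies paths)
# Prints the number of licenses installed.
spdx_to_dirs() {
    src=$1
    dest=$2
    count=0
    for f in "$src"/*.txt; do
        [ -f "$f" ] || continue          # glob matched nothing: empty source dir
        id=$(basename "$f" .txt)         # file name minus .txt is the identifier
        case $id in
            deprecated_*) continue ;;    # skip identifiers marked deprecated
        esac
        # Directories need the execute bit to be traversable (755);
        # the license text itself is a plain read-only data file (644).
        install -d -m755 "$dest/$id"
        install -m644 "$f" "$dest/$id/license.txt"
        count=$((count + 1))
    done
    echo "$count"
}
```

Inside a `package()` function the second argument would be a path under `$pkgdir`.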
On Tue, Oct 22, 2019 at 09:15:17PM +0200, Morten Linderud via arch-dev-public wrote:
> Dropping these files into `/usr/share/licenses/common` seems like the easiest solution. But our current structure is `/usr/share/licenses/$LicenseName/license.txt`, with a few exceptions such as CCPL. Is there any reason for this structure?

I have added a suggested PKGBUILD for the SPDX license package with the assumption that we don't want the current structure. I'd really appreciate some input as to why we have the current structure.

    # Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
    # Maintainer: Dan McGee <dan@archlinux.org>
    # Contributor: Morten Linderud <foxboron@archlinux.org>

    pkgname=licenses
    pkgver=20191028
    _spdx_version=3.7
    pkgrel=1
    pkgdesc='Standard licenses distribution package, based on SPDX'
    arch=('any')
    license=('CC0-1.0')
    url='https://spdx.org/licenses/'
    source=("$pkgname-$pkgver.tar.gz::https://github.com/spdx/license-list-data/archive/v${_spdx_version}.tar.gz")
    sha256sums=('3f3a121ad331261d0997b3c6526d0db030d8b1468afce862921eaea22099f909')

    package() {
      cd "license-list-data-$_spdx_version/text"
      # Drop the license texts SPDX ships under the deprecated_ prefix
      rm deprecated_*
      # Directory mode needs the execute bit to be traversable (755, not 644)
      install -dm755 "$pkgdir/usr/share/licenses/common"
      mv * "$pkgdir/usr/share/licenses/common"
    }

--
Morten Linderud
PGP: 9C02FF419FECBE16
participants (5)
- Allan McRae
- Ivy Foster
- Jerome Leclanche
- Jonas Witschel
- Morten Linderud