specification icon indicating copy to clipboard operation
specification copied to clipboard
Published 1 month ago verified publisher icon CycloneDX

feat: licenses acknowledgement SHOULD be unique

Open jkowalleck opened this issue 9 months ago • 7 comments

as discussed in #619

  • license acknowledgement should be be unique
  • license acknowledgement should be be unset when used if evidences

this is considered a non-breaking change, as the introduction of the keyword "should" does not alter existing behavior, it just exp recces a preference, which may be ignored by users if they have a good reason to do so....

RFC notice sent 2025-08-14

This RFC will be open for 4 weeks. At the end of the RFC period, the CycloneDX community will vote, by lazy consensus, to accept or reject the proposal. RFC period end: 2025-09-11

  • fixes #619

jkowalleck avatar Apr 14 '25 20:04 jkowalleck

this is the designed solution for your request, @pombredanne

jkowalleck avatar Apr 14 '25 20:04 jkowalleck

will fix merge conflicts soon, then ask a smaller part of the community for their input, and then, this should be go into RFC phase very soon.

jkowalleck avatar Jul 24 '25 15:07 jkowalleck

will rebase this one ASAP, and then, the RFC phase will start.

jkowalleck avatar Aug 05 '25 14:08 jkowalleck

ready for review.

maybe ask @swinslow for his thoughts. maybe ask @nickvidal for his thoughts.

jkowalleck avatar Aug 08 '25 09:08 jkowalleck

@jkowalleck Since this is only advisory, I wonder if you could introduce some clarifications to support future enforcement of something stricter?

For instance rather than:

A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no more than one per license acknowledgement.

What about something more or less along these lines:

A list with a single SPDX License Expression (preferred). Alternatively, for legacy compatibility, a list of SPDX license identifiers, named licenses, or SPDX License Expressions. \nThere should be no more than one item in this list. If there are more than one item, then the conjunction of all the listed licenses applies.

pombredanne avatar Aug 15 '25 08:08 pombredanne

Since this is only advisory, I wonder if you could introduce some clarifications to support future enforcement of something stricter

Plan was to keep https://github.com/CycloneDX/specification/issues/619 open for 2.0 - then we can introduce breaking changes safely, and we would change the "should" to a "must" and would be good, right?

jkowalleck avatar Aug 15 '25 10:08 jkowalleck

Safety aside, clear definition "Should" "Must" "Shall" shouldn't hurt too much

Regul-000 avatar Sep 10 '25 23:09 Regul-000