appstream-glib icon indicating copy to clipboard operation
appstream-glib copied to clipboard

Published 20 hours ago verified publisher icon hughsie

Validation should not accept multiple project_license elements

Open oturpe opened this issue 3 years ago • 2 comments

During Fedora review of an application called qvge, a metainfo file that contains the following was created in attempt to describe the fact that qvge's binary contains parts for each of the listed licenses:

<project_license>MIT</project_license>
<project_license>BSD</project_license>
<project_license>LGPL-3.0</project_license>

My reading of the AppStream spec would be that there can be 0 or 1 of project_license elements, and an application that needs to respect all these licenses should be encoded as MIT and BSD and LGPL-3.0. But, Fedora's mandatory call to appstream-util validate-relax let the metainfo file in question pass. validate-strict does not complain about multiples either.

I think the validation should fail when there are multiple project_license elements. At least the reference implementation simply ignores all but one, so having more is certainly an error.

This is the full file that should fail validation, but does not:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2016-2020 Ars L. Masiuk <[email protected]> -->
<component type="desktop">
  <id>qvge.desktop</id>
  <metadata_license>MIT</metadata_license>
  <project_license>MIT</project_license>
  <project_license>BSD</project_license>
  <project_license>LGPL-3.0</project_license>
  <name>Qt visual graph editor</name>
  <summary>View and manipulate small till middle-sized graphs.</summary>
  <description>
    <p>
      Application for viewing and manipulating small till middle-sized graphs. It supports several formats (GraphML, GEXF, GML, GraphViz/Dot).
    </p>
  </description>
  <url type="homepage">https://github.com/ArsMasiuk/qvge</url>
  <url type="donation">https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&amp;hosted_button_id=Z35EHHJ3729GG&amp;source=url</url>
  <screenshots>
    <screenshot type="default">
      <image>https://user-images.githubusercontent.com/19762856/85934275-2a985480-b8e1-11ea-81a9-a5b81f3365e2.PNG</image>
      <caption>Screenshot of the main window</caption>
    </screenshot>
  </screenshots>
  <updatecontact>https://github.com/ArsMasiuk/qvge/issues</updatecontact>
  <translation type="qt">qvge</translation>
</component>

oturpe avatar May 11 '21 19:05 oturpe

Agree. Could you do a simple PR to add this to the app validator please?

hughsie avatar May 11 '21 19:05 hughsie

I think I can do that. There are also other fields that behave the same, I will check their situation as well.

oturpe avatar May 11 '21 19:05 oturpe