spdx-spec icon indicating copy to clipboard operation
spdx-spec copied to clipboard

Published 20 hours ago verified publisher icon spdx

make it explicit that a license exception, alone, cannot be a valid license expression

Open alpianon opened this issue 1 year ago • 5 comments

see https://github.com/fsfe/reuse-tool/issues/890 and and https://github.com/spdx/Spdx-Java-Library/issues/227

TL;DR: Qt-GPL-exception-1.0 (or any other "standalone" license exception) is not a valid license expression that can be put in LicenseInfoInFile.

That is implied by what is written in Annex D.1, but it would be better to make it more explicit, to avoid issues like the ones mentioned above

alpianon avatar Jan 09 '24 20:01 alpianon

The ABNF grammar in Annex D.1 makes this explicit, and I've always understood the sentence "The exact syntax of license expressions is described below in ABNF." to mean that that grammar is normative.

pmonks avatar Jan 12 '24 05:01 pmonks

The ABNF grammar in Annex D.1 makes this explicit, and I've always understood the sentence "The exact syntax of license expressions is described below in ABNF." to mean that that grammar is normative.

What about adding something like "For the sake of clarity, a license exception in isolation is not a valid license expression"?

I'm pretty sure there are other tools out there (eg. Fossology) that incur in the same mistake, so make it clearer would do no harm and may help avoiding such mistake

alpianon avatar Jan 12 '24 08:01 alpianon

It seems to me that the logical conclusion of that argument would be that the entire ABNF grammar needs to be duplicated and translated to plain English, which I'd argue is inappropriate in a technical specification like the SPDX spec. ABNF is a good choice for describing this kind of thing precisely and succinctly.

pmonks avatar Jan 12 '24 22:01 pmonks

Agree with @pmonks - ABNF should be the "source of truth" for the license expression.

@kestewart - thoughts?

goneall avatar Apr 04 '24 22:04 goneall

I tend to agree with @pmonks here. I think that between the ABNF, the rest of the annex, and the definitions in the model, it's pretty clear for purposes of the spec that a license exception cannot by itself be a license expression.

For what's currently in the spec, there's at least the following (emphasis added):

  • the formal definition in the ABNF grammar
  • In the License Expression Syntax annex: "A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-[idString]; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +)."
  • In the class definition for LicenseAddition: "A LicenseAddition represents text which is intended to be added to a License as additional text, but which is not itself intended to be a standalone License."

All that said: We've been discussing that there should likely be other documentation, not part of the spec itself but published elsewhere by SPDX, to assist users to better understand the spec. I could see something like this being worth raising in e.g. an FAQ.

swinslow avatar Jun 06 '24 20:06 swinslow

Based on the above comments, I'm closing this as resolved. If you disagree, please open a new issue with the reasoning and reference this issue.

goneall avatar Aug 11 '24 22:08 goneall