Re: Is "+" a valid character of a LicenseRef idstring?

David A. Wheeler

Philippe Ombredanne:
I am not confusing these at all. The gist of what I am saying is that the plus is a legacy that should not be there. It does not make sense to add to the large majority of GPL in the wild a + just to deal with a few exceptions that do not allow other versions. Exceptions should be dealt with by an exception, not with an extra + in an expression. What you are saying in substance is that every time I want to state that code is licensed under the GPL 2.0 or any other version (which is the default), you want me to craft a special license expression with a plus. And if I do not craft that expression, then the SPDX meaning is that only the current version applies and not any later version.
I am saying this instead: Since the default for the GPL is to allow later versions, we should by default state the opposite: The few times that "only the current version" should be used, state this explicitly with an exception.
You say:
GPL-2.0 ==> implies GPL 2.0 only
GPL-2.0+ ==> implies GPL 2.0 or later
That's not just what I say. That's what the spec says, and has clearly stated since circa 2010.

I say:
GPL-2.0 ==> implies GPL 2.0 with its defaults (including later versions)
GPL-2.0 with no-other-version ==> implies GPL 2.0 and no other version
Explicit is better than implicit.
My rationale:
Practically the use of a GPL version "only" is much less frequent than the default "or later" and therefore forcing me to add a plus is a source of confusion.
The most common use case should be the default and should not require a special addition of a character in an expression.
"only" should be an exception and not the default, because it is not the default, nor the prevalent usage of the GPL: it is exceptional.
The fact that the + convention has been used by Linux distros package maintainers and neither always strictly nor consistently does not make this right and something that should be endorsed blindly.
I am arguing about the essence of the meaning of the plain GPL-2.0 license key in a simple expression.
The mere use of a GPL-2.0 identifier should convey that the license is GPL-2.0 or any other version.
We should have an exception to convey the rarer cases when only the stated version applies.
This would have been a useful argument to raise in 2010 (when SPDX was drafted). But this group doesn't exist to create a new spec where none has existed. For more than 5 years SPDX has consistently stated that "GPL-2.0" means ONLY GPL-2.0 and nothing else. This builds on previous history of Fedora and Debian, who also use "+" this way, e.g., see: . While I know you're focusing on the GPL, there are many other licenses, and most licenses do NOT have a "this or later version" clause; having the default be what's common in MOST licenses is actually sensible.

Changing the meaning of "GPL-2.0" now, 5 years after the original version was released in beta, would be a terrible idea. This would be a broadly backwards-incompatible change. Even worse, it's a backwards-incompatible change that cannot be easily detected by tools. The result would be that no one would know what "GPL-2.0" actually meant - does it mean "2.0 or later" or "exactly 2.0"? Many existing SPDX license expressions could be subtly wrong. That is *NOT* a good direction.

The benefits are:
1. no ambiguity about the meaning of widely used licenses such as the GPL.
2. simpler spec
3. simpler expressions in most cases, more verbose and more explicit expressions when needed in some rarer cases.
I disagree, in fact, it would create widespread ambiguity. People already use SPDX, with the terms as stated; there are many tools that build on it. It *might* have been better to have defined it some other way many years ago, but that ship has sailed.

Standards have to pick some common agreement that most people can live with. Adding a "+" suffix to a particular license name does not seem like a serious burden.

--- David A. Wheeler
