Re: update on only/or later etc.

Home Messages Hashtags Subgroups

David A. Wheeler #2061 Brad Edmondson [mailto:brad.edmondson@...] I think your points are good ones, but it seems to me they go to the separate issues of "file:detected license" and "package:concluded license." The clarity of the spec argument is aimed at making the "file:detected license" case more explicit, and if it leaves tools with NOASSERTION for "package:concluded license," then I think that's OK, no? No, it fails to work for multiple reasons: 1. "NOASSERTION" is basically useless, because it provides no information. In many cases, all I need to know is "there's a version of the GPL here", and I can make a decision. Being able to provide some information is often all that's needed , while providing no information creates a lot of unnecessary work for tool users. 2. Tools, lacking sentience, often cannot determine whether or not "or later versions" applies. So they're unable to be "more explicit" in package:concluded. The current structure requires that conclude either "only 2.0" or "2.0 or later"... even though tools typically CANNOT make that determination. SPDX should make it possible report the information actually available. 3. The majority of SPDX users do not use SPDX files. Instead, they only use SPDX license expressions (as available in package managers, file content declarations, etc.). So there's no "file:detected" vs. "package:concluded" entries to compare anyway. --- David A. Wheeler
More All Messages By This Member

Join Spdx-legal@lists.spdx.org to automatically receive all group messages.