-----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of
Richard Purdie
Sent: Thursday, March 18, 2021 4:12 AM
To: SPDX-legal <Spdx-legal@...>
Subject: Options for metadata license identifiers

...

My question is what to put in the recipe to identify the license?

We can easily put a "# SPDX-License-Identifier:" into the recipe but there is a
lot of concern about how people might interpret this. Our top level license
says unless otherwise stated, recipe metadata is MIT licensed so the license is
relatively clear. The worry is something like:

# SPDX-License-Identifier: MIT
LICENSE = "GPLv2 & bzip2-1.0.4"

makes for very confusing reading and can be badly interpreted.

I have some ideas about what we might have to do to make this really clear
but they have downsides. I wondered if there was any advice here on how
best to handle this? Once we know how to do it, marking up the recipes is
relatively straightforward, we just need to establish what makes sense.

Also, there is a secondary problem of which license any patches we have are
under and what license identifier (if any) we should put in those.
Those would likely need to match the upstream project source they're
patching I'd imagine but I don't know if we want to mark up all the patches or
not.

[G.O.] How about using the SPDX tag/value terms defined for SPDX documents?

You would use "PackageLicenseDeclared: " for the package itself (see https://spdx.github.io/spdx-spec/3-package-information/#315-declared-license).
There are a couple of advantages to this approach - there is a specific definition for the term and the consistency in syntax makes the tooling a bit easier.

As far as patches, if these are specific files and you have a way to associate the field with that specific file, you could use the term "LicenseInfoInFile: "
(see https://spdx.github.io/spdx-spec/4-file-information/#46-license-information-in-file).

Gary