Multiple Licenses in a single LicenseRef?
Rose Judge
Hi there,
This is a question regarding LicenseRefs, specifically for the PackageLicenseDeclared field.
Tern is a tool that can generate SPDX documents for containers. When we are collecting license information for Debian packages inside a container, we must scan the copyright files to gather any type of license information for that package. We do this with the Debian-inspector library; other package managers like apk or rpm can provide a direct license for a package with a straightforward command. This means that licenses associated with a Debian package typically look something like this after scanning the copyright text: GPL-2, GPL-2+, GPL-3+, LGPL, LGPL-3+, MIT, public-domain
Is it possible to create a LicenseRef of the entire string of multiple licenses? I.e.:
PackageLicenseDeclared: LicenseRef-123456
. .
LicenseID: LicenseRef-123456
ExtractedText: <text>Original license: GPL-2, GPL-2+, GPL-3+, LGPL, LGPL-3+, MIT, public-domain</text>
Or, does the spec require that we separate each license into a separate LicenseRef? The issue with the latter option is I’m not sure choosing AND or OR to join the various license refs is something Tern should be doing as each infers a different compliance obligation.
Thanks in advance for any thoughts on the matter. -Rose
Gary O'Neall
Responses inline below… Gary
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge via lists.spdx.org
Sent: Friday, December 2, 2022 1:56 PM
To: Spdx-tech@...; spdx-implementers@...
Subject: [spdx-implementers] Multiple Licenses in a single LicenseRef?
Hi there,
This is a question regarding LicenseRefs, specifically for the PackageLicenseDeclared field.
Tern is a tool that can generate SPDX documents for containers. When we are collecting license information for Debian packages inside a container, we must scan the copyright files to gather any type of license information for that package. We do this with the Debian-inspector library; other package managers like apk or rpm can provide a direct license for a package with a straightforward command. This means that licenses associated with a Debian package typically look something like this after scanning the copyright text: GPL-2, GPL-2+, GPL-3+, LGPL, LGPL-3+, MIT, public-domain
Is it possible to create a LicenseRef of the entire string of multiple licenses? I.e.:
PackageLicenseDeclared: LicenseRef-123456
. .
LicenseID: LicenseRef-123456
ExtractedText: <text>Original license: GPL-2, GPL-2+, GPL-3+, LGPL, LGPL-3+, MIT, public-domain</text>
[G.O.] I believe the spec does allow for a single LicenseRef with text referencing multiple licenses. This is how I handle it when I do audits. This allows the consumer of the SPDX document to see the declared license information close to what the package manager provides without me (or tools) providing any interpretation on some potentially ambiguous text. For the concluded license, I will translate the list into a conjunctive and/or disjunctive license and explain my logic in the comments.
Or, does the spec require that we separate each license into a separate LicenseRef? The issue with the latter option is I’m not sure choosing AND or OR to join the various license refs is something Tern should be doing as each infers a different compliance obligation.
Thanks in advance for any thoughts on the matter. -Rose
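As an added example (not Tern's code and not from either message above), here is a Python sketch of the approach Gary describes: the scanned Debian license list goes verbatim into one LicenseRef's ExtractedText, PackageLicenseDeclared points at that ref, and PackageLicenseConcluded stays NOASSERTION so the scanner never infers an AND/OR relationship. The "LicenseRef-debian-<hash>" naming scheme and the sample license string are assumptions; the second function is a consumer-side check that every LicenseRef used in a license field is actually defined in the document.

```python
import hashlib
import re

# Constructed sample: the kind of list a Debian copyright-file scan returns.
DEBIAN_LICENSES = "GPL-2, GPL-2+, GPL-3+, LGPL, LGPL-3+, MIT, public-domain"


def license_ref_id(original_text: str) -> str:
    """Derive a stable LicenseRef idstring from the scanned text.

    A LicenseRef must be unique within the SPDX document, and hashing the
    text means identical Debian license lists share one extracted-text entry.
    (Hypothetical naming scheme, not an SPDX convention.)
    """
    digest = hashlib.sha256(original_text.encode("utf-8")).hexdigest()[:12]
    return f"LicenseRef-debian-{digest}"


def declared_license_block(package_name: str, original_text: str) -> str:
    """Emit tag-value lines for one package.

    Declared license -> a single LicenseRef whose ExtractedText keeps the
    unmodified Debian list. Concluded license -> NOASSERTION, because
    joining the list with AND/OR is a reviewer's interpretation step.
    """
    ref = license_ref_id(original_text)
    lines = [
        f"PackageName: {package_name}",
        f"PackageLicenseDeclared: {ref}",
        "PackageLicenseConcluded: NOASSERTION",
        "PackageLicenseComments: <text>Declared license copied verbatim from "
        "debian/copyright; no AND/OR relationship was inferred.</text>",
        "",
        f"LicenseID: {ref}",
        f"ExtractedText: <text>Original license: {original_text}</text>",
    ]
    return "\n".join(lines)


def undefined_license_refs(tag_value_doc: str) -> set:
    """Consumer-side check: every LicenseRef used in a license field must
    have a matching LicenseID entry, otherwise it cannot be resolved."""
    used, defined = set(), set()
    for line in tag_value_doc.splitlines():
        tag, _, value = line.partition(":")
        value = value.strip()
        if tag in ("PackageLicenseDeclared", "PackageLicenseConcluded"):
            # License expressions may contain parentheses and operators.
            used.update(t for t in re.split(r"[\s()]+", value) if t.startswith("LicenseRef-"))
        elif tag == "LicenseID" and value.startswith("LicenseRef-"):
            defined.add(value)
    return used - defined
```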