Control: tag -1 + confirmed pending

Hi Nicholas and Soren,

Nicholas D Steeves wrote:
> Gpl-2+ (used in d/copyright) is equivalent to gpl-2.0+ used in
> appstream metadata, so this is a false positive.

Correct, as
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-short-name
(part of the Debian Policy) also states:

»For SPDX compatibility, versions with trailing dot-zeroes are
considered to be equivalent to versions without (e.g., “2.0.0” is
considered equal to “2.0” and “2”).«

> Were GNU to hypothetically release a GPL 2.1, and were upstream to
> switch to it, the onus would be on the Debian maintainer to update
> d/copyright.

Yes, but they'd need to update it in both cases as neither "GPL-2+"
nor "GPL-2.0+" imply "newest version of the GPL 2.x series". :-)

> It also seems wrong to emit this at the warning level for this
> specific case.

Unfortunately the level is hardcoded in the tag. We can't emit a tag
e.g. once at warning and once at pedantic level depending on the found
data. (It also IMHO makes not so much sense semantic-wise.)

> If lintian is encouraging maintainers to use the "gpl-2.0+" notation
> rather than gpl-2+ in d/copyright, then it should emit a different
> (lower severity than warning) tag for that case.

Well, as the Debian Copyright Format Specification 1.0 explicitly
allows both variants, this seems not necessary.

> It seems clear to me that (gpl-2.0+ = gpl-2+), so it looks like the
> correct approach is to use a table of equivalent license notations to
> prevent the false positive.

Yeah, as that list would potentially become rather huge and hard to
maintain, I'd rather use a regexp to filter out such things.

Soren Stoutner wrote:
> The same basic problem also occurs with MIT and Expat licenses.

Ack.

> The specification for the AppStream metadata file only has a few
> options, one of them being MIT and none of them being Expat.

Same for SPDX: Neither https://spdx.org/licenses/ nor
https://spdx.org/licenses/MIT.html mention Expat.

> Debian, of course, prefers the Expat name as it is more precise.

According to
https://wiki.debian.org/Proposals/CopyrightFormat#Differences_between_DEP5_and_SPDX
SPDX does not have the Expat license. They do have though the "MIT
License" (the one and only ;-), so that would imply that they're not
the same license.

And indeed, there are two differences between
https://spdx.org/licenses/MIT.html and
http://www.jclark.com/xml/copying.txt (the Expat license):

* The MIT License starts with a headline "MIT License" (which is
  probably less relevant).

* The MIT License contains the following part in its second paragraph
  which the Expat license doesn't have: "(including the next
  paragraph)". This might make a subtle difference, but IANAL.

> inconsistent-appstream-metadata-license debian/metainfo.xml (mit !=
> expat) [debian/copyright]

So that actually seems a true positive as the licenses differ. They
only differ a bit, but they differ.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
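
The comparison rule discussed in this message (trailing dot-zeroes in a version are insignificant, while differently named licenses such as MIT and Expat stay distinct), as an added Python example that is not part of the original mail and not lintian's code. The function names and the case-insensitive comparison are assumptions of this sketch:

```python
import re

# Trailing ".0" version components, e.g. "2.0.0" -> "2"
# (the equivalence rule quoted from copyright-format 1.0).
_TRAILING_ZEROES = re.compile(r"(?:\.0+)+$")
# <name>-<version><optional "+">, e.g. "gpl-2.0+" or "lgpl-2.1"
_SHORT_NAME = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)*)(?P<plus>\+?)$"
)


def normalize_short_name(short_name: str) -> str:
    """Return a canonical form of a license short name for comparison."""
    s = short_name.strip().lower()  # assumption: compare case-insensitively
    m = _SHORT_NAME.match(s)
    if not m:
        # Unversioned names ("mit", "expat") are never mapped onto each other.
        return s
    version = _TRAILING_ZEROES.sub("", m.group("version"))
    return f"{m.group('name')}-{version}{m.group('plus')}"


def licenses_consistent(copyright_name: str, metainfo_name: str) -> bool:
    """True if both short names denote the same license after normalization."""
    return normalize_short_name(copyright_name) == normalize_short_name(metainfo_name)


if __name__ == "__main__":
    # Constructed sample pairs: (d/copyright, AppStream metadata)
    samples = [
        ("GPL-2+", "gpl-2.0+"),    # equivalent: trailing dot-zero
        ("GPL-2+", "GPL-2.1+"),    # different versions
        ("GPL-2", "GPL-2+"),       # "or later" suffix is significant
        ("Expat", "MIT"),          # different names stay different
    ]
    for left, right in samples:
        verdict = "consistent" if licenses_consistent(left, right) else "differs"
        print(f"{left} vs {right}: {verdict}")
```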