David> Determining what is allowed is a separate operation, greatly aided by having standard names for common cases

That's what I say. It would be great if the standard included a set of resolved cases. A list of "well-known later versions" would be a good starting point.

Vladimir> Hey, Vlad, it looks like you are using a GPL dependency in an MIT project, and that is not typically allowed
David> But that is false.

I'm ok if the machine produces false positives. The point is not to somehow make a bulletproof judgement. The point is to highlight the potential violations to humans, so they can decide what to do. Of course, GPL might be fine to use in MIT projects; however, a machine could be of great help by raising alarms.

Vladimir> How about Artistic-1.0 vs Artistic-1.0-cl8 vs Artistic-1.0-Perl vs Artistic-2.0?
David> Those are not SPDX license identifiers. If they were, then I would say the first set are not SPDX license identifiers

Here you go, sir: https://spdx.org/licenses/
I've quoted a subset of non-deprecated SPDX identifiers.

Vladimir> How about LPPL-1.0 vs LPPL-1.2 vs LPPL-1.3a vs LPPL-1.3c?
David> The second set is easily ordered by natural sort, and is ordered in exactly the order shown.

Are you sure LPPL-1.3c is "a later version of" LPPL-1.3a? In practice, it could easily turn out to be "LPPL-1.3 variation c" vs "LPPL-1.3 variation a", which share a common ancestor (LPPL-1.2), while it might be that neither of those is "a later version" of the other. It might be a lucky coincidence that "LPPL-1.3c is a later version of LPPL-1.3a"; however, I won't agree that the relation would always hold, given the variety of licenses we have. As I said, Artistic-1.0 vs Artistic-1.0-cl8 is not that obvious in terms of "natural order".

David> If it’s really bizarre, a special version or new name could be used.

Your move: what should be the "version" for Artistic-1.0, Artistic-1.0-cl8, Artistic-1.0-Perl, Artistic-2.0?

David> It’s more complex than that, because if some software is released with a rider that says “only this version may be used”

If they use "the canonical version of CC-BY-SA 2.0", then they do not override the text. If they somehow override the text to allow CC-BY-SA-2.0 **only** (I've no idea if that is possible, but let's pretend it is), then they can't really use the SPDX identifier CC-BY-SA-2.0 because they are effectively using a different license (which is more like "only CC-BY-SA-2.0"). So no harm is done. If the author declares that "the bundle license is SPDX CC-BY-SA-2.0", then it means it is equivalent to the canonical meaning of CC-BY-SA-2.0. Otherwise the author should express the intention somehow (e.g. by declaring NOASSERTION or NONE or "CC-BY-SA-2.0 WITH CustomException" or whatever else).

Vladimir

View/Reply Online (#3730): https://lists.spdx.org/g/Spdx-tech/message/3730
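The two mechanisms argued over in this message, natural sort of SPDX identifiers versus an explicit table of "well-known later versions", can be put side by side in a few lines. The script below is an added example written for this page, not code from the SPDX project or from either participant. It natural-sorts the identifiers from the thread, then answers "is X a later version of Y" only from a constructed table (so LPPL-1.3c is not treated as a later version of LPPL-1.3a until a human adds that row), and finally produces the kind of review worklist Vladimir describes: dependencies under a constructed set of licence families are flagged for a human to look at, false positives included. The `LATER_VERSIONS` table, the `REVIEW_FAMILIES` policy and the `DEPS` manifest are all constructed placeholders, not SPDX data or legal conclusions.

```python
"""Worklist of dependency licences for human review, using explicit rather
than inferred "later version" relations between SPDX identifiers."""
import re

# Constructed starting point for a "well-known later versions" table (assumption,
# not SPDX data).  Each key lists identifiers published as later versions of it.
# Natural sort is deliberately NOT consulted when answering version questions.
LATER_VERSIONS = {
    "GPL-2.0-only": ["GPL-3.0-only"],
    "LGPL-2.1-only": ["LGPL-3.0-only"],
    "Artistic-1.0": ["Artistic-2.0"],
}

# Constructed review policy (assumption): licence families a reviewer wants to
# see whenever they appear as dependencies.  This is a worklist, not a verdict.
REVIEW_FAMILIES = {"GPL", "LGPL", "AGPL"}

# Constructed dependency manifest for the demonstration.
DEPS = [
    ("libfoo", "MIT"),
    ("libbar", "GPL-2.0-or-later"),
    ("libbaz", "Artistic-1.0-cl8"),
]


def natural_key(ident):
    """Sort key that compares embedded numbers numerically ('1.2' < '1.10')."""
    parts = re.split(r"(\d+)", ident.lower())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def natural_sort(idents):
    """Order identifiers by natural sort; says nothing about licence lineage."""
    return sorted(idents, key=natural_key)


def is_later_version(candidate, base, table=LATER_VERSIONS):
    """True only if the table links base -> ... -> candidate (transitively)."""
    seen, stack = set(), [base]
    while stack:
        cur = stack.pop()
        for nxt in table.get(cur, []):
            if nxt == candidate:
                return True
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def expand_or_later(ident, table=LATER_VERSIONS):
    """Resolve 'X-or-later' to X-only plus every tabled later version of it.
    Assumes the '-only' / '-or-later' suffix convention of the GPL family."""
    if not ident.endswith("-or-later"):
        return [ident]
    base = ident[: -len("-or-later")] + "-only"
    result, stack = [base], [base]
    while stack:
        cur = stack.pop()
        for nxt in table.get(cur, []):
            if nxt not in result:
                result.append(nxt)
                stack.append(nxt)
    return result


def family(ident):
    """'GPL-2.0-only' -> 'GPL': the text before the first '-<digit>'."""
    return re.split(r"-(?=\d)", ident, maxsplit=1)[0]


def review_flags(project_license, deps):
    """Return (dependency, concrete licence, reason) triples for a human.
    False positives are acceptable; the point is to raise the alarm."""
    flags = []
    for dep, lic in deps:
        for concrete in expand_or_later(lic):
            fam = family(concrete)
            if fam in REVIEW_FAMILIES:
                reason = f"{fam} family dependency in a {project_license} project; confirm terms"
                flags.append((dep, concrete, reason))
                break
    return flags


if __name__ == "__main__":
    print(natural_sort(["LPPL-1.3c", "LPPL-1.0", "LPPL-1.3a", "LPPL-1.2"]))
    print(is_later_version("Artistic-2.0", "Artistic-1.0"),      # tabled
          is_later_version("Artistic-1.0-cl8", "Artistic-1.0"),  # not tabled
          is_later_version("LPPL-1.3c", "LPPL-1.3a"))            # not tabled
    for dep, lic, why in review_flags("MIT", DEPS):
        print(f"REVIEW {dep} ({lic}): {why}")
```

The split between `natural_sort` and `is_later_version` is the design point: sorting is a presentation convenience, while the "later version" answer comes only from rows a human has added, so the tool cannot manufacture a lineage for identifiers such as Artistic-1.0-cl8 whose relation to Artistic-1.0 the thread disputes.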
