Hi Jilayne,

Thank you for the explanation.

However I note that the 'older' GPL license ids e.g. LGPL-2.0+ are now marked as deprecated as of version 3.0 of the SPDX license list (see https://spdx.org/licenses/). Therefore if the SBOM refers to a version of the SPDX license list which is V3.x, then I assume that the deprecated license ids are no longer valid and should not be used when reporting a license within an SBOM.

Is this a correct interpretation?

Anthony

On Wed, 12 Apr 2023 at 00:26, J Lovejoy <[email protected]> wrote:

> Hi Anthony,
>
> This is not an error at all but reflects the changing of the ids for the
> GPL family of licenses at the behest of the FSF in 2017, while trying to
> not break things for those people who had already been using the previous
> ids for years prior. You can read more about it here:
> https://spdx.dev/license-list-3-0-released/
>
> Thanks,
> Jilayne
> SPDX-legal co-lead
>
> ----
>
> Hello
>
> Looking at the latest version of the SPDX License List (3.20) I have
> noticed that some licenses have multiple identities e.g.
>
> --
> "name": "GNU General Public License v2.0 only",
> "licenseId": "GPL-2.0-only",
> "licenseId": "GPL-2.0",
> --
> "name": "GNU Library General Public License v2 only",
> "licenseId": "LGPL-2.0-only",
> "licenseId": "LGPL-2.0",
> --
> "name": "GNU Library General Public License v2 or later",
> "licenseId": "LGPL-2.0-or-later",
> "licenseId": "LGPL-2.0+",
> --
> "name": "GNU General Public License v2.0 or later",
> "licenseId": "GPL-2.0-or-later",
> "licenseId": "GPL-2.0+",
> --
> "name": "GNU Lesser General Public License v2.1 only",
> "licenseId": "LGPL-2.1-only",
> "licenseId": "LGPL-2.1",
> -
> "name": "GNU Lesser General Public License v2.1 or later",
> "licenseId": "LGPL-2.1-or-later",
> "licenseId": "LGPL-2.1+",
> --
> "name": "GNU Lesser General Public License v3.0 only",
> "licenseId": "LGPL-3.0-only",
> "licenseId": "LGPL-3.0",
> --
> "name": "GNU Lesser General Public License v3.0 or later",
> "licenseId": "LGPL-3.0-or-later",
> "licenseId": "LGPL-3.0+",
>
> According to https://spdx.org/licenses/, there is only one identity e.g.
> LGPL-2.0-only specified for each license name.
>
> When validating a license identity (e.g. within an SBOM) are
> both identifiers valid or is this an error in the license data and I
> should only be using the license identifier as shown on
> https://spdx.org/licenses/?
>
> Regards
>
> Anthony
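An added example, not part of the thread and not SPDX project code: an SBOM check can report three states for a license id (current, deprecated, unknown) instead of a plain valid/invalid, and leave the policy decision to the consumer. It assumes the `isDeprecatedLicenseId` and `licenseListVersion` fields of the SPDX `licenses.json` file; the JSON excerpt, the SBOM ids and the same-name successor lookup are constructed for illustration.

```python
import json

# Constructed excerpt in the shape of SPDX licenses.json. Names and ids are the
# ones quoted in the thread, plus MIT; the deprecation flags are an assumption
# based on the isDeprecatedLicenseId field of that file.
LICENSES_JSON = """
{"licenseListVersion": "3.20", "licenses": [
 {"name": "GNU General Public License v2.0 only",
  "licenseId": "GPL-2.0-only", "isDeprecatedLicenseId": false},
 {"name": "GNU General Public License v2.0 only",
  "licenseId": "GPL-2.0", "isDeprecatedLicenseId": true},
 {"name": "GNU Library General Public License v2 or later",
  "licenseId": "LGPL-2.0-or-later", "isDeprecatedLicenseId": false},
 {"name": "GNU Library General Public License v2 or later",
  "licenseId": "LGPL-2.0+", "isDeprecatedLicenseId": true},
 {"name": "MIT License", "licenseId": "MIT", "isDeprecatedLicenseId": false}
]}
"""

def build_index(raw):
    """Return (list version, {licenseId: (deprecated?, successor or None)})."""
    data = json.loads(raw)
    # Heuristic (assumption): a deprecated id's successor is the current id
    # that carries the same license name, as in the pairs shown in the thread.
    current_by_name = {lic["name"]: lic["licenseId"] for lic in data["licenses"]
                       if not lic["isDeprecatedLicenseId"]}
    index = {}
    for lic in data["licenses"]:
        deprecated = lic["isDeprecatedLicenseId"]
        successor = current_by_name.get(lic["name"]) if deprecated else None
        index[lic["licenseId"]] = (deprecated, successor)
    return data["licenseListVersion"], index

def classify(license_id, index):
    """Classify one id as 'current', 'deprecated' or 'unknown'."""
    if license_id not in index:
        return {"id": license_id, "status": "unknown", "successor": None}
    deprecated, successor = index[license_id]
    status = "deprecated" if deprecated else "current"
    return {"id": license_id, "status": status, "successor": successor}

VERSION, INDEX = build_index(LICENSES_JSON)

if __name__ == "__main__":
    # Constructed SBOM license ids; the last one is deliberately not on the list.
    for lid in ["GPL-2.0", "LGPL-2.0+", "MIT", "GPL-2.0-or-newer"]:
        r = classify(lid, INDEX)
        hint = f" -> use {r['successor']}" if r["successor"] else ""
        print(f"[list {VERSION}] {r['id']}: {r['status']}{hint}")
```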
