Hi Anthony,

Well… yes, they are deprecated and show up on the deprecated part of the SPDX License List. But I think they are still valid in the context of SPDX tooling for the reason stated below. Kate - do I have that correctly stated?

I guess this does make for a bit of an odd appearance. But it seemed the best approach given the reality of use of the old ids and it being a big change.

Thanks,
Jilayne

> On Apr 12, 2023, at 12:27 PM, Anthony Harrison <[email protected]> wrote:
>
> Hi Jilayne
>
> Thank you for the explanation.
>
> However I note that the 'older' GPL license ids e.g. LGPL-2.0+ are now marked as deprecated as of version 3.0 of the SPDX license list (see https://spdx.org/licenses/). Therefore if the SBOM refers to a version of the SPDX license list which is V3.x, then I assume that the deprecated license ids are no longer valid and should not be used when reporting a license within an SBOM. Is this a correct interpretation?
>
> Anthony
>
> On Wed, 12 Apr 2023 at 00:26, J Lovejoy <[email protected]> wrote:
> Hi Anthony,
>
> This is not an error at all but reflects the changing of the ids for the GPL family of licenses at the behest of the FSF in 2017, while trying to not break things for those people who had already been using the previous ids for years prior. You can read more about it here: https://spdx.dev/license-list-3-0-released/
>
> Thanks,
> Jilayne
> SPDX-legal co-lead
>
> ----
>
> Hello
>
> Looking at the latest version of the SPDX License List (3.20) I have noticed that some licenses have multiple identities e.g.
>
> --
> "name": "GNU General Public License v2.0 only",
> "licenseId": "GPL-2.0-only",
> "licenseId": "GPL-2.0",
> --
> "name": "GNU Library General Public License v2 only",
> "licenseId": "LGPL-2.0-only",
> "licenseId": "LGPL-2.0",
> --
> "name": "GNU Library General Public License v2 or later",
> "licenseId": "LGPL-2.0-or-later",
> "licenseId": "LGPL-2.0+",
> --
> "name": "GNU General Public License v2.0 or later",
> "licenseId": "GPL-2.0-or-later",
> "licenseId": "GPL-2.0+",
> --
> "name": "GNU Lesser General Public License v2.1 only",
> "licenseId": "LGPL-2.1-only",
> "licenseId": "LGPL-2.1",
> -
> "name": "GNU Lesser General Public License v2.1 or later",
> "licenseId": "LGPL-2.1-or-later",
> "licenseId": "LGPL-2.1+",
> --
> "name": "GNU Lesser General Public License v3.0 only",
> "licenseId": "LGPL-3.0-only",
> "licenseId": "LGPL-3.0",
> --
> "name": "GNU Lesser General Public License v3.0 or later",
> "licenseId": "LGPL-3.0-or-later",
> "licenseId": "LGPL-3.0+",
>
> According to https://spdx.org/licenses/, there is only one identity e.g. LGPL-2.0-only specified for each license name.
>
> When validating a license identity (e.g. within an SBOM) are both identifiers valid or is this an error in the license data and I should only be using the license identifier as shown on https://spdx.org/licenses/?
>
> Regards
>
> Anthony
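
The distinction discussed in this thread (an id that is listed but deprecated versus one that is not on the list at all), as an added Python example that is not part of the original messages or of any SPDX tool. The `LICENSES_JSON` excerpt is constructed in the shape of the license list's JSON using names and ids quoted above; `check_license_id` and its `allow_deprecated` switch are hypothetical names, and pairing a deprecated id with the current id of the same name is an assumption based on that excerpt.

```python
import json

# Constructed excerpt in the shape of the SPDX licenses.json file. Names and ids
# are the ones quoted in the thread; isDeprecatedLicenseId is the list's own flag.
LICENSES_JSON = """
{"licenseListVersion": "3.20", "licenses": [
 {"name": "GNU General Public License v2.0 only", "licenseId": "GPL-2.0-only", "isDeprecatedLicenseId": false},
 {"name": "GNU General Public License v2.0 only", "licenseId": "GPL-2.0", "isDeprecatedLicenseId": true},
 {"name": "GNU Library General Public License v2 or later", "licenseId": "LGPL-2.0-or-later", "isDeprecatedLicenseId": false},
 {"name": "GNU Library General Public License v2 or later", "licenseId": "LGPL-2.0+", "isDeprecatedLicenseId": true}
]}
"""

def build_index(doc):
    """Return (by_id, current_by_name) lookup tables for a parsed license list."""
    by_id, current_by_name = {}, {}
    for entry in doc["licenses"]:
        by_id[entry["licenseId"]] = entry
        if not entry.get("isDeprecatedLicenseId", False):
            current_by_name[entry["name"]] = entry["licenseId"]
    return by_id, current_by_name

def check_license_id(license_id, doc, allow_deprecated=True):
    """Classify one id as 'current', 'deprecated' or 'unknown'.

    Returns (accepted, status, replacement). A deprecated id is accepted only
    when allow_deprecated is true (hypothetical policy switch); replacement is
    the current id sharing the deprecated entry's name, or None if there is none.
    """
    by_id, current_by_name = build_index(doc)
    entry = by_id.get(license_id)
    if entry is None:
        return (False, "unknown", None)
    if not entry.get("isDeprecatedLicenseId", False):
        return (True, "current", None)
    return (allow_deprecated, "deprecated", current_by_name.get(entry["name"]))

if __name__ == "__main__":
    doc = json.loads(LICENSES_JSON)
    for lid in ("GPL-2.0-only", "LGPL-2.0+", "GPL-2.0", "GPL-2"):
        print(lid, check_license_id(lid, doc))
```

With `allow_deprecated=True` the check follows the reading given in the reply (deprecated ids remain accepted and are reported with their replacement); setting it to `False` gives the stricter reading raised in the question.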
