Deprecated license IDs do not validate with the latest SPDX tooling. You will
see an error like the following:
    This SPDX Document is not valid due to:
    Package at line 34690 invalid: LGPL-2.1 is deprecated. in libseccomp2
    Package at line 8056 invalid: LGPL-2.1 is deprecated. in gcc-9-base
This has been an issue for Tern as libraries we depend on still refer to
deprecated SPDX license IDs.
From: [email protected] <[email protected]> on behalf of J Lovejoy via lists.spdx.org <[email protected]>
Date: Thursday, April 13, 2023 at 8:23 PM
To: Anthony Harrison <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [spdx-tech] License with duplicated SPDX license ids
Hi Anthony,
Well… yes, they are deprecated and show up on the deprecated part of the SPDX
License List. But I think they are still valid in the context of SPDX tooling
for the reason stated below.
Kate - do I have that correctly stated?
I guess this does make for a bit of an odd appearance. But it seemed the best
approach given the reality of use of the old ids and it being a big change.
Thanks,
Jilayne
On Apr 12, 2023, at 12:27 PM, Anthony Harrison <[email protected]> wrote:
Hi Jilayne
Thank you for the explanation.
However I note that the 'older' GPL license ids e.g. LGPL-2.0+ are now marked
as deprecated as of version 3.0 of the SPDX license list (see
https://spdx.org/licenses/). Therefore if the SBOM refers to a version of the
SPDX license list which is V3.x, then I assume that the deprecated license ids
are no longer valid and should not be used when reporting a license within an
SBOM. Is this a correct interpretation?
Anthony
On Wed, 12 Apr 2023 at 00:26, J Lovejoy <[email protected]> wrote:
Hi Anthony,
This is not an error at all but reflects the changing of the ids for the GPL
family of licenses at the behest of the FSF in 2017, while trying to not break
things for those people who had already been using the previous ids for years
prior. You can read more about it here:
https://spdx.dev/license-list-3-0-released/
Thanks,
Jilayne
SPDX-legal co-lead
----
Hello
Looking at the latest version of the SPDX License List (3.20) I have noticed
that some licenses have multiple identities, e.g.
--
"name": "GNU General Public License v2.0 only",
"licenseId": "GPL-2.0-only",
"licenseId": "GPL-2.0",
--
"name": "GNU Library General Public License v2 only",
"licenseId": "LGPL-2.0-only",
"licenseId": "LGPL-2.0",
--
"name": "GNU Library General Public License v2 or later",
"licenseId": "LGPL-2.0-or-later",
"licenseId": "LGPL-2.0+",
--
"name": "GNU General Public License v2.0 or later",
"licenseId": "GPL-2.0-or-later",
"licenseId": "GPL-2.0+",
--
"name": "GNU Lesser General Public License v2.1 only",
"licenseId": "LGPL-2.1-only",
"licenseId": "LGPL-2.1",
--
"name": "GNU Lesser General Public License v2.1 or later",
"licenseId": "LGPL-2.1-or-later",
"licenseId": "LGPL-2.1+",
--
"name": "GNU Lesser General Public License v3.0 only",
"licenseId": "LGPL-3.0-only",
"licenseId": "LGPL-3.0",
--
"name": "GNU Lesser General Public License v3.0 or later",
"licenseId": "LGPL-3.0-or-later",
"licenseId": "LGPL-3.0+",
According to https://spdx.org/licenses/, there is only one identity e.g.
LGPL-2.0-only specified for each license name.
When validating a license identity (e.g. within an SBOM) are both identifiers
valid or is this an error in the license data and I should only be using the
license identifier as shown on https://spdx.org/licenses/?
Regards
Anthony
View/Reply Online (#5079): https://lists.spdx.org/g/Spdx-tech/message/5079
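The thread above boils down to a practical question for anyone producing or consuming SBOMs: the pre-3.0 GPL-family ids (LGPL-2.1, GPL-2.0+, ...) are still present in licenses.json, but flagged as deprecated, and strict tooling rejects them. The script below is an added example (not Tern's code and not the SPDX project's tooling) that audits the license expressions in an SBOM against the license list and proposes the current id for each deprecated one. The replacement is derived from the data itself, using the same observation Anthony made: a deprecated id and its current id share the same "name" entry. LICENSE_LIST_JSON is a constructed subset of the published licenses.json (it uses the real field names licenseId, name and isDeprecatedLicenseId, but only a handful of entries), and SBOM_PACKAGES is constructed sample data that mirrors the two packages named in the validation error.

```python
"""Audit SPDX license ids in an SBOM against the SPDX License List.

Added example, not Tern's or the SPDX project's code. LICENSE_LIST_JSON is a
constructed subset of licenses.json (real field names, far fewer entries);
SBOM_PACKAGES is constructed sample data.
"""
import json
import re

# Constructed subset of https://spdx.org/licenses/licenses.json (version 3.20 layout).
LICENSE_LIST_JSON = """
{
  "licenseListVersion": "3.20",
  "licenses": [
    {"licenseId": "GPL-2.0-only", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": false},
    {"licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": true},
    {"licenseId": "LGPL-2.1-only", "name": "GNU Lesser General Public License v2.1 only", "isDeprecatedLicenseId": false},
    {"licenseId": "LGPL-2.1", "name": "GNU Lesser General Public License v2.1 only", "isDeprecatedLicenseId": true},
    {"licenseId": "LGPL-2.0-or-later", "name": "GNU Library General Public License v2 or later", "isDeprecatedLicenseId": false},
    {"licenseId": "LGPL-2.0+", "name": "GNU Library General Public License v2 or later", "isDeprecatedLicenseId": true},
    {"licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": false}
  ]
}
"""

# Constructed SBOM excerpt: (package name, declared SPDX license expression).
SBOM_PACKAGES = [
    ("libseccomp2", "LGPL-2.1"),
    ("gcc-9-base", "LGPL-2.1"),
    ("example-lib", "MIT OR LGPL-2.0+"),
    ("example-jar", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("vendor-blob", "LicenseRef-vendor-eula"),
]

# One token of a license expression: ids, operators and the legacy "+" suffix.
TOKEN_RE = re.compile(r"[A-Za-z0-9.+-]+")
OPERATORS = {"AND", "OR", "WITH"}


def load_license_list(text):
    """Return (current_ids, deprecated_ids, replacement) from licenses.json text.

    replacement maps a deprecated id to the non-deprecated id that carries the
    same "name"; that pairing is exactly what the duplicated entries show.
    """
    data = json.loads(text)
    current, deprecated, by_name = {}, {}, {}
    for lic in data["licenses"]:
        lid, name = lic["licenseId"], lic["name"]
        if lic.get("isDeprecatedLicenseId"):
            deprecated[lid] = name
        else:
            current[lid] = name
            by_name.setdefault(name, lid)  # first current id for a name wins
    replacement = {lid: by_name[name] for lid, name in deprecated.items() if name in by_name}
    return current, deprecated, replacement


def check_expression(expr, current, deprecated, replacement):
    """Classify each id in an SPDX license expression.

    Returns a list of (id, status, suggestion) with status "ok", "deprecated"
    or "unknown". Exception ids (the token after WITH) live in exceptions.json,
    which this example does not load, so they are skipped; LicenseRef-/
    DocumentRef- ids are defined by the SBOM itself and are skipped too.
    """
    findings, skip_next = [], False
    for tok in TOKEN_RE.findall(expr):
        if skip_next:
            skip_next = False
            continue
        if tok.upper() in OPERATORS:
            skip_next = tok.upper() == "WITH"
            continue
        if tok.startswith(("LicenseRef-", "DocumentRef-")):
            continue
        if tok in current:
            findings.append((tok, "ok", None))
        elif tok in deprecated:
            findings.append((tok, "deprecated", replacement.get(tok)))
        else:
            findings.append((tok, "unknown", None))
    return findings


def normalize_expression(expr, replacement):
    """Rewrite deprecated ids in an expression to their current form, keeping operators and parentheses."""
    return TOKEN_RE.sub(lambda m: replacement.get(m.group(0), m.group(0)), expr)


def audit_packages(packages, current, deprecated, replacement):
    """Return {package: [findings]} for packages whose expression has a deprecated or unknown id."""
    report = {}
    for name, expr in packages:
        bad = [f for f in check_expression(expr, current, deprecated, replacement) if f[1] != "ok"]
        if bad:
            report[name] = bad
    return report


if __name__ == "__main__":
    cur, dep, rep = load_license_list(LICENSE_LIST_JSON)
    for pkg, findings in audit_packages(SBOM_PACKAGES, cur, dep, rep).items():
        for lid, status, suggestion in findings:
            print(f"{pkg}: {lid} is {status}" + (f", use {suggestion}" if suggestion else ""))
    for pkg, expr in SBOM_PACKAGES:
        print(f"{pkg}: {expr!r} -> {normalize_expression(expr, rep)!r}")
```

Run against the real licenses.json the same two dictionaries fall out, and the audit reports the same "LGPL-2.1 is deprecated" finding the validator does, but with the id to substitute. The rewrite is deliberately token-based so that compound expressions and parentheses survive untouched; only the ids change.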