Hi all,

As a follow-up to this -- from the SPDX License List page at https://spdx.org/licenses/, in the "Deprecated License Identifiers" section:

> . . . When a license identifier is "deprecated" on the SPDX License List, it effectively means that there is an updated license identifier and the deprecated license identifier, while remaining valid, should no longer be used.

So, deprecated identifiers are and remain "valid", and SPDX Documents that contain them are also fully valid. If some of the SPDX parsing tools (from the SPDX project or elsewhere) flag those identifiers as making a document "invalid", then that isn't correct and is an error in the tooling.

I don't think there would be a problem with a *warning* that they are not encouraged for use (given the "should no longer be used" language above), but I think it's incorrect if tooling flags it as an *error*.

Best,
Steve

On Fri, Apr 14, 2023 at 4:31 PM Rose Judge via lists.spdx.org <rjudge=[email protected]> wrote:

> Deprecated license IDs do not validate with the latest SPDX tooling. You will see an error like the following:
>
> This SPDX Document is not valid due to:
> Package at line 34690 invalid: LGPL-2.1 is deprecated. in libseccomp2
> Package at line 8056 invalid: LGPL-2.1 is deprecated. in gcc-9-base
>
> This has been an issue for Tern as libraries we depend on still refer to deprecated SPDX license IDs.
>
> *From: *[email protected] <[email protected]> on behalf of J Lovejoy via lists.spdx.org <[email protected]>
> *Date: *Thursday, April 13, 2023 at 8:23 PM
> *To: *Anthony Harrison <[email protected]>
> *Cc: *[email protected] <[email protected]>
> *Subject: *Re: [spdx-tech] License with duplicated SPDX license ds
>
>> Hi Anthony,
>>
>> Well… yes, they are deprecated and show up on the deprecated part of the SPDX License List. But I think they are still valid in the context of SPDX tooling for the reason stated below.
>>
>> Kate - do I have that correctly stated?
>>
>> I guess this does make for a bit of an odd appearance. But it seemed the best approach given the reality of use of the old ids and it being a big change.
>>
>> Thanks,
>> Jilayne
>>
>> On Apr 12, 2023, at 12:27 PM, Anthony Harrison <[email protected]> wrote:
>>
>>> Hi Jilayne
>>>
>>> Thank you for the explanation.
>>>
>>> However I note that the 'older' GPL license ids e.g. LGPL-2.0+ are now marked as deprecated as of version 3.0 of the SPDX license list (see https://spdx.org/licenses/). Therefore if the SBOM refers to a version of the SPDX license list which is V3.x, then I assume that the deprecated license ids are no longer valid and should not be used when reporting a license within an SBOM. Is this a correct interpretation?
>>>
>>> Anthony
>>>
>>> On Wed, 12 Apr 2023 at 00:26, J Lovejoy <[email protected]> wrote:
>>>
>>>> Hi Anthony,
>>>>
>>>> This is not an error at all but reflects the changing of the ids for the GPL family of licenses at the behest of the FSF in 2017, while trying to not break things for those people who had already been using the previous ids for years prior. You can read more about it here:
>>>> https://spdx.dev/license-list-3-0-released/
>>>>
>>>> Thanks,
>>>> Jilayne
>>>> SPDX-legal co-lead
>>>>
>>>> ----
>>>>
>>>> Hello
>>>>
>>>> Looking at the latest version of the SPDX License List (3.20) I have noticed that some licenses have multiple identities e.g.
>>>>
>>>> --
>>>> "name": "GNU General Public License v2.0 only",
>>>> "licenseId": "GPL-2.0-only",
>>>> "licenseId": "GPL-2.0",
>>>> --
>>>> "name": "GNU Library General Public License v2 only",
>>>> "licenseId": "LGPL-2.0-only",
>>>> "licenseId": "LGPL-2.0",
>>>> --
>>>> "name": "GNU Library General Public License v2 or later",
>>>> "licenseId": "LGPL-2.0-or-later",
>>>> "licenseId": "LGPL-2.0+",
>>>> --
>>>> "name": "GNU General Public License v2.0 or later",
>>>> "licenseId": "GPL-2.0-or-later",
>>>> "licenseId": "GPL-2.0+",
>>>> --
>>>> "name": "GNU Lesser General Public License v2.1 only",
>>>> "licenseId": "LGPL-2.1-only",
>>>> "licenseId": "LGPL-2.1",
>>>> --
>>>> "name": "GNU Lesser General Public License v2.1 or later",
>>>> "licenseId": "LGPL-2.1-or-later",
>>>> "licenseId": "LGPL-2.1+",
>>>> --
>>>> "name": "GNU Lesser General Public License v3.0 only",
>>>> "licenseId": "LGPL-3.0-only",
>>>> "licenseId": "LGPL-3.0",
>>>> --
>>>> "name": "GNU Lesser General Public License v3.0 or later",
>>>> "licenseId": "LGPL-3.0-or-later",
>>>> "licenseId": "LGPL-3.0+",
>>>>
>>>> According to https://spdx.org/licenses/, there is only one identity e.g. LGPL-2.0-only specified for each license name.
>>>>
>>>> When validating a license identity (e.g. within an SBOM) are both identifiers valid or is this an error in the license data and I should only be using the license identifier as shown on https://spdx.org/licenses/?
>>>>
>>>> Regards
>>>>
>>>> Anthony
