I just created this issue to update the message from the SPDX Java and online tools: https://github.com/spdx/tools-java/issues/123

Feel free to review/comment my proposed change to the tool.

Thanks,
Gary

From: [email protected] <[email protected]> On Behalf Of Steve Winslow
Sent: Tuesday, April 18, 2023 12:56 PM
To: [email protected]
Cc: [email protected]; Anthony Harrison <[email protected]>; [email protected]
Subject: Re: [spdx-tech] License with duplicated SPDX license ds

Hi all,

As a follow-up to this -- from the SPDX License List page at https://spdx.org/licenses/, in the "Deprecated License Identifiers" section:

. . . When a license identifier is "deprecated" on the SPDX License List, it effectively means that there is an updated license identifier and the deprecated license identifier, while remaining valid, should no longer be used.

So, deprecated identifiers are and remain "valid", and SPDX Documents that contain them are also fully valid. If some of the SPDX parsing tools (from the SPDX project or elsewhere) flag those identifiers as making a document "invalid", then that isn't correct and is an error in the tooling.

I don't think there would be a problem with a warning that they are not encouraged for use (given the "should no longer be used" language above), but I think it's incorrect if tooling flags it as an error.

Best,
Steve

On Fri, Apr 14, 2023 at 4:31 PM Rose Judge via lists.spdx.org <[email protected]> wrote:

Deprecated license IDs do not validate with the latest SPDX tooling. You will see an error like the following:

This SPDX Document is not valid due to:
Package at line 34690 invalid: LGPL-2.1 is deprecated. in libseccomp2
Package at line 8056 invalid: LGPL-2.1 is deprecated. in gcc-9-base

This has been an issue for Tern as libraries we depend on still refer to deprecated SPDX license IDs.

From: [email protected] <[email protected]> on behalf of J Lovejoy via lists.spdx.org <[email protected]>
Date: Thursday, April 13, 2023 at 8:23 PM
To: Anthony Harrison <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [spdx-tech] License with duplicated SPDX license ds

Hi Anthony,

Well… yes, they are deprecated and show up on the deprecated part of the SPDX License List. But I think they are still valid in the context of SPDX tooling for the reason stated below. Kate - do I have that correctly stated?

I guess this does make for a bit of an odd appearance. But it seemed the best approach given the reality of use of the old ids and it being a big change.

Thanks,
Jilayne

On Apr 12, 2023, at 12:27 PM, Anthony Harrison <[email protected]> wrote:

Hi Jilayne

Thank you for the explanation. However I note that the 'older' GPL license ids e.g. LGPL-2.0+ are now marked as deprecated as of version 3.0 of the SPDX license list (see https://spdx.org/licenses/). Therefore if the SBOM refers to a version of the SPDX license list which is V3.x, then I assume that the deprecated license ids are no longer valid and should not be used when reporting a license within an SBOM. Is this a correct interpretation?

Anthony

On Wed, 12 Apr 2023 at 00:26, J Lovejoy <[email protected]> wrote:

Hi Anthony,

This is not an error at all but reflects the changing of the ids for the GPL family of licenses at the behest of the FSF in 2017, while trying to not break things for those people who had already been using the previous ids for years prior.

You can read more about it here: https://spdx.dev/license-list-3-0-released/

Thanks,
Jilayne
SPDX-legal co-lead

----

Hello

Looking at the latest version of the SPDX License List (3.20) I have noticed that some licenses have multiple identities e.g.

--
"name": "GNU General Public License v2.0 only",
"licenseId": "GPL-2.0-only",
"licenseId": "GPL-2.0",
--
"name": "GNU Library General Public License v2 only",
"licenseId": "LGPL-2.0-only",
"licenseId": "LGPL-2.0",
--
"name": "GNU Library General Public License v2 or later",
"licenseId": "LGPL-2.0-or-later",
"licenseId": "LGPL-2.0+",
--
"name": "GNU General Public License v2.0 or later",
"licenseId": "GPL-2.0-or-later",
"licenseId": "GPL-2.0+",
--
"name": "GNU Lesser General Public License v2.1 only",
"licenseId": "LGPL-2.1-only",
"licenseId": "LGPL-2.1",
--
"name": "GNU Lesser General Public License v2.1 or later",
"licenseId": "LGPL-2.1-or-later",
"licenseId": "LGPL-2.1+",
--
"name": "GNU Lesser General Public License v3.0 only",
"licenseId": "LGPL-3.0-only",
"licenseId": "LGPL-3.0",
--
"name": "GNU Lesser General Public License v3.0 or later",
"licenseId": "LGPL-3.0-or-later",
"licenseId": "LGPL-3.0+",

According to https://spdx.org/licenses/, there is only one identity e.g. LGPL-2.0-only specified for each license name. When validating a license identity (e.g. within an SBOM) are both identifiers valid or is this an error in the license data and I should only be using the license identifier as shown on https://spdx.org/licenses/?

Regards
Anthony
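The validation rule Steve lays out in the thread (a deprecated identifier stays valid and should only raise a warning, while an identifier that is not on the list at all is an error), as an added example that is not code from the SPDX tools or from anyone in the thread. The license-list subset, package list and function names are constructed for illustration; the `isDeprecatedLicenseId` field name follows the layout of the SPDX License List's licenses.json.

```python
from dataclasses import dataclass

# Constructed subset of the SPDX License List, laid out like entries in
# licenses.json (isDeprecatedLicenseId is the list's own flag).
LICENSE_LIST = [
    {"licenseId": "GPL-2.0-only", "isDeprecatedLicenseId": False},
    {"licenseId": "GPL-2.0", "isDeprecatedLicenseId": True},
    {"licenseId": "LGPL-2.0-or-later", "isDeprecatedLicenseId": False},
    {"licenseId": "LGPL-2.0+", "isDeprecatedLicenseId": True},
    {"licenseId": "LGPL-2.1-only", "isDeprecatedLicenseId": False},
    {"licenseId": "LGPL-2.1", "isDeprecatedLicenseId": True},
]
INDEX = {e["licenseId"]: e for e in LICENSE_LIST}
# NOASSERTION and NONE are not license identifiers but are valid values
# in a package's license field.
SPECIAL_VALUES = {"NOASSERTION", "NONE"}

@dataclass
class Finding:
    severity: str   # "ok", "warning" or "error"
    package: str
    license_id: str
    message: str

def check_license_id(package, license_id, index=INDEX):
    """Deprecated identifiers are a warning; unknown ones are an error."""
    if license_id in SPECIAL_VALUES:
        return Finding("ok", package, license_id, "")
    entry = index.get(license_id)
    if entry is None:
        return Finding("error", package, license_id,
                       f"{license_id} is not on the SPDX License List")
    if entry.get("isDeprecatedLicenseId", False):
        return Finding("warning", package, license_id,
                       f"{license_id} is deprecated and should no longer be used")
    return Finding("ok", package, license_id, "")

def validate_document(packages, index=INDEX):
    """packages: iterable of (name, license_id). The document is valid
    when no finding is error-level; deprecated ids never invalidate it."""
    findings = [check_license_id(p, lid, index) for p, lid in packages]
    return all(f.severity != "error" for f in findings), findings

# Constructed package list reusing the identifiers from Rose's tool output.
SAMPLE_PACKAGES = [
    ("libseccomp2", "LGPL-2.1"),
    ("gcc-9-base", "LGPL-2.1"),
    ("example-pkg", "GPL-2.0-only"),
]
```

Running `validate_document(SAMPLE_PACKAGES)` reports the two LGPL-2.1 packages as warnings and still returns the document as valid, which is the behaviour the thread asks the tooling to adopt.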
