cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0

Determine strategy for handling URLs that map to multiple SPDX identifiers #28

Closed JakeWharton closed 1 year ago

JakeWharton commented 3 years ago

For example, the androidx.emoji library uses http://scripts.sil.org/cms/scripts/page.php?item_id=OFL_web which maps to OFL-1.1, OFL-1.1-no-RFN, and OFL-1.1-RFN. Right now, we map URL to SPDX identifier based on the first seen in the JSON which isn't great.

Should we accept any SPDX identifier of the three and have them match any dependency with this license URL?

JakeWharton commented 3 years ago

The workaround for now is to allow the URL, not the SPDX identifier.

hfhbd commented 1 year ago

Isn't this a duplicate of https://github.com/cashapp/licensee/issues/86?

JakeWharton commented 1 year ago

I still think we grab only a single SPDX ID from a URL. Given the behavior of 'or' now, mapping to all possible IDs seems reasonable.

hfhbd commented 1 year ago

Wanna have a PR? :D

JakeWharton commented 1 year ago

Always. And then I am going to do the release because it's getting large.
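Added example, not part of the thread and not licensee's own code: a sketch of the two URL-to-SPDX mapping strategies discussed above (first identifier seen versus all identifiers), plus the URL allow-list workaround. The function names `build_index` and `is_allowed` and the sample data are assumptions made for illustration.

```python
import json

OFL_URL = "http://scripts.sil.org/cms/scripts/page.php?item_id=OFL_web"

# Constructed sample shaped like the SPDX license list JSON ("licenseId" and
# "seeAlso" fields); it is not the real file and lists only four entries.
SPDX_JSON = json.dumps({"licenses": [
    {"licenseId": "OFL-1.1", "seeAlso": [OFL_URL]},
    {"licenseId": "OFL-1.1-no-RFN", "seeAlso": [OFL_URL]},
    {"licenseId": "OFL-1.1-RFN", "seeAlso": [OFL_URL]},
    {"licenseId": "Apache-2.0", "seeAlso": ["https://www.apache.org/licenses/LICENSE-2.0"]},
]})


def build_index(spdx_json, keep_all):
    """Map each license URL to a set of SPDX identifiers (hypothetical helper).

    keep_all=False keeps only the first identifier seen for a URL (the
    behaviour the issue describes); keep_all=True keeps every identifier.
    """
    index = {}
    for lic in json.loads(spdx_json)["licenses"]:
        for url in lic.get("seeAlso", []):
            ids = index.setdefault(url, [])
            if keep_all or not ids:
                ids.append(lic["licenseId"])
    return {url: frozenset(ids) for url, ids in index.items()}


def is_allowed(dep_url, allowed_ids, allowed_urls, index):
    """Accept a dependency if its URL is allowed outright, or if any SPDX
    identifier the URL maps to is in the allow-list. Unknown URLs map to no
    identifier and are rejected unless allowed by URL."""
    if dep_url in allowed_urls:
        return True
    return bool(index.get(dep_url, frozenset()) & set(allowed_ids))


if __name__ == "__main__":
    allowed = {"OFL-1.1-RFN"}  # constructed allow-list
    for name, keep_all in (("first-seen", False), ("all-ids", True)):
        idx = build_index(SPDX_JSON, keep_all)
        print(name, sorted(idx[OFL_URL]), is_allowed(OFL_URL, allowed, set(), idx))
```

With the first-seen index, allowing `OFL-1.1-RFN` does not match a dependency that declares only the shared URL; with the all-identifiers index it does, which also means allowing any one of the three identifiers accepts every dependency using that URL.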