Closed xnox closed 1 month ago
Reading https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/#102-extracted-text-field
it feels like maybe we want to add extracted license texts into our spdx documents, or possibly just create refs to external texts that we self manage.

```json
"hasExtractedLicensingInfos" : [ {
  "licenseId" : "LicenseRef-wolfi-dev-spdx-ubuntu-font",
  "extractedText" : "foobaz bar"
}],
"licenseDeclared": "LicenseRef-wolfi-dev-spdx-ubuntu-font",
```

is valid spdx. And I think we can generate that from a list of license files.
Maybe we can do something like this:
Given yaml that has

```yaml
copyright:
  license-text:
    - LICENSE.txt
    - LICENSE.lib
```

Generate

```json
"licenseDeclared": "LicenseRef-1-${{package.name}}-${{package.full-version}} AND LicenseRef-2-${{package.name}}-${{package.full-version}}",
"hasExtractedLicensingInfos" : [ {
  "licenseId" : "LicenseRef-1-${{package.name}}-${{package.full-version}}",
  "extractedText" : "contents of LICENSE.txt"
}, {
  "licenseId" : "LicenseRef-2-${{package.name}}-${{package.full-version}}",
  "extractedText" : "contents of LICENSE.lib"
}],
```

In melange one should be able to specify filepaths to custom license information.
SPDX should generate a reference to it and include the full license text.
This is to address license terms of "proprietary" stuff and custom license terms which are not yet (if they ever will be) in the SPDX license list.
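
One way to generate the fragment proposed above from a list of license files, as an added example (not melange's code and not part of the original issue). `BuildLicensing`, `LicenseFile` and the sample package name and version are hypothetical; the example also replaces characters that SPDX 2.3 does not allow in a `LicenseRef-` idstring (only letters, digits, `.` and `-` are permitted), which matters for package names such as `libstdc++`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ExtractedLicense mirrors one SPDX 2.3 hasExtractedLicensingInfos entry.
type ExtractedLicense struct {
	LicenseID     string `json:"licenseId"`
	ExtractedText string `json:"extractedText"`
}

// LicenseFile is a hypothetical input: a path listed in the yaml plus its contents.
type LicenseFile struct{ Path, Text string }

// SPDX idstrings may only contain letters, digits, "." and "-".
var notIDString = regexp.MustCompile(`[^A-Za-z0-9.-]+`)

// BuildLicensing returns the licenseDeclared expression and the extracted
// entries for the given files, numbering the refs in input order.
func BuildLicensing(name, version string, files []LicenseFile) (string, []ExtractedLicense, error) {
	refs := make([]string, 0, len(files))
	infos := make([]ExtractedLicense, 0, len(files))
	for i, f := range files {
		if strings.TrimSpace(f.Text) == "" {
			return "", nil, fmt.Errorf("license file %q is empty", f.Path)
		}
		id := fmt.Sprintf("LicenseRef-%d-%s-%s", i+1,
			notIDString.ReplaceAllString(name, "-"), notIDString.ReplaceAllString(version, "-"))
		refs = append(refs, id)
		infos = append(infos, ExtractedLicense{LicenseID: id, ExtractedText: f.Text})
	}
	return strings.Join(refs, " AND "), infos, nil
}

func main() {
	// Constructed sample input; a real build would read these files from the workspace.
	files := []LicenseFile{{"LICENSE.txt", "contents of LICENSE.txt"}, {"LICENSE.lib", "contents of LICENSE.lib"}}
	declared, infos, err := BuildLicensing("libstdc++", "13.2.0-r1", files)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]any{"licenseDeclared": declared, "hasExtractedLicensingInfos": infos}, "", "  ")
	fmt.Println(string(out))
}
```

An empty license file is rejected rather than emitted, since a `LicenseRef-` entry without its extracted text gives a consumer of the SBOM nothing to review.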