chainguard-dev / melange

build APKs from source code
Apache License 2.0

SPDX should allow custom license text #1212

Closed xnox closed 1 month ago

xnox commented 1 month ago

In melange one should be able to specify filepaths to custom license information.

spdx should generate a reference to it and include the full license text.

This is to address license terms of "proprietary" stuff and custom license terms which are not yet (if ever will be) in spdx license list.

xnox commented 1 month ago

Reading https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/#102-extracted-text-field

it feels like maybe we want to add extracted license texts into our spdx documents, or possibly just create refs to external texts that we self manage.

xnox commented 1 month ago
  "hasExtractedLicensingInfos" : [ {
    "licenseId" : "LicenseRef-wolfi-dev-spdx-ubuntu-font",
    "extractedText" : "foobaz bar"
  }],
  "licenseDeclared": "LicenseRef-wolfi-dev-spdx-ubuntu-font",

is valid spdx. And I think we can generate that from a list of license files.

xnox commented 1 month ago

Maybe we can do something like this:

Given yaml that has

copyright:
    license-text:
        - LICENSE.txt
        - LICENSE.lib

Generate

"licenseDeclared": "LicenseRef-1-${{package.name}}-${{package.full-version}} AND LicenseRef-2-${{package.name}}-${{package.full-version}}",

  "hasExtractedLicensingInfos" : [ {
    "licenseId" : "LicenseRef-1-${{package.name}}-${{package.full-version}}",
    "extractedText" : "contents of LICENSE.txt"
  }, {
    "licenseId" : "LicenseRef-2-${{package.name}}-${{package.full-version}}",
    "extractedText" : "contents of LICENSE.lib"
  }],
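One way to generate the fragment above from a `license-text` list, as an added Go example that is not melange's own code (the `BuildExtractedLicenses` function, the `LicenseFile` type and the sanitising of the package name are assumptions, not part of the proposal): it builds the `LicenseRef-N-<name>-<version>` ids, checks each id against the SPDX 2.3 idstring rule (letters, digits, `.` and `-` only) and refuses empty license text, so the declared expression always resolves to an entry carrying the real text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ExtractedLicensingInfo mirrors one entry of SPDX 2.3 hasExtractedLicensingInfos.
type ExtractedLicensingInfo struct {
	LicenseID     string `json:"licenseId"`
	ExtractedText string `json:"extractedText"`
}

// LicenseFile is one file from the copyright.license-text list: its name and full text.
type LicenseFile struct {
	Name, Text string
}

// SPDX 2.3 idstring: "LicenseRef-" followed only by letters, digits, "." and "-".
var (
	licenseRefRe = regexp.MustCompile(`^LicenseRef-[A-Za-z0-9.-]+$`)
	badIDCharRe  = regexp.MustCompile(`[^A-Za-z0-9.-]`)
)

// sanitize replaces characters that are not allowed in an idstring (e.g. "_" or "+") with "-".
func sanitize(s string) string { return badIDCharRe.ReplaceAllString(s, "-") }

// BuildExtractedLicenses returns the licenseDeclared expression (refs joined with AND)
// and the matching hasExtractedLicensingInfos entries for the given license files.
func BuildExtractedLicenses(pkg, fullVersion string, files []LicenseFile) (string, []ExtractedLicensingInfo, error) {
	if len(files) == 0 {
		return "", nil, fmt.Errorf("no license files given")
	}
	var refs []string
	var infos []ExtractedLicensingInfo
	for i, f := range files {
		// An empty extractedText would produce a valid-looking but meaningless reference.
		if strings.TrimSpace(f.Text) == "" {
			return "", nil, fmt.Errorf("%s: license text is empty", f.Name)
		}
		id := fmt.Sprintf("LicenseRef-%d-%s-%s", i+1, sanitize(pkg), sanitize(fullVersion))
		if !licenseRefRe.MatchString(id) {
			return "", nil, fmt.Errorf("invalid LicenseRef id %q", id)
		}
		refs = append(refs, id)
		infos = append(infos, ExtractedLicensingInfo{LicenseID: id, ExtractedText: f.Text})
	}
	return strings.Join(refs, " AND "), infos, nil
}
```

Marshalling `infos` with `encoding/json` yields the `hasExtractedLicensingInfos` array shown above, with every id in `licenseDeclared` guaranteed to have a matching entry.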
xnox commented 1 month ago

released https://github.com/chainguard-dev/melange/releases/tag/v0.8.0