clearlydefined / service

The service side of clearlydefined.io
MIT License

SPDX format for License exceptions #580

Open ariel11 opened 5 years ago

ariel11 commented 5 years ago

Several curations are coming in as "EPL-2.0 OR GPL-2.0-with-classpath-exception" or "GPL-2.0-with-classpath-exception OR CDDL-1.1."

I think the proper SPDX format would be "EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0" and "GPL-2.0-only WITH Classpath-exception-2.0 OR CDDL-1." See https://github.com/clearlydefined/curated-data/pull/2193#issuecomment-510268781.

jeffmendoza commented 4 years ago

Not sure if this is a bug with curations, or a gap in validation.

nellshamrell commented 3 years ago

Hi @ariel11! Have you seen this in any recent curations?

ariel11 commented 3 years ago

@nellshamrell - yes, the automated tooling submits "GPL-2.0-with-classpath-exception" when the proper SPDX format would specify "only" or "or-later" for GPL-2.0 and use "WITH" in all caps and end with "Classpath-exception-2.0." This isn't a super common license, so not sure I have a more recent example handy. OK - I did a search and here is a PR from 28 days ago that shows it came through with the incorrect "GPL-2.0-with-classpath-exception" format - https://github.com/clearlydefined/curated-data/pull/8628/commits/4f0d2c948a288a64dc232a02aef978ae0221f148

nellshamrell commented 3 years ago

Thank you!

nellshamrell commented 3 years ago

Queued up a harvest in our Azure Dev environment to replicate this: https://dev.clearlydefined.io/definitions/nuget/nuget/-/Moq.Dapper/1.0.0.9

(As of now, harvest is still running)

nellshamrell commented 3 years ago

Some notes:

Timeline

It seems like the core of the problem is with what the Clearly Defined bot submits for the pull request. Rather than submitting a license of "GPL-2.0-with-classpath-exception" it should be submitting "GPL-2.0-only WITH Classpath-exception-2.0".

@ariel11 - does this sound correct? (Want to make sure I understand the core problem)

@jeffmendoza - could this possibly be an issue on the Component Governance end? Is that where the ClearlyDefined bot requests come from?

Thank you everybody!

ariel11 commented 3 years ago

@nellshamrell - confirming "GPL-2.0-with-classpath-exception" is not SPDX compliant. Firstly, "GPL-2.0" is a deprecated identifier: https://spdx.org/licenses/GPL-2.0.html. Second, the License Expression operator is "WITH" (all caps). Third, the classpath exception is "Classpath-exception-2.0."

So, yes - assuming the first part of the curation should be "GPL-2.0-only," then the full curation for something with the classpath exception is "GPL-2.0-only WITH Classpath-exception-2.0".

silverhook commented 3 years ago

GPL-2.0-with-classpath-exception is deprecated in SPDX since SPDX License List 2.0rc2 in favour of – as you said – GPL-2.0-only WITH Classpath-exception-2.0.

https://spdx.org/licenses/GPL-2.0-with-classpath-exception.html

So it should technically still be valid, but it should still be replaced with the new identifier.
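The validation gap discussed in this thread, as an added example that is not part of the issue or of the ClearlyDefined code base: a small check that rewrites the deprecated identifiers named above into the current SPDX expression form and reports each change. The function names and the two-entry mapping table are assumptions made for illustration; a real check would load the full SPDX License List.

```javascript
// Constructed table for this example: deprecated identifier (lower-cased)
// mapped to the current SPDX form. Only the identifiers named in the thread.
const DEPRECATED = new Map([
  ['gpl-2.0-with-classpath-exception', 'GPL-2.0-only WITH Classpath-exception-2.0'],
  // Assumption taken from the thread: plain "GPL-2.0" is read as "GPL-2.0-only".
  ['gpl-2.0', 'GPL-2.0-only'],
]);
const OPERATORS = new Set(['AND', 'OR', 'WITH']);

// Split an expression into parentheses and whitespace-separated words.
function tokenize(expression) {
  return expression.match(/[()]|[^\s()]+/g) || [];
}

// Hypothetical helper: returns the rewritten expression plus one finding
// per change, so a curation can be rejected or auto-corrected.
function normalizeLicenseExpression(expression) {
  const findings = [];
  const out = tokenize(expression).map((token) => {
    if (token === '(' || token === ')') return token;
    const upper = token.toUpperCase();
    if (OPERATORS.has(upper)) {
      if (token !== upper) findings.push(`operator "${token}" must be upper case`);
      return upper;
    }
    const replacement = DEPRECATED.get(token.toLowerCase());
    if (replacement) {
      findings.push(`"${token}" is deprecated, use "${replacement}"`);
      return replacement;
    }
    return token; // unknown or already-current identifier: left untouched
  });
  // WITH binds tighter than AND/OR, so the expanded form needs no extra parentheses.
  const normalized = out.join(' ').replace(/\( /g, '(').replace(/ \)/g, ')');
  return { normalized, findings };
}

// Constructed sample inputs, using the strings quoted in the thread.
for (const sample of [
  'EPL-2.0 OR GPL-2.0-with-classpath-exception',
  '(GPL-2.0 with Classpath-exception-2.0)',
]) {
  console.log(sample, '=>', normalizeLicenseExpression(sample));
}
```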