Open alpianon opened 9 months ago
reply from @goneall if the parallel issue: https://github.com/spdx/Spdx-Java-Library/issues/227#issuecomment-1883689593
TL;DR:
So it seems that both projects have an issue to solve, in the end :slightly_smiling_face:
@alpianon thanks for the report! that does indeed seem like a bug.
I ran into this issue while trying to convert an SPDX file generated with the REUSE tool. I'm not sure if this an issue of SPDX tools or of REUSE tool (I will explain why below), so I'm opening the same issue in both projects :slightly_smiling_face:
link to the issue in SPDX tools' repo: https://github.com/spdx/Spdx-Java-Library/issues/227
In a nutshell, it seems that SPDX tools refuse to validate an SPDX file when both:
1) a license exception tag is stored as a separate LicenseInfoInFile field 2) the same tag is found (as a "WITH" exception) in the LicenseConcluded field
but it validates it when only (1) happens (and LicenseConcluded is NOASSERTION), or when only (2) happens and the license exception is stored in a license expression ("some-license WITH the-exception") in LicenseInfoInFile
I ran into this issue while I was trying to convert an SPDX file generated by REUSE tool from the qtbase source package, and I ran into an error due to (1)+(2), but I don't know whether SPDX tools is too picky here, or REUSE tool is not following an (implied) requirement of SPDX specs. In other words, I don't know if the expected behavior is that SPDX tools validates such files generated by REUSE tool, or if the expected behavior is that REUSE tool produces SPDX files without doing (1).
Steps to reproduce:
you get the following error:
The problem seems to be the SPDX file generated by REUSE tool, where you find file entries like:
(note that
Qt-GPL-exception-1.0
is stored as a separateLicenseInfoInFile
entry, and not as an exception)If you manually change all the entries like the above to:
the Verify command returns no error and says that "This SPDX Document is valid".
The thing that makes me wonder whether this is an issue of SPDX tools or of REUSE tool, is that I cannot find anything in the current SPDX specs that mandates that LicenseInfoInFile fields are coherent with LicenseConcluded fields when using license exceptions; moreover, if I try to generate an SPDX file without LicenseConcluded data with REUSE tool, SPDX tool validates it even if
Qt-GPL-exception-1.0
is stored in a separate LicenseInfoInFile field:..even if the entries like the one above are like this:
(note the field
LicenseInfoInFile: Qt-GPL-exception-1.0
)Summing up, as anticipated at the beginning, it seems that SPDX tools refuse to validate an SPDX file when both:
1) a license exception tag is stored as a separate LicenseInfoInFile field 2) the same tag is found (as a "WITH" exception) in the LicenseConcluded field
but it validates it when only 1) happens.
Is SPDX tools too picky here, or is REUSE tool not following an (implied) requirement of SPDX specs?