hughsie / appstream-glib

This library provides objects and helper methods to help reading and writing AppStream metadata.
GNU Lesser General Public License v2.1

Validation should not accept multiple project_license elements #401

Open oturpe opened 3 years ago

oturpe commented 3 years ago

During Fedora review of an application called qvge, a metainfo file that contains the following was created in an attempt to describe the fact that qvge's binary contains parts for each of the listed licenses:

<project_license>MIT</project_license>
<project_license>BSD</project_license>
<project_license>LGPL-3.0</project_license>

My reading of the AppStream spec would be that there can be 0 or 1 project_license elements, and an application that needs to respect all these licenses should be encoded as MIT and BSD and LGPL-3.0. But Fedora's mandatory call to appstream-util validate-relax let the metainfo file in question pass. validate-strict does not complain about multiples either.

I think the validation should fail when there are multiple project_license elements. At least the reference implementation simply ignores all but one, so having more is certainly an error.

This is the full file that should fail validation, but does not:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2016-2020 Ars L. Masiuk <ars.masiuk@gmail.com> -->
<component type="desktop">
  <id>qvge.desktop</id>
  <metadata_license>MIT</metadata_license>
  <project_license>MIT</project_license>
  <project_license>BSD</project_license>
  <project_license>LGPL-3.0</project_license>
  <name>Qt visual graph editor</name>
  <summary>View and manipulate small till middle-sized graphs.</summary>
  <description>
    <p>
      Application for viewing and manipulating small till middle-sized graphs. It supports several formats (GraphML, GEXF, GML, GraphViz/Dot).
    </p>
  </description>
  <url type="homepage">https://github.com/ArsMasiuk/qvge</url>
  <url type="donation">https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&amp;hosted_button_id=Z35EHHJ3729GG&amp;source=url</url>
  <screenshots>
    <screenshot type="default">
      <image>https://user-images.githubusercontent.com/19762856/85934275-2a985480-b8e1-11ea-81a9-a5b81f3365e2.PNG</image>
      <caption>Screenshot of the main window</caption>
    </screenshot>
  </screenshots>
  <updatecontact>https://github.com/ArsMasiuk/qvge/issues</updatecontact>
  <translation type="qt">qvge</translation>
</component>

hughsie commented 3 years ago

Agree. Could you do a simple PR to add this to the app validator please?

oturpe commented 3 years ago

I think I can do that. There are also other fields that behave the same, I will check their situation as well.
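
A minimal sketch of the check requested in this issue, added here as an example; it is not appstream-glib code and not the validator's implementation. The `SINGLE_OCCURRENCE` list and the function names are assumptions made for illustration, and the sample is reduced from the metainfo file quoted above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption for this example: elements treated as "at most one per component".
# project_license is the element the issue is about; the others are illustrative.
SINGLE_OCCURRENCE = ("id", "metadata_license", "project_license")

# Constructed sample, reduced from the metainfo file quoted in the issue.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<component type="desktop">
  <id>qvge.desktop</id>
  <metadata_license>MIT</metadata_license>
  <project_license>MIT</project_license>
  <project_license>BSD</project_license>
  <project_license>LGPL-3.0</project_license>
  <name>Qt visual graph editor</name>
</component>
"""


def find_repeated_elements(xml_text, tags=SINGLE_OCCURRENCE):
    """Return {tag: [values...]} for each listed tag that appears more than
    once as a direct child of the root <component>."""
    # Parses a local, trusted metainfo file; use a hardened parser for
    # XML that comes from an untrusted source.
    root = ET.fromstring(xml_text.encode("utf-8"))
    seen = defaultdict(list)
    for child in root:
        if child.tag in tags:
            seen[child.tag].append((child.text or "").strip())
    return {tag: values for tag, values in seen.items() if len(values) > 1}


def validate(xml_text):
    """Return a list of problem strings; an empty list means the check passed."""
    problems = []
    for tag, values in find_repeated_elements(xml_text).items():
        msg = f"<{tag}> appears {len(values)} times, expected at most 1: {values}"
        if tag == "project_license":
            # Combined form described in the issue, written as one expression.
            msg += f"; consider a single element such as '{' AND '.join(values)}'"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("FAIL:", problem)
```
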