Open pmonks opened 3 hours ago
It appears the same issue exists in the (old) LGPL variants too:
LGPL-2.0
text vs LGPL-2.0-only
SPDX template and LGPL-2.0-or-later
SPDX templateLGPL-2.1
text vs LGPL-2.1-only
SPDX template and LGPL-2.1-or-later
SPDX templateThe LGPL-3.0-*
SPDX templates appear to be aligned with the FSF's canonical LGPL-3.0
text, however. This issue also isn't relevant for the AGPL
, since there's only a single version of that published by the FSF (AGPL-3.0
).
There are discrepancies between FSF's canonical
GPL-1.0
andGPL-2.0
texts and their associated SPDX templates that cause matching to fail in downstream software that performs matching.Specifically:
GPL-1.0
text no longer includes a physical address on line 6, and has added a URL in that location instead. Neither of these changes are taken into account in either theGPL-1.0-only
orGPL-1.0-or-later
SPDX templates.GPL-2.0
text now has a URL on line 6. While theGPL-2.0-only
andGPL-2.0-or-later
SPDX templates correctly handle the (now optional) physical address, neither of them handle the (presumably optional) URL that is now included in the canonical text.Note: if the SPDX project has contacts over at the FSF it may be worth asking them if it might be possible to notify the SPDX project whenever they make changes of any kind to their license texts (even/especially "legally irrelevant" ones). Previous issues (including #2430, #2204, #1995, #1973, #1972) suggest that the FSF are quite liberal about making such changes and thereby inadvertently breaking SPDX license matching randomly.