spdx / license-list-XML

This is the repository for the master files that comprise the SPDX License List

Discrepancies between GPL 1.0 & 2.0 canonical texts and their associated SPDX templates #2568

Open pmonks opened 1 month ago

pmonks commented 1 month ago

There are discrepancies between FSF's canonical GPL-1.0 and GPL-2.0 texts and their associated SPDX templates that cause matching to fail in downstream software that performs matching.

Specifically:

Note: if the SPDX project has contacts over at the FSF it may be worth asking them if it might be possible to notify the SPDX project whenever they make changes of any kind to their license texts (even/especially "legally inconsequential" ones). Previous issues (including #2430, #2204, #1995, #1973, #1972) suggest that the FSF are quite liberal about making such changes and thereby inadvertently breaking SPDX license matching randomly.

pmonks commented 1 month ago

It appears the same issue exists in the (old) LGPL variants too:

The LGPL-3.0-* SPDX templates appear to be aligned with the FSF's canonical LGPL-3.0 text, however. This issue also isn't relevant for the AGPL, since there's only a single version of that published by the FSF (AGPL-3.0).

jlovejoy commented 1 month ago

Good catch! And since the copyright notice in this (somewhat rare) case is on the license itself, this is not a situation where for matching purposes it might be ignored as part of the copyright notice.

The good news is that this can easily be accommodated with the alt tag.

@pmonks - do you want to prepare a PR?

szepeviktor commented 1 month ago

Is the change in the sample copyright disclaimer relevant here?

-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
+  <signature of Moe Ghoul>, 1 April 1989
+  Moe Ghoul, President of Vice

https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

jlovejoy commented 6 days ago

This just needs a PR to address these variations.
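
A reduced model of how an `<alt>` element lets one template accept more than one wording, using the two sample-disclaimer wordings quoted in the thread only as sample text. This is an added example, not code or template content from the SPDX project: the template fragment, the `name` values and the matcher are constructed for illustration, and real SPDX matching applies further normalization.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the style of an SPDX license-list XML template.
# It is NOT copied from the real GPL-2.0 template. In <alt>, the element text
# is the default wording and `match` is a regex of accepted variants.
TEMPLATE = (
    '<text>'
    '<p>&lt;signature of <alt name="signer" match="Ty Coon|Moe Ghoul">Ty Coon</alt>'
    '&gt;, 1 April 1989</p>'
    '<p><alt name="officer" match="Ty Coon|Moe Ghoul">Ty Coon</alt>, President of Vice</p>'
    '</text>'
)
# Same fragment with each <alt> flattened to its default text (no variants allowed).
STRICT = re.sub(r"<alt[^>]*>(.*?)</alt>", r"\1", TEMPLATE)

def _squash(text):
    """Collapse whitespace runs so line wrapping never affects matching."""
    return re.sub(r"\s+", " ", text or "")

def _to_regex(elem):
    """Literal text is escaped; an <alt> contributes its `match` regex."""
    if elem.tag == "alt":
        return "(?:" + elem.get("match") + ")"
    parts = [re.escape(_squash(elem.text))]
    for child in elem:
        parts.append(_to_regex(child))
        parts.append(re.escape(_squash(child.tail)))
    return "".join(parts)

def matches(template_xml, candidate):
    """True if candidate text matches the template, paragraph by paragraph."""
    root = ET.fromstring(template_xml)
    pattern = r"\s".join(_to_regex(p) for p in root.iter("p"))
    return re.fullmatch(pattern, _squash(candidate).strip()) is not None

# Constructed candidates using the two wordings quoted in the thread.
OLD = "  <signature of Ty Coon>, 1 April 1989\n  Ty Coon, President of Vice\n"
NEW = OLD.replace("Ty Coon", "Moe Ghoul")

if __name__ == "__main__":
    for label, text in (("old", OLD), ("new", NEW)):
        print(label, "strict:", matches(STRICT, text), "alt:", matches(TEMPLATE, text))
```

The flattened template accepts only the default wording, while the `<alt>` version accepts either listed variant and still rejects any other name.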