spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

make it explicit that a license exception, alone, cannot be a valid license expression #873

Open alpianon opened 5 months ago

alpianon commented 5 months ago

See https://github.com/fsfe/reuse-tool/issues/890 and https://github.com/spdx/Spdx-Java-Library/issues/227

TL;DR: Qt-GPL-exception-1.0 (or any other "standalone" license exception) is not a valid license expression that can be put in LicenseInfoInFile.

That is implied by what is written in Annex D.1, but it would be better to make it more explicit, to avoid issues like the ones mentioned above.

pmonks commented 5 months ago

The ABNF grammar in Annex D.1 makes this explicit, and I've always understood the sentence "The exact syntax of license expressions is described below in ABNF." to mean that that grammar is normative.

alpianon commented 5 months ago

> The ABNF grammar in Annex D.1 makes this explicit, and I've always understood the sentence "The exact syntax of license expressions is described below in ABNF." to mean that that grammar is normative.

What about adding something like "For the sake of clarity, a license exception in isolation is not a valid license expression"?

I'm pretty sure there are other tools out there (e.g. Fossology) that make the same mistake, so making it clearer would do no harm and may help avoid such mistakes.

pmonks commented 5 months ago

It seems to me that the logical conclusion of that argument would be that the entire ABNF grammar needs to be duplicated and translated to plain English, which I'd argue is inappropriate in a technical specification like the SPDX spec. ABNF is a good choice for describing this kind of thing precisely and succinctly.

goneall commented 3 months ago

Agree with @pmonks - ABNF should be the "source of truth" for the license expression.

@kestewart - thoughts?

swinslow commented 4 weeks ago

I tend to agree with @pmonks here. I think that between the ABNF, the rest of the annex, and the definitions in the model, it's pretty clear for purposes of the spec that a license exception cannot by itself be a license expression.

For what's currently in the spec, there's at least the following (emphasis added):

All that said: We've been discussing that there should likely be other documentation, not part of the spec itself but published elsewhere by SPDX, to assist users to better understand the spec. I could see something like this being worth raising in e.g. an FAQ.
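
An added illustration, not part of the thread and not code from SPDX, reuse-tool or Spdx-Java-Library: a small Python validator that follows the shape of the Annex D.1 grammar and shows why a standalone exception such as Qt-GPL-exception-1.0 is rejected while the same identifier after WITH is accepted. The identifier sets are small constructed subsets of the license and exception lists, the function names are hypothetical, and identifiers are matched with exact case as a simplification.

```python
import re

# Constructed subsets of the SPDX license list (Annex A.1) and exception
# list (Annex A.2); a real validator would load the full published lists.
LICENSE_IDS = {"GPL-2.0-only", "GPL-3.0-only", "MIT", "Apache-2.0"}
EXCEPTION_IDS = {"Qt-GPL-exception-1.0", "Classpath-exception-2.0"}
LICENSE_REF = re.compile(r"(DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+")

def is_simple(tok):
    """simple-expression = license-id / license-id"+" / license-ref"""
    base = tok[:-1] if tok.endswith("+") else tok
    return base in LICENSE_IDS or bool(LICENSE_REF.fullmatch(tok))

def parse_term(tokens, pos):
    """Consume a simple-expression (optionally WITH an exception) or a (group)."""
    if pos >= len(tokens):
        raise ValueError("expression ends where a license is required")
    tok = tokens[pos]
    if tok == "(":
        pos = parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')'")
        return pos + 1
    if tok in EXCEPTION_IDS:
        # The case discussed in this issue: an exception where a license belongs.
        raise ValueError(f"{tok} is a license exception and is only valid after WITH")
    if not is_simple(tok):
        raise ValueError(f"{tok} is not a known license-id or license-ref")
    if tokens[pos + 1:pos + 2] == ["WITH"]:
        if pos + 2 >= len(tokens) or tokens[pos + 2] not in EXCEPTION_IDS:
            raise ValueError("WITH must be followed by a license-exception-id")
        return pos + 3
    return pos + 1

def parse_expr(tokens, pos):
    # Only validity is checked, so AND/OR precedence does not matter here.
    pos = parse_term(tokens, pos)
    while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
        pos = parse_term(tokens, pos + 1)
    return pos

def check(expression):
    """Return None if the expression is valid, else the reason it is rejected."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    try:
        pos = parse_expr(tokens, 0)
        if pos != len(tokens):
            raise ValueError(f"unexpected token {tokens[pos]}")
    except ValueError as err:
        return str(err)
    return None
```

`check("Qt-GPL-exception-1.0")` returns the rejection reason, while `check("GPL-3.0-only WITH Qt-GPL-exception-1.0")` returns `None`.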