voxpupuli / metadata-json-lint

Tool to check the validity of Puppet metadata.json files
Apache License 2.0

Validate license field against the SPDX identifier list #2

Closed domcleal closed 9 years ago

domcleal commented 9 years ago

Uses a new 'spdx-licenses' gem for the list, and returns an error if this recommendation isn't met.

The Puppet Forge uses the SPDX list to validate known licenses when scoring the quality of metadata files.

https://github.com/puppetlabs/puppet-docs/pull/414 introduced this to the module publishing documentation.

ryanycoleman commented 9 years ago

@domcleal, you rock! Thank you. For handiness, here's the link to those license identifiers: http://spdx.org/licenses

nibalizer commented 9 years ago

Cool! I'll try to get to this today! Don't be afraid to harass me if I forget.

nibalizer commented 9 years ago

Why does it accept 'Apache-2.0' but not 'Apache 2.0'? I think most things say "Apache 2.0" and I don't really want to break compat. How about we put spdx license validation behind a flag/config file, and if it is enabled, it fails?

domcleal commented 9 years ago

re Apache 2.0 versus hyphenated, that's just the way SPDX identify licences. We could whitelist it, but would then have to ask @ryanycoleman to make sure the Forge does too.

nibalizer commented 9 years ago

@ryanycoleman so right now you get docked points if you say "Apache 2.0" and not "Apache-2.0"? That seems like a bug.

ryanycoleman commented 9 years ago

@nibalizer you get docked very little and I do not consider it a bug. If the values of that field are not consistent, we cannot make any assertions about which modules have a particular license. If you prefer to treat it differently in your linter, feel free. We very much expect adoption to have a long tail, much like OS compatibility.

electrical commented 9 years ago

Could we make this an option like '--strict-license' for example? I would have it enabled by default, but that's just me :-)

nibalizer commented 9 years ago

@electrical ya I think that's the smart money.

nibalizer commented 9 years ago

Merged #7 instead. It has all your features though. Thanks!
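
Added example, not part of the thread and not metadata-json-lint's own code: a sketch of the check discussed above, where a non-SPDX `license` value is an error in strict mode and a warning otherwise, and a near-miss such as "Apache 2.0" gets a suggested identifier. The names `check_license`, `normalize_license` and `SPDX_SUBSET`, the strict-by-default behaviour, and the short identifier list are assumptions made for illustration.

```ruby
require 'json'

# Constructed subset of SPDX identifiers for illustration; a real check would
# load the full list (the PR takes it from the 'spdx-licenses' gem).
SPDX_SUBSET = %w[Apache-2.0 MIT GPL-2.0 GPL-3.0 BSD-3-Clause MPL-2.0].freeze

# Collapse case, spaces, hyphens and underscores so near-misses can be matched.
def normalize_license(name)
  name.to_s.downcase.gsub(/[\s_-]+/, '')
end

# Returns {level:, message:, suggestion:} for the license field of a
# metadata.json document. strict: true mirrors the proposed '--strict-license'
# option (hypothetical here); strict: false downgrades the failure to a warning.
def check_license(metadata_json, strict: true)
  doc = JSON.parse(metadata_json)
  license = doc.is_a?(Hash) ? doc['license'] : nil
  unless license.is_a?(String) && !license.strip.empty?
    return { level: :error, message: 'license field missing or not a string', suggestion: nil }
  end
  if SPDX_SUBSET.include?(license)
    return { level: :ok, message: "#{license} is an SPDX identifier", suggestion: nil }
  end

  # Exact match failed: look for an identifier that differs only in
  # case or separators, e.g. 'Apache 2.0' versus 'Apache-2.0'.
  suggestion = SPDX_SUBSET.find { |id| normalize_license(id) == normalize_license(license) }
  hint = suggestion ? " (did you mean '#{suggestion}'?)" : ''
  { level: strict ? :error : :warning,
    message: "license '#{license}' is not an SPDX identifier#{hint}",
    suggestion: suggestion }
rescue JSON::ParserError => e
  { level: :error, message: "invalid JSON: #{e.message}", suggestion: nil }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample metadata.json documents.
  ['{"name":"example-mod","license":"Apache-2.0"}',
   '{"name":"example-mod","license":"Apache 2.0"}',
   '{"name":"example-mod","license":"Proprietary"}'].each do |doc|
    [true, false].each { |strict| puts "strict=#{strict} #{check_license(doc, strict: strict)}" }
  end
end
```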