Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to spdx 3.22 #3554

Merged
merged 9 commits into from
Nov 8, 2023
Merged

Update to spdx 3.22 #3554

merged 9 commits into from
Nov 8, 2023

Conversation

AyanSinhaMahapatra
Copy link
Member

@AyanSinhaMahapatra AyanSinhaMahapatra commented Oct 17, 2023

These license additions and license/rule updates are added
automatically using the new spdx-synclic script. Features are:

  • Update old licenses on perfect-detection
  • Add new licenses where we don't have good detection at all
  • Deprecate generic rules when we have perfect detections to those,
    as we are adding licenses for those
  • In case of multiple detections/matches we are adding a new license and
    adding the detection details to the new file as notes to review there

Also reviewed the license additions and removed notes in resolved
licenses. Added category and owners, deprecate rules as required.

Reference: https://github.com/spdx/license-list-XML/releases/tag/v3.22
Reference: #3541

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Looked for possible updates in documentation and added updates if applicable
  • Updated CHANGELOG.rst

These license additions and license/rule updates are added
automatically using the new spdx-synclic script. Features are:

* Update old licenses on `perfect-detection`
* Add new licenses where we don't have good detection at all
* Deprecate generic rules when we have perfect detections to those,
  as we are adding licenses for those
* In case of multiple detections/matches we are adding a new license and
  adding the detection details to the new file as notes to review there

Reference: https://github.com/spdx/license-list-XML/releases/tag/v3.22
Reference: #3541

Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
Copy link
Member Author

@AyanSinhaMahapatra AyanSinhaMahapatra left a comment

category: Permissive
owner: Regents of the University of California
name: BSD 3-Clause Flex variant
notes: |
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/flex-2.5.LICENSE which has a slightly different license text, but has rules which are matching.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AyanSinhaMahapatra Rather than create a new scancode license, I think that we should update the existing scancode flex-2.5 license to match this new SPDX license:

  1. replace the license text in the scancode licensedb
  2. update the spdx_license_key to BSD-3-Clause-flex to replace the current LicenseRef

I am aware that in the license text we normally avoid copyrights and references to specific organizations and code projects, but I think that is appropriate for this license, which we would call a component_license.

src/licensedcode/data/licenses/bsd-3-clause-hp.LICENSE Outdated Show resolved Hide resolved
Copy link
Member

@DennisClark DennisClark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see my notes regarding the flex license. Everything else looks good.

src/licensedcode/data/licenses/bsd-3-clause-hp.LICENSE Outdated Show resolved Hide resolved
Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
@DennisClark
Copy link
Member

@AyanSinhaMahapatra Regarding HPND-Pbmplus, I think we need to update
https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/libpbm.LICENSE
to change the spdx_license_key from xlock to HPND-Pbmplus
and make sure that the texts are the same
and
we need to create a new scancode license for xlock to correspond with the spdx xlock

In both cases, I think the RULE specs need to be rather aggressive regarding required text to identify a good detection.

I hope that this is similar to what you were thinking?

@DennisClark
Copy link
Member

@AyanSinhaMahapatra Regarding HP-1989, I think we need to update
https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/osf-1990.LICENSE
to change the spdx_license_key from the current licenseref to HP-1989
but leave the scancode license text the way it is now (with the various company names genericized).

and

we need to create a new license in scancode to correspond with HP-1986
using a scancode license key of hp-1986

@AyanSinhaMahapatra
Copy link
Member Author

AyanSinhaMahapatra commented Oct 18, 2023

@DennisClark regarding Regarding HP-1989 what you said makes sense,
as we had already spdx_license_key: HP-1989 for key: osf-1990 (this was added in SPDX 3.20)

but leave the scancode license text the way it is now (with the various company names genericized).
This makes sense, I'll update this.

But in case of HPND-Pbmplus, we already had the spdx license key as spdx_license_key: xlock for key: libpbm (this was added in spdx 3.20 too) so if we change the spdx_license_key from xlock to HPND-Pbmplus we will make a change in the SPDX license key (in the other case above we are not changing). As we preserve old spdx license keys in other_spdx_license_keys when we change these keys, here the spdx key xlock would then be present at two places, the other_spdx_license_keys of the old license and at the spdx_license_key of the new license which would be inconsistent.

If we instead change the license texts so that we have key: libpbm and spdx_license_key: xlock and then the new license added is key: hpnd-pbmplus and spdx_license_key: HPND-Pbmplus would this be incorrect? We will also change the license text to ke consistent with spdx in this case. So basically the issue is we either have to change license texts or change the old key -> spdx_key relationship, and which one is less problematic? What do you think?

@DennisClark
Copy link
Member

@AyanSinhaMahapatra on further reflection, your remarks starting with "If we instead change the license texts ... " make more sense; please go ahead and do that.

The good news in all this is that these licenses are extremely rare, so I doubt that we'll be causing much trouble with this solution, if any.

Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
@AyanSinhaMahapatra
Copy link
Member Author

All green! Merging.

@AyanSinhaMahapatra AyanSinhaMahapatra merged commit 1163957 into develop Nov 8, 2023
33 checks passed
@AyanSinhaMahapatra AyanSinhaMahapatra deleted the update-to-spdx-3.22 branch November 8, 2023 22:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants