[ISSUE] Amiguity of multi-license notation

[ISSUE] Amiguity of multi-license notation

[HiPhish]

[-- Attachment #1: Type: text/plain, Size: 1070 bytes --]

New issue by HiPhish on void-packages repository

https://github.com/void-linux/void-packages/issues/48303

Description:
If a package is released under the terms of two licenses the manual says

> Multiple licenses should be separated by commas, Example: `GPL-3.0-or-later, custom:Hugware`.

However, this does not make it clear whether *either* of the license terms apply, or whether *both* apply. An example of a package where both licenses apply is `picom` which is under the terms of both the MPL-2.0 *and* MIT licenses.

This ambiguity could be avoided by using [SPDX expressions](https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/) to combine multiple licenses. These expressions can be arbitrarily complex and cover combinations of licenses (`AND` and `OR`) as well as exceptions (`WITH`) and grouping with parentheses. In the case of picom the SPDX expression is `MPL-2.0 AND MIT`. In fact, there is an SPDX file in the repo that contains this license: https://github.com/yshui/picom/blob/197b4bd396590cb5df61eb54ec6a1dadf1115a5d/LICENSE.spdx

Re: Ambiguity of multi-license notation

[classabbyamp]

[-- Attachment #1: Type: text/plain, Size: 496 bytes --]

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1902213280

Comment:
in xbps-src and xbps, the license field is just free text so it's more a matter of adding it to [xlint](https://github.com/leahneukirchen/xtools/blob/master/xlint#L417-L431).
xlint already supports WITH (it just translates it to `,`). supporting AND and OR could be done the same way or in a more complex way to actually interpret the expression.

Re: Ambiguity of multi-license notation

[HiPhish]

[-- Attachment #1: Type: text/plain, Size: 555 bytes --]

New comment by HiPhish on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1902219826

Comment:
Updating xlint would be good, but if we want to support more complex expressions that involve parentheses it gets much more complicated. One solution would be to internally ignore any parentheses, then we only validate the individual license identifiers, but not the entire expression. Or we shell out to a dedicated validator.

And the manual should be updated to recommend SPDX expressions instead of comma.

Re: Ambiguity of multi-license notation

[0x5c]

[-- Attachment #1: Type: text/plain, Size: 693 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1936909389

Comment:
I'm not sure we truly need support for full SPDX expressions, but even the parentheses could be handled as `,` by xlint since there's no place (in xbps-src or xlint) where the code actually needs a full understanding of the licence; where there's some logic looking at the licence, it's only looking at the individual licence IDs.
In short: we could accept full expression in that field even if we don't *parse* and evaluate them properly in xlint and such

I think that's what I'm working on once I'm done updating picom and a couple other packages

Re: Ambiguity of multi-license notation

[classabbyamp]

[-- Attachment #1: Type: text/plain, Size: 251 bytes --]

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1936912638

Comment:
> even the parentheses could be handled as `,` by xlint

I think xlint should just filter parens out

Re: Ambiguity of multi-license notation

[0x5c]

[-- Attachment #1: Type: text/plain, Size: 199 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1937486483

Comment:
xlint PR https://github.com/leahneukirchen/xtools/pull/322

Re: Ambiguity of multi-license notation

[0x5c]

[-- Attachment #1: Type: text/plain, Size: 287 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1937486483

Comment:
- [ ] xlint PR https://github.com/leahneukirchen/xtools/pull/322
- [ ] update manual
- [ ] update templates that have comas in the licence field

Re: Ambiguity of multi-license notation

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-2106085476

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.

Re: Ambiguity of multi-license notation

[classabbyamp]

[-- Attachment #1: Type: text/plain, Size: 287 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/issues/48303#issuecomment-1937486483

Comment:
- [x] xlint PR https://github.com/leahneukirchen/xtools/pull/322
- [ ] update manual
- [ ] update templates that have comas in the licence field