
licenses: allow mix of multiple SPDX expressions AND multiple named/spdx licenses #454

Open
jkowalleck opened this issue Apr 29, 2024 · 2 comments

@jkowalleck
Member

jkowalleck commented Apr 29, 2024

current situation (CDX 1.6):

  • it is allowed to have EITHER one spdx license expression OR multiple named/spdx licenses. see spec
  • each license (expression/named/spdx) can have an acknowledgement - none or "declared" or "concluded". see spec

problem

the current situation does not allow the following:

  • situation A: multiple declared license ids (like in python license trove-classifiers) and one concluded expression
    • Declared spdx license id "MIT" - as set in the project manifest
    • Declared spdx license id "PostgreSQL" - as set in the project manifest
    • Declared named license "Apache Software License" - as set in the project manifest
    • License evidence from the README file: "chose the license that applies best to you: PostgreSql or MIT or Apache2"
    • Concluded spdx license expression license "(MIT OR PostgreSQL OR Apache-2.0)"
  • situation B: declared expression and concluded expression
    • Declared spdx expression "MIT OR (GPL-3.0 OR GPL-2.0)"
    • Concluded spdx expression "(GPL-3.0 OR LGPL-2.0)" - after some lawyer checked for actual applied situation (this is just an example for spec reasons, this is not a real-world law case!)
  • situation C: declared expression and concluded spdx id
    • Declared spdx expression "GPL-3.0+ OR GPL-2.0"
    • Concluded spdx id "GPL-2.0+" - after some lawyer checked for actual applied situation (this is just an example for spec reasons, this is not a real-world law case!)

request

allow the following:

  • multiple SPDX expressions at the same time
  • allow mix of SPDX expression and other licenses at the same time
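Added example, not part of the issue or of the CycloneDX project's own code: a small Python re-implementation of the rule the issue describes (an `expression` item may only appear alone) next to the requested relaxed rule, both run over a constructed encoding of situation A. It assumes the CycloneDX 1.6 JSON shape for `licenses` items (`license` objects with `id`/`name` and `acknowledgement`, or `expression` with `acknowledgement`) and is not the schema validator itself.

```python
from typing import Any
# Constructed encoding of the issue's "situation A": three declared licenses
# and one concluded SPDX expression inside a single `licenses` array.
SITUATION_A: list[dict[str, Any]] = [
    {"license": {"id": "MIT", "acknowledgement": "declared"}},
    {"license": {"id": "PostgreSQL", "acknowledgement": "declared"}},
    {"license": {"name": "Apache Software License", "acknowledgement": "declared"}},
    {"expression": "(MIT OR PostgreSQL OR Apache-2.0)", "acknowledgement": "concluded"},
]

def item_problems(item: dict[str, Any]) -> list[str]:
    """Per-item checks shared by both rules: exactly one of license/expression,
    a license object needs an id or name, acknowledgement is a known value."""
    if ("license" in item) == ("expression" in item):
        return [f"item needs exactly one of license/expression: {item}"]
    problems = []
    lic = item.get("license")
    if lic is not None and not (lic.get("id") or lic.get("name")):
        problems.append("license object needs an id or a name")
    ack = (lic or item).get("acknowledgement")
    if ack not in (None, "declared", "concluded"):
        problems.append(f"invalid acknowledgement {ack!r}")
    return problems

def check_cdx16(licenses: list[dict[str, Any]]) -> list[str]:
    """Current rule as the issue describes it: an expression item may only
    appear as the single element of the array (never beside other items)."""
    problems = [p for item in licenses for p in item_problems(item)]
    n_expr = sum("expression" in i for i in licenses)
    if n_expr and len(licenses) > 1:
        problems.append(f"{n_expr} expression(s) in an array of {len(licenses)} "
                        "items; an expression must be the sole entry")
    return problems

def check_proposed(licenses: list[dict[str, Any]]) -> list[str]:
    """Requested rule: any mix of expressions and license objects is allowed."""
    return [p for item in licenses for p in item_problems(item)]

def by_acknowledgement(licenses: list[dict[str, Any]]) -> dict[str, list[str]]:
    """What a consumer could do once the mix is allowed: keep the declared
    ids/names apart from what was concluded (e.g. after a legal review)."""
    groups: dict[str, list[str]] = {}
    for item in licenses:
        lic = item.get("license")
        ack = (lic or item).get("acknowledgement") or "unspecified"
        label = item["expression"] if lic is None else (lic.get("id") or lic["name"])
        groups.setdefault(ack, []).append(label)
    return groups
```

Running `check_cdx16(SITUATION_A)` reports the mix as a problem while `check_proposed(SITUATION_A)` accepts it, which is exactly the gap the issue describes.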
@jkowalleck
Member Author

related: CycloneDX/cyclonedx-python#826

@villaflaminio

villaflaminio commented Nov 8, 2024

I agree with the problem, especially case C.
I would like to be able to have a lawyer or some automatic mechanism review the product sbom so that I can identify which licence to "refer" to for each individual component based on my use case.
It is more than reasonable to have two licenses defined for a product, e.g. if the component is used in open source projects then the license is type A, otherwise if it is used for commercial purposes then the license is type B.
This is just an example.
And, of course, in the report I would like to avoid replacing the license expression declared by whoever produced the component in question.
One solution might be to allow to have one license expression and only one license by specifying ‘acknowledgement concluded’, but I don't know whether this would create problems elsewhere.
