package.json license statement not SPDX compliant

Open robertpatrick opened this issue 3 years ago • 3 comments

In package.json, the project lists its license as (BSD-3-Clause OR GPL-2.0) but according to the SPDX license page, there is no GPL-2.0 license code. It seems like it needs to be either GPL-2.0-only or GPL-2.0-or-later.

I assume it should be GPL-2.0-only but this should really be corrected.

robertpatrick, Sep 20 '22 17:09

It used to exist, but looks like they recently in 2018 "obsoleted" GPL-2.0. https://github.com/spdx/license-list-XML/blob/main/src/GPL-2.0.xml.

I don't know what it should be. Need to diff the license text with each of their versions and see which matches.

Is some tooling complaining?

davidlehn, Sep 20 '22 17:09

@davidlehn yes, we have tooling based on SPDX that processes and gives credit to third-party packages. Our tool is complaining...

robertpatrick, Sep 20 '22 19:09

According to https://spdx.org/licenses/GPL-2.0.html, it seems clear that the new code from GPL-2.0 is GPL-2.0-only.

robertpatrick, Sep 20 '22 19:09
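
The kind of check an SPDX-based license tool performs on the `license` field discussed in this thread, as an added example (not code from the project or from any participant). The `DEPRECATED` table is a hand-picked subset of the SPDX deprecated identifiers, the function names are hypothetical, and `pkg` is a constructed sample.

```javascript
// Added example: flag deprecated SPDX ids in a package.json "license" expression.
// DEPRECATED is an assumed, partial table; a real tool would load the full SPDX list.
const DEPRECATED = new Map([
  ['GPL-2.0', 'GPL-2.0-only'],
  ['GPL-2.0+', 'GPL-2.0-or-later'],
  ['GPL-3.0', 'GPL-3.0-only'],
  ['GPL-3.0+', 'GPL-3.0-or-later'],
  ['LGPL-2.1', 'LGPL-2.1-only'],
  ['LGPL-2.1+', 'LGPL-2.1-or-later'],
  ['AGPL-3.0', 'AGPL-3.0-only'],
]);

// Split into parentheses, operators and license ids. Working on whole tokens
// means "GPL-2.0" is never matched inside "GPL-2.0-only" or "LGPL-2.0-only",
// which a plain substring search-and-replace would corrupt.
function tokenize(expr) {
  return expr.match(/[()]|[^\s()]+/g) || [];
}

// Return every deprecated id in the expression with its current replacement.
function findDeprecated(expr) {
  return tokenize(expr)
    .filter((t) => DEPRECATED.has(t))
    .map((id) => ({ id, replacement: DEPRECATED.get(id) }));
}

// Rebuild the expression with deprecated ids swapped for current ones.
function rewrite(expr) {
  const out = tokenize(expr).map((t) => DEPRECATED.get(t) || t);
  return out.join(' ').replace(/\( /g, '(').replace(/ \)/g, ')');
}

// Constructed sample mirroring the license field quoted in the issue.
const pkg = JSON.parse('{"name": "example", "license": "(BSD-3-Clause OR GPL-2.0)"}');
console.log(findDeprecated(pkg.license));
console.log(rewrite(pkg.license));
```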