jslicense / spdx-satisfies.js

test whether SPDX expressions satisfy licensing criteria

Home Page:https://www.npmjs.com/package/spdx-satisfies

Inconsistent behavior with "+" and "-or-later" modifiers.

darkobits opened this issue · comments

Description:

Although there appears to have been a PR to add support for this, satisfies does not seem to handle the + modifier and its synonymous -or-later modifier consistently:

Versions Used:

spdx-satisfies: 5.0.0
spdx-correct: 3.1.0

Expected Behavior:

satisfies('GPL-2.0', 'GPL-2.0+') //=> true
satisfies('GPL-2.0', 'GPL-2.0-or-later') //=> true

Actual Behavior:

satisfies('GPL-2.0', 'GPL-2.0+') //=> true
satisfies('GPL-2.0', 'GPL-2.0-or-later') //=> false

I considered applying spdx-correct to both terms before passing them to satisfies, but spdx-correct normalizes GPL-2.0+ to GPL-2.0-or-later, the case for which satisfies produces unexpected results.


P.S. Thank you for all the work you've done on the various spdx- packages, @kemitchell. 💯

@darkobits, can you reference a part of the SPDX spec that defines semantics for -or-later? I am a bit behind.

For reference: I don't suspect -or-later is a general purpose part of license expression syntax. I think it's part of specific license identifiers. I saw when SPDX did the change, but I wasn't involved in it, and don't understand it yet.

I'm just beginning to dive into this licensing space myself. 😕

The SPDX License List page makes several references to the -or-later modifier. Further down, under the "Deprecated License Identifiers" heading:

Release 2.0 of the SPDX Specification introduced License Expressions that supports the ability to identify common variations of SPDX-identified licenses without the need to define each potential variation as a distinct license on the SPDX License List. This new syntax supports the ability to declare an SPDX-identified license exception using the "WITH" operator (e.g. GPL-2.0-or-later WITH Autoconf-exception-2.0), as well as the ability to use a simple "+" operator after a license short identifier to indicate "or later version". SPDX has defined a list of license exceptions to use after the "WITH" operator. As a result, a number of licenses formerly included on the SPDX License List have been deprecated, and correct usage employs the License Expression syntax as of v2.0.

This is mainly pointing out that identifiers like GPL-2.0-with-autoconf-exception should now be written GPL-2.0-or-later WITH Autoconf-exception-2.0, but it's another example of the -or-later usage in their documentation.

I assumed that since the latest version of spdx-correct behaves thusly:

// "+" gets normalized to "-or-later" with GNU license:
correct('GPL-2.0+') //=> 'GPL-2.0-or-later'

// "+" left intact with non-GNU license:
correct('CC-BY-NC-1.0+') //=> 'CC-BY-NC-1.0+'

// "-or-later" not recognized/correctable with non-GNU license:
correct('CC-BY-NC-1.0-or-later') //=> null

that -or-later/-only was the "preferred" way to identify GNU licenses, but invalid on all other licenses, which is in itself slightly confusing.

So, one possibility is that there may be a discrepancy between how spdx-correct and spdx-satisfies comprehend these modifiers, as spdx-correct prefers the form that spdx-satisfies doesn't.

This is all confounded by the fact that this grammar doesn't seem to appear in the specification for identifiers, and it seems to only apply to GNU licenses.
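A small normalization shim illustrates the workaround discussed in this thread: map both spellings of the "or later" modifier to one canonical form before comparing identifiers, so that `GPL-2.0-or-later` and `GPL-2.0+` are treated the same way. This is an added example written for this page, not code from spdx-satisfies or spdx-correct. It assumes simple identifiers only (no `AND`, `OR` or `WITH`), that versions order as dotted numbers, and that a licence carrying `+` may be used under the stated version or any later one; that last reading of the modifier is an assumption, not something the thread establishes.

```javascript
// Added example (not spdx-satisfies' own code). Assumption: simple license
// identifiers only, no AND / OR / WITH; version is a dotted-number suffix.

// Canonicalize the two "or later" spellings and strip "-only".
function normalizeOrLater(id) {
  const s = id.trim();
  if (s.endsWith('-or-later')) return s.slice(0, -'-or-later'.length) + '+';
  if (s.endsWith('-only')) return s.slice(0, -'-only'.length);
  return s;
}

// "GPL-2.0+" -> { name: 'GPL', version: [2, 0], orLater: true }
function parseSimple(id) {
  const norm = normalizeOrLater(id);
  const orLater = norm.endsWith('+');
  const base = orLater ? norm.slice(0, -1) : norm;
  // Lazy name match so "CC-BY-NC-1.0" yields name "CC-BY-NC", version "1.0".
  const m = /^(.*?)-(\d+(?:\.\d+)*)$/.exec(base);
  if (!m) return { name: base, version: null, orLater };
  return { name: m[1], version: m[2].split('.').map(Number), orLater };
}

// Compare dotted versions element by element; missing parts count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Does the single license `license` satisfy the single criterion `criterion`?
// Assumed semantics: a "+" on the license side lets the licensee pick the
// stated version or any later one; a "+" on the criterion side accepts the
// stated version or any later one.
function simpleSatisfies(license, criterion) {
  const l = parseSimple(license);
  const c = parseSimple(criterion);
  if (l.name !== c.name) return false;
  if (l.version === null || c.version === null) {
    return normalizeOrLater(license) === normalizeOrLater(criterion);
  }
  const cmp = compareVersions(l.version, c.version);
  if (l.orLater && c.orLater) return true;   // some version satisfies both
  if (c.orLater) return cmp >= 0;            // GPL-2.0 satisfies GPL-2.0-or-later
  if (l.orLater) return cmp <= 0;            // GPL-2.0+ can be used as GPL-3.0
  return cmp === 0;                          // exact match required
}

// Constructed inputs mirroring the thread's examples.
console.log(simpleSatisfies('GPL-2.0', 'GPL-2.0+'));         // true
console.log(simpleSatisfies('GPL-2.0', 'GPL-2.0-or-later')); // true
console.log(simpleSatisfies('GPL-2.0', 'GPL-3.0-or-later')); // false
```

Running both identifiers through `normalizeOrLater` before handing them to a checker removes the spelling discrepancy between the spdx-correct output (`-or-later`) and the form spdx-satisfies handles (`+`), without changing which licences are accepted.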