Inconsistent behavior with "+" and "-or-later" modifiers.
darkobits opened this issue
Description:
Although there appears to have been a PR to add support for this, `satisfies` does not seem to handle the `+` modifier and its synonymous `-or-later` modifier consistently:
Versions Used:
spdx-satisfies: 5.0.0
spdx-correct: 3.1.0
Expected Behavior:

```js
const satisfies = require('spdx-satisfies');
satisfies('GPL-2.0', 'GPL-2.0+') //=> true
satisfies('GPL-2.0', 'GPL-2.0-or-later') //=> true
```

Actual Behavior:

```js
const satisfies = require('spdx-satisfies');
satisfies('GPL-2.0', 'GPL-2.0+') //=> true
satisfies('GPL-2.0', 'GPL-2.0-or-later') //=> false
```
I considered applying `spdx-correct` to both terms before passing them to `satisfies`, but `spdx-correct` normalizes `GPL-2.0+` to `GPL-2.0-or-later`, the case for which `satisfies` produces unexpected results.
P.S. Thank you for all the work you've done on the various `spdx-` packages, @kemitchell. 💯
@darkobits, can you reference a part of the SPDX spec that defines semantics for -or-later? I am a bit behind.
For reference: I don't suspect -or-later is a general purpose part of license expression syntax. I think it's part of specific license identifiers. I saw when SPDX did the change, but I wasn't involved in it, and don't understand it yet.
I'm just beginning to dive into this licensing space myself. 😕
The SPDX License List page makes several references to the `-or-later` modifier. Further down, under the "Deprecated License Identifiers" heading:

> Release 2.0 of the SPDX Specification introduced License Expressions that supports the ability to identify common variations of SPDX-identified licenses without the need to define each potential variation as a distinct license on the SPDX License List. This new syntax supports the ability to declare an SPDX-identified license exception using the "WITH" operator (e.g. GPL-2.0-or-later WITH Autoconf-exception-2.0), as well as the ability to use a simple "+" operator after a license short identifier to indicate "or later version". SPDX has defined a list of license exceptions to use after the "WITH" operator. As a result, a number of licenses formerly included on the SPDX License List have been deprecated, and correct usage employs the License Expression syntax as of v2.0.
This is mainly pointing out that identifiers like `GPL-2.0-with-autoconf-exception` should now be written `GPL-2.0-or-later WITH Autoconf-exception-2.0`, but it's another example of the `-or-later` usage in their documentation.
I assumed that since the latest version of `spdx-correct` behaves thusly:

```js
const correct = require('spdx-correct');

// "+" gets normalized to "-or-later" with GNU license:
correct('GPL-2.0+') //=> 'GPL-2.0-or-later'

// "+" left intact with non-GNU license:
correct('CC-BY-NC-1.0+') //=> 'CC-BY-NC-1.0+'

// "-or-later" not recognized/correctable with non-GNU license:
correct('CC-BY-NC-1.0-or-later') //=> null
```

that `-or-later`/`-only` was the "preferred" way to identify GNU licenses, but invalid on all other licenses, which is in itself slightly confusing.
So, one possibility is that there may be a discrepancy between how `spdx-correct` and `spdx-satisfies` comprehend these modifiers, as `spdx-correct` prefers the form that `spdx-satisfies` doesn't.
This is all confounded by the fact that this grammar doesn't seem to appear in the specification for identifiers, and it seems to only apply to GNU licenses.
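The inconsistency reported above (`GPL-2.0+` accepted, `GPL-2.0-or-later` rejected) and the mismatch with `spdx-correct`'s preferred spelling both come down to the two spellings never being folded into one form before comparison. The following is an added example, not code from `spdx-satisfies` or `spdx-correct`: a small normaliser that treats `X+`, `X-or-later` and `X-only` uniformly, followed by a single-identifier `satisfiesSimple` check built on it. The semantics are an assumption made for the example: the left argument is the licence the package is offered under, the right argument is the policy, and the check passes when some version permitted by the package is also accepted by the policy. It only handles single identifiers whose version is a dotted number (as the GNU identifiers are); `AND`/`OR`/`WITH` expressions are out of scope.

```javascript
// Added example; hypothetical helpers, not part of spdx-satisfies or spdx-correct.
const OR_LATER = '-or-later';
const ONLY = '-only';

// Normalise a single identifier to { base, orLater }.
//   "GPL-2.0+" and "GPL-2.0-or-later" -> { base: 'GPL-2.0', orLater: true }
//   "GPL-2.0"  and "GPL-2.0-only"     -> { base: 'GPL-2.0', orLater: false }
function normalize(id) {
  const s = id.trim();
  if (s.endsWith('+')) return { base: s.slice(0, -1), orLater: true };
  if (s.endsWith(OR_LATER)) return { base: s.slice(0, -OR_LATER.length), orLater: true };
  if (s.endsWith(ONLY)) return { base: s.slice(0, -ONLY.length), orLater: false };
  return { base: s, orLater: false };
}

// One canonical spelling ("+" form) so callers and policies can be compared
// regardless of which synonym they used.
function canonical(id) {
  const n = normalize(id);
  return n.orLater ? n.base + '+' : n.base;
}

// Split "GPL-2.0" into { family: 'GPL', version: [2, 0] }. Assumption: a
// trailing dotted numeric version; anything else is an unversioned family.
function splitVersion(base) {
  const m = /^(.+)-(\d+(?:\.\d+)*)$/.exec(base);
  return m
    ? { family: m[1], version: m[2].split('.').map(Number) }
    : { family: base, version: null };
}

// Lexicographic compare of numeric version arrays; missing parts count as 0.
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the set of versions the package permits overlaps the set of
// versions the policy accepts. Both arguments are single identifiers.
function satisfiesSimple(packageLicense, policyLicense) {
  const p = normalize(packageLicense);
  const q = normalize(policyLicense);
  const pv = splitVersion(p.base);
  const qv = splitVersion(q.base);
  if (pv.family !== qv.family) return false;
  // Unversioned identifiers (e.g. MIT): only an exact match can overlap.
  if (!pv.version || !qv.version) return p.base === q.base;
  const cmp = compareVersions(pv.version, qv.version);
  if (cmp === 0) return true;      // same base version lies in both ranges
  if (cmp < 0) return p.orLater;   // package older: its "or later" must reach the policy
  return q.orLater;                // package newer: the policy's "or later" must reach it
}

// The two cases from the issue, now answered identically.
console.log(satisfiesSimple('GPL-2.0', 'GPL-2.0+'));         // true
console.log(satisfiesSimple('GPL-2.0', 'GPL-2.0-or-later')); // true
console.log(satisfiesSimple('GPL-1.0', 'GPL-2.0-or-later')); // false
```

Running `canonical` over both arguments before handing them to any expression checker is the cheapest way to remove the spelling dependence; the version-overlap logic above is only there to show that, once normalised, "or later" on either side behaves the same way.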