jslicense / spdx-satisfies.js

test whether SPDX expressions satisfy licensing criteria

Home Page:https://www.npmjs.com/package/spdx-satisfies

Handling of SPDX 3 *-only and *-or-later

kemitchell opened this issue · comments

@jinwoo, there is an issue to contend with for the new, SPDX-3-compatible version of this package.

@goneall, I've read through some of the SPDX minutes, but couldn't quite pick out: Is GPL-2.0-only semantically equivalent to GPL-2.0? Is GPL-2.0-or-later semantically equivalent to GPL-2.0+?

Does this block publishing v3.0.0?

I think so. If we don't know how to handle *-only and *-or-later identifiers, the right thing to do is still to throw.

If spdx-satisfies will throw for those identifiers, I think spdx-correct must also be updated so that those identifiers do not result from spdxCorrect('some-id'). E.g. spdxCorrect('LGLP3') will return 'LGPL-3.0-or-later', and spdxSatisfies('LGPL-3.0-or-later') will throw, which is why I originally created the issue, #2.

spdx-correct has been updated.

What I meant was that the new version of spdx-correct returns 'LGPL-3.0-or-later' for 'LGPL3'. If you make spdx-satisfies throw for *-only and *-or-later identifiers, many corrected identifiers will make spdx-satisfies throw.
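An added example of the pipeline jinwoo describes above; it is not code from spdx-satisfies or spdx-correct. It uses a hypothetical stand-in correct() that covers only the thread's inputs, a constructed subset of the SPDX 2 license list, and the assumption (taken from the SPDX license list's deprecation notes, not from this thread) that an identifier X was renamed X-only and X+ was renamed X-or-later. It shows the checker throwing on a corrected SPDX-3-style identifier, and a normalisation step that makes the two tools agree.

```javascript
// Added example for this thread; it is not code from spdx-satisfies or
// spdx-correct. It models the mismatch jinwoo describes: a corrector that
// emits SPDX-3-style "-only"/"-or-later" identifiers feeding a checker that
// only knows the SPDX-2-style "X"/"X+" forms, and a normalisation step that
// lets the two agree.

// Constructed subset of the SPDX 2 license list (assumption, for the demo).
const SPDX2_IDS = new Set([
  'MIT', 'GPL-2.0', 'GPL-2.0+', 'GPL-3.0', 'GPL-3.0+', 'LGPL-3.0', 'LGPL-3.0+',
]);

// Assumption (from the SPDX license-list deprecation notes, not stated in
// this thread): "X" became "X-only" and "X+" became "X-or-later".
function toSpdx2(id) {
  if (id.endsWith('-or-later')) return id.slice(0, -'-or-later'.length) + '+';
  if (id.endsWith('-only')) return id.slice(0, -'-only'.length);
  return id;
}

function toSpdx3(id) {
  if (id.endsWith('+')) return id.slice(0, -1) + '-or-later';
  // Only versioned ids get the "-only" suffix; "MIT" stays "MIT".
  if (/-\d+(?:\.\d+)*$/.test(id)) return id + '-only';
  return id;
}

// Hypothetical stand-in for spdxCorrect(); only the thread's examples are
// covered. Returns null when it has no correction.
const CORRECTIONS = { LGPL3: 'LGPL-3.0-or-later', GPL2: 'GPL-2.0-only' };
function correct(input) {
  return Object.prototype.hasOwnProperty.call(CORRECTIONS, input)
    ? CORRECTIONS[input]
    : null;
}

// Split "GPL-2.0+" into { family: 'GPL', version: [2, 0], orLater: true }.
// Unversioned ids such as "MIT" get version null.
function parseId(id) {
  const m = /^([A-Za-z0-9.-]+?)-(\d+(?:\.\d+)*)(\+)?$/.exec(id);
  if (!m) return { family: id, version: null, orLater: false };
  return { family: m[1], version: m[2].split('.').map(Number), orLater: m[3] === '+' };
}

function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Single-identifier check against an allowlist. Like the behaviour the
// thread describes for spdx-satisfies, it throws on any identifier it does
// not recognise instead of guessing. "X+" on either side means "X or any
// later version of the same family".
function satisfiesLegacy(id, allowed) {
  for (const x of [id, ...allowed]) {
    if (!SPDX2_IDS.has(x)) throw new Error('unrecognised license identifier: ' + x);
  }
  const p = parseId(id);
  return allowed.some((a) => {
    if (a === id) return true;
    const q = parseId(a);
    if (p.family !== q.family || p.version === null || q.version === null) return false;
    if (q.orLater) return compareVersions(p.version, q.version) >= 0;
    if (p.orLater) return compareVersions(q.version, p.version) >= 0;
    return false;
  });
}

// The failure mode from the thread: feed the corrected id straight into the
// checker. Returns true when the checker throws on the unknown identifier.
function throwsWithoutNormalising(input, allowed) {
  try {
    satisfiesLegacy(correct(input), allowed);
    return false;
  } catch (e) {
    return /unrecognised license identifier/.test(e.message);
  }
}

// The fix: normalise the corrected id to the form the checker understands.
function checkCorrected(input, allowed) {
  const corrected = correct(input);
  if (corrected === null) throw new Error('no correction for ' + input);
  return satisfiesLegacy(toSpdx2(corrected), allowed);
}

console.log(throwsWithoutNormalising('LGPL3', ['LGPL-3.0'])); // true
console.log(checkCorrected('LGPL3', ['LGPL-3.0']));           // true
```

The normalisation direction is a design choice: converting to the SPDX 2 forms keeps an older checker working, while toSpdx3 is the reverse mapping you would apply once both packages accept the new list. Either way the checker keeps throwing on anything it has not been taught, which is the behaviour the thread settles on.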

@jinwoo, yes, different versions are inconsistent as to which identifiers are valid. Some packages, like the parser, could go ahead based just on the new license list. Other packages with more semantics, like spdx-satisfies, wait on clarifications like the one @goneall was just kind enough to provide.

#5 resolves.

Thanks again, @kemitchell, for quickly fixing the issues and publishing a new NPM!

@jinwoo, I'll invite you to the org, with edit perms. Feel free to open pull requests to do what needs doing. If in doubt, just @-mention me or another member of the org.

Thanks for the invite. Joined just now.