Handling of SPDX 3 *-only and *-or-later
kemitchell opened this issue · comments
Does this block publishing v3.0.0?
I think so. If we don't know how to handle *-only and *-or-later identifiers, the right thing to do is still to throw.
If spdx-satisfies
will throw for those identifiers, I think spdx-correct
must also be updated so that those identifiers are not resulted from spdxCorrect('some-id')
. E.g. spdxCorrect('LGLP3')
will return 'LGPL-3.0-or-later'
, and spdxSatisfies('LGPL-3.0-or-later')
will throw, which is why I originally created the issue, #2.
spdx-correct
has been updated.
What I meant was that the new version of spdx-correct
returns 'LGPL-3.0-or-later'
for 'LGPL3'
. If you make spdx-satisfies
throw for *-only
and *-or-later
identifiers, many corrected identifiers will make spdx-satisfies
throw.
@jinwoo, yes, different versions are inconsistent as to which identifiers are valid. Some packages, like the parser, could go ahead based just on the new license list. Other packages with more semantics, like spdx-satisfied, wait on clarifications like the one @goneall was just kind enough to provide.
#5 resolves.
Thanks again, @kemitchell , for quickly fixing the issues and publishing a new NPM!
@jinwoo, I'll invite you to the org, with edit perms. Feel free to open pull requests to do what needs doing. If in doubt, just @-mention me or another member of the org.
Thanks for the invite. Joined just now.