[ https://issues.apache.org/jira/browse/MNG-6677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17788190#comment-17788190 ]
Peter Monks edited comment on MNG-6677 at 5/19/25 5:29 PM:
-----------------------------------------------------------

Apologies for Lazarus'ing this issue, but I just want to reinforce how important it is that SPDX License Expressions are modeled somewhere in a future version of the POM, regardless of what values may exist in {{<licenses><license>}} sub-elements.

The existing model has two fundamental issues that impact downstream tools that attempt to consume this information:
# the current sub-elements of {{<license>}} aren't validated, and there's an enormous variation in the quality of data in those sub-elements in the real world (on Maven Central and other artifact repositories)
# -in the presence of multiple {{<license>}} elements, it's impossible for downstream tooling to infer whether the conjunction between those licenses is a logical {{AND}} or a logical {{OR}} or a mix of both- This is not accurate - it's buried very deeply in the Maven docs, but it is stated that multiple blocks are to be considered a logical {{OR}} [here|https://maven.apache.org/ref/3-LATEST/maven-model/maven.html] (search for "{{license*}}" to find the relevant text). Of course the problem of dual inclusive licensing (i.e. logical {{AND}}) remains.

SPDX License Expressions elegantly solve both problems, while still providing an "escape hatch" for licenses that are not listed by SPDX themselves; the so-called {{LicenseRef}}, and (as of SPDX v3.0) {{AdditionRef}} constructs.


was (Author: pmonks):
Apologies for Lazarus'ing this issue, but I just want to reinforce how important it is that SPDX License Expressions are modeled somewhere in a future version of the POM, regardless of what values may exist in {{<licenses><license>}} sub-elements.

The existing model has two fundamental issues that impact downstream tools that attempt to consume this information:
# the current sub-elements of {{<license>}} aren't validated, and there's an enormous variation in the quality of data in those sub-elements in the real world (on Maven Central and other artifact repositories)
# in the presence of multiple {{<license>}} elements, it's impossible for downstream tooling to infer whether the conjunction between those licenses is a logical {{AND}} or a logical {{OR}} or a mix of both

SPDX License Expressions elegantly solve both problems, while still providing an "escape hatch" for licenses that are not listed by SPDX themselves; the so-called {{LicenseRef}}, and (as of SPDX v3.0) {{AdditionRef}} constructs.


> Ability to declare machine-readable license identifier for project
> ------------------------------------------------------------------
>
>                 Key: MNG-6677
>                 URL: https://issues.apache.org/jira/browse/MNG-6677
>             Project: Maven
>          Issue Type: Improvement
>          Components: POM
>    Affects Versions: 3.6.1
>            Reporter: Vladimir Sitnikov
>            Priority: Major
>             Fix For: Issues to be reviewed for 4.x
>
>
> Current model for license is something, yet it is not machine-friendly.
> Developers tend to put random data into
> {{<license><name>...</name><url>...</url>}}, and it is hard to analyze in
> automatic way.
> What if we could use SPDX license identifiers/expressions for license
> information?
> Note: currently POM allows to list multiple <license> tags, and it is not
> clear how they should be treated (and? or?). So a machine-readable field
> should probably allow for AND/OR license expressions.
> So it would be nice if there was a way to declare a machine-readable license
> tag.
> I'm not affiliated with SPDX, however OSGi use those ids:
> https://osgi.org/specification/osgi.core/7.0.0/framework.module.html#framework.module-bundle-license

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
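
For downstream tooling that has to consume today's POM model, the two points in the comment above (unvalidated {{<license>}} sub-elements, and multiple blocks read as a logical {{OR}}) can be applied mechanically, with {{LicenseRef}} as the fallback for names that do not resolve. This is an added example, not code from Maven or from any participant in this issue; the name-to-identifier table, the sample POM and the function names are constructed for illustration, and it assumes a POM that declares the standard POM 4.0.0 namespace.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed lookup (assumption): free-text <name> values -> SPDX identifiers.
# A real tool needs a far larger, curated table because <name> is not validated.
KNOWN_NAMES = {
    "apache license, version 2.0": "Apache-2.0",
    "the apache software license, version 2.0": "Apache-2.0",
    "mit license": "MIT",
    "eclipse public license 2.0": "EPL-2.0",
}

# Constructed sample POM: two recognisable names and one unlisted license.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license><name>The Apache Software License, Version 2.0</name></license>
    <license><name>MIT License</name></license>
    <license><name>Acme Internal License v1</name></license>
  </licenses>
</project>"""

def license_ref(name):
    """Build a LicenseRef-<idstring>; idstring may hold letters, digits, '.' and '-'."""
    slug = re.sub(r"[^A-Za-z0-9.]+", "-", name).strip("-")
    return "LicenseRef-" + (slug or "unknown")

def pom_to_spdx(pom_xml):
    """Return (SPDX expression or None, unresolved <name> values) for a POM."""
    # For untrusted POMs, parse with a hardened XML parser instead of plain ElementTree.
    root = ET.fromstring(pom_xml)
    ids, unresolved = [], []
    for lic in root.findall("m:licenses/m:license", POM_NS):
        name = (lic.findtext("m:name", default="", namespaces=POM_NS) or "").strip()
        spdx = KNOWN_NAMES.get(name.lower())
        if spdx is None:
            # Not resolvable: keep it visible for review and fall back to LicenseRef.
            unresolved.append(name)
            spdx = license_ref(name)
        if spdx not in ids:
            ids.append(spdx)
    # Multiple <license> blocks are joined with OR, per the Maven model docs cited above.
    # An AND relationship cannot be recovered from the POM and is never emitted here.
    return (" OR ".join(ids) if ids else None), unresolved

if __name__ == "__main__":
    print(pom_to_spdx(SAMPLE_POM))
```

The list of unresolved names is the part to route to a human reviewer, since a {{LicenseRef}} only records that a license exists, not what its terms are.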