Hi all,
I'm currently working on packaging cargo-deny, and it includes (a very old version) of a compressed form of the SPDX license data from https://github.com/spdx/license-list-data.
The package needs the SPDX license-list-data in a format that can be read by "askalono", and it is used to match unknown license files with licenses known to SPDX. I was able to include a new version of that data by rebuilding that compressed blob from the SPDX license-list-data on GitHub.
However, I could not determine under which license terms this data is made available. The repository for spdx/license-list-data only states that all contents are automatically generated from https://github.com/spdx/license-list-XML, which itself specifies no license for the data, either.
I assume this data is redistributable *somehow*? The documentation explains how to *use* the data for various purposes, but not which license (if any) applies to it.
Note that the existing askalono-cli package also bundles this data, which seems to have been missed during the original package review. I will apply any necessary changes both to cargo-deny (which is still being reviewed) and askalono-cli.
Fabio
On Mon, Nov 13, 2023 at 3:54 PM Fabio Valentini decathorpe@gmail.com wrote:
> Hi all,
> I'm currently working on packaging cargo-deny, and it includes (a very old version) of a compressed form of the SPDX license data from https://github.com/spdx/license-list-data.
> The package needs the SPDX license-list-data in a format that can be read by "askalono", and it is used to match unknown license files with licenses known to SPDX. I was able to include a new version of that data by rebuilding that compressed blob from the SPDX license-list-data on GitHub.
> However, I could not determine under which license terms this data is made available. The repository for spdx/license-list-data only states that all contents are automatically generated from https://github.com/spdx/license-list-XML, which itself specifies no license for the data, either.
> I assume this data is redistributable *somehow*? The documentation explains how to *use* the data for various purposes, but not which license (if any) applies to it.
> Note that the existing askalono-cli package also bundles this data, which seems to have been missed during the original package review. I will apply any necessary changes both to cargo-deny (which is still being reviewed) and askalono-cli.
I *think* SPDX's position is that anything copyrightable (created by the SPDX project) that's in https://github.com/spdx/license-list-XML is under CC0 (er, CC0-1.0). See:
https://github.com/spdx/license-list-XML/issues/1044
https://github.com/spdx/license-list-XML/issues/986
But Jilayne would have the authoritative answer :)
Richard
On Mon, Nov 13, 2023 at 10:33 PM Richard Fontana rfontana@redhat.com wrote:
> On Mon, Nov 13, 2023 at 3:54 PM Fabio Valentini decathorpe@gmail.com wrote:
> > Hi all,
> > I'm currently working on packaging cargo-deny, and it includes (a very old version) of a compressed form of the SPDX license data from https://github.com/spdx/license-list-data.
> > The package needs the SPDX license-list-data in a format that can be read by "askalono", and it is used to match unknown license files with licenses known to SPDX. I was able to include a new version of that data by rebuilding that compressed blob from the SPDX license-list-data on GitHub.
> > However, I could not determine under which license terms this data is made available. The repository for spdx/license-list-data only states that all contents are automatically generated from https://github.com/spdx/license-list-XML, which itself specifies no license for the data, either.
> > I assume this data is redistributable *somehow*? The documentation explains how to *use* the data for various purposes, but not which license (if any) applies to it.
> > Note that the existing askalono-cli package also bundles this data, which seems to have been missed during the original package review. I will apply any necessary changes both to cargo-deny (which is still being reviewed) and askalono-cli.
> I *think* SPDX's position is that anything copyrightable (created by the SPDX project) that's in https://github.com/spdx/license-list-XML is under CC0 (er, CC0-1.0). See:
> https://github.com/spdx/license-list-XML/issues/1044
> https://github.com/spdx/license-list-XML/issues/986
> But Jilayne would have the authoritative answer :)
Thank you for those links! I seem to have only looked at the spdx/license-list-data repository for existing issues, and not at spdx/license-list-XML ...
I'll wait for confirmation on the CC0-1.0 designation, and update the packages accordingly.
Fabio