SPDX and Non SPDX License Support (Technical Steering Committee) #3949
Description
I am referencing dialog and a possible solution for the package.json's license property. Recent changes to the requirements of the package.json imposed by NPM require the use of SDPX licenses while excluding non-SPDX licenses from the manifest. This has hit a nerve with a number of developers in the references identified below.
Alternatives have been proposed (including what follows below). The proposed solutions ensure the inclusion of the license type in the metadata in a way that is agnostic while enabling SPDX validation.
At this point, if a non-SPDX license is used it must be excluded from the package.json with a reference that is of no help for developers or search tools. License discovery is an important issue for all developers that work with node and for tooling that extends beyond NPM.
Further, the form of language NPM has put forward to manage non-SPDX licenses is ambiguous – even to people that speak english as a first language. Consider the following:
"license": "SEE LICENSE IN LICENSE"
NPM does not appear interested in evolving to a solution that is agnostic to the type of license. This feels unilateral. We are presently forced to produce license strings that degrade the quality of the metadata.
The solution put in place by NPM for the license property is inadequate. It forces developers to look outside the manifest to when a license is not classified within SPDX. To be clear, several open and closed source licenses fall outside SPDX. This is not a debate about open or closed licenses or license preferences.
This issue was opened as #10479 npm/npm#10479 and closed again without an appropriate resolution.
I am requesting the Node Technical Steering Committee fully examine this issue to bring an appropriate focus and solution that is neutral and properly considered.
The last issue filed concerning the license field and SPDX follows:
I am opening this issue that was closed while discussion was ongoing for an appropriate solution to #8918. Discussion has been ongoing for months over this in #8918 as well as #8291, #8557, #8773, #8795 so it has touched a nerve. I urge NPM to listen and collaborate for an appropriately considered solution that will work for everyone.
The latest solution recommended is as follows that has the following benefits:
- backwards compatible
- may be validated with SPDX
- is open and inclusive
- may be validated against other possible license databases/registries in future ie. XYZ('Apple Software License')
- may use "OR" on non SPDX licenses if "license" property cannot be a list
- may emit a warning if it detects SPDX licenses that ought to be enclosed in SPDX()
Valid SPDX licenses
"license": "SPDX(MIT)"
"license": "SPDX(ISC OR GPL-3.0)"
Non SPDX licenses
"license": "Oculus VR Inc. Software Development Kit License"
"license": "Artistic 2.0 OR StrongLoop Subscription Agreement"
"license": "WTFPL"
May Emit Warning
Backwards compatible but a SPDX License.
"license": "MIT"
My recommendation is to inform NPM users of the change of the license property and give module developers some time before driving everyone crazy with SPDX warnings as has been done when you imposed it. Perhaps blog about the change first to allow voluntary revisions until a certain date where warnings could be emitted. One way or the other, I urge you to engage users before disturbing software and build systems with noise.
I have not heard anyone come out against SPDX, only the way you have chosen to implement it that is not backwards compatible to about 5 years of data, excludes non SPDX licenses from package metadata, and creates a non standard SPDX description of "SEE LICENSE IN" that makes the language of the metadata awkward. ie.
"license": "SEE LICENSE IN LICENSE"
Metadata is a source of truth and these type of phrases are meaningless and only require more investigation into a repo or package.