Skip to content

Fix the openssl-exception-lgpl-3.0-plus primary spdx_license_key#5221

Open
sschuberth wants to merge 1 commit into
aboutcode-org:developfrom
doubleopen-io:fix-lgpl3.0plus-dashes
Open

Fix the openssl-exception-lgpl-3.0-plus primary spdx_license_key#5221
sschuberth wants to merge 1 commit into
aboutcode-org:developfrom
doubleopen-io:fix-lgpl3.0plus-dashes

Conversation

@sschuberth

Copy link
Copy Markdown
Collaborator

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Updated documentation pages (if applicable)
  • Updated CHANGELOG.rst (if applicable)

The primary `spdx_license_key` should be the more correct dashed
variant, and the other older variant should only be kept for backward
compatibility.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.io>
@sschuberth

sschuberth commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator Author

Ok, it seems that the original motivation for writing the license name like this is the "spdx_license_key must be 50 characters or less" error 😱

As that restriction seems a bit arbitrary, can we lift it?

mstykow added a commit to mstykow/provenant that referenced this pull request Jul 4, 2026
…cense keys

Upstream ScanCode enforces an arbitrary "spdx_license_key must be 50
characters or less" lint that squashed or truncated dozens of
LicenseRef-scancode-* SPDX keys (e.g.
LicenseRef-scancode-openssl-exception-lgpl3.0plus instead of the canonical
...lgpl-3.0-plus; see aboutcode-org/scancode-toolkit#5221). For the
LicenseRef-scancode namespace the identifier is by definition the license
key with the namespace prefix, so any deviation is a distortion, not a
semantic choice.

Provenant applies no length limit, so restore the canonical form at
index-build time and keep the previous value in other_spdx_license_keys
for backward compatibility. An audit of all 2733 licenses found 50 such
deviations: 49 are canonicalized by the general rule; 1
(tgc-spec-license-v2) carries an upstream typo in the license *key* while
its SPDX key is already correct (tcg), so it is exempted from the pass
(mirroring the key would regress the correct SPDX key, and renaming the
key would drop a ScanCode-compatible identifier with no alias mechanism).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
mstykow added a commit to mstykow/provenant that referenced this pull request Jul 4, 2026
…cense keys (#1223)

Upstream ScanCode enforces an arbitrary "spdx_license_key must be 50
characters or less" lint that squashed or truncated dozens of
LicenseRef-scancode-* SPDX keys (e.g.
LicenseRef-scancode-openssl-exception-lgpl3.0plus instead of the canonical
...lgpl-3.0-plus; see aboutcode-org/scancode-toolkit#5221). For the
LicenseRef-scancode namespace the identifier is by definition the license
key with the namespace prefix, so any deviation is a distortion, not a
semantic choice.

Provenant applies no length limit, so restore the canonical form at
index-build time and keep the previous value in other_spdx_license_keys
for backward compatibility. An audit of all 2733 licenses found 50 such
deviations: 49 are canonicalized by the general rule; 1
(tgc-spec-license-v2) carries an upstream typo in the license *key* while
its SPDX key is already correct (tcg), so it is exempted from the pass
(mirroring the key would regress the correct SPDX key, and renaming the
key would drop a ScanCode-compatible identifier with no alias mechanism).

Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant