• Bug#1100386: licensecheck should [optionally] output SPDX-compliant lic

    From Dom Rodriguez@21:1/5 to All on Thu Mar 13 10:20:01 2025
    Package: licensecheck
    Version: 3.0.31-3

    It would be useful for `licensecheck` to output SPDX-compliant license identifiers, so that it can be used in SPDX/CycloneDX SBOMs.

    We did experiment with using ScanCode, but it was quite slow in CI, and `licensecheck` is rather speedy - perhaps this output mode could be
    done in a Unix-style pipe from the [default] tabular output in a
    pipeline processing mode?

    Happy to do some experimenting with the above approach, but also keen
    for other suggestions.

    Best regards,
    --
    Dom Rodriguez (he/him)
    Software Engineer

    Codethink Ltd

    Codethink delivers cutting edge open source design, development and
    integration services.

    https://codethink.co.uk

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonas Smedegaard@21:1/5 to All on Thu Mar 13 11:10:02 2025
    Hi Dom,

    Quoting Dom Rodriguez (2025-03-13 01:18:03)
    It would be useful for `licensecheck` to output SPDX-compliant license identifiers, so that it can be used in SPDX/CycloneDX SBOMs.

    Do you mean like this?:

    ```
    licensecheck --shortname-scheme=spdx *
    ```

    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/
    * Sponsorship: https://ko-fi.com/drjones

    [x] quote me freely [ ] ask before reusing [ ] keep private

  • From Dom Rodriguez@21:1/5 to Jonas Smedegaard on Thu Mar 13 15:30:01 2025
    Hi Jonas,

    On 13.03.2025 11:01, Jonas Smedegaard wrote:
    Hi Dom,

    Quoting Dom Rodriguez (2025-03-13 01:18:03)
    It would be useful for `licensecheck` to output SPDX-compliant license
    identifiers, so that it can be used in SPDX/CycloneDX SBOMs.

    Do you mean like this?:

    ```
    licensecheck --shortname-scheme=spdx *
    ```

    Perfect, I missed that in the docs.

    However, I note that, for example, GPLv2 licenses are reported as
    `GPL-2.0`, which is deprecated by the SPDX license list[0], which
    should - probably - be addressed.

    I can open a different bug report and close this one if that works for
    the team. I'm running `licensecheck` v3.3.9.

    [0]: https://spdx.org/licenses/

    Best regards,
    --
    Dom Rodriguez (he/him)
    Software Engineer

    Codethink Ltd

    Codethink delivers cutting edge open source design, development and
    integration services.

    https://codethink.co.uk

  • From Jonas Smedegaard@21:1/5 to All on Thu Mar 13 15:40:02 2025
    Quoting Dom Rodriguez (2025-03-13 14:48:21)
    On 13.03.2025 11:01, Jonas Smedegaard wrote:
    Quoting Dom Rodriguez (2025-03-13 01:18:03)
    It would be useful for `licensecheck` to output SPDX-compliant license
    identifiers, so that it can be used in SPDX/CycloneDX SBOMs.

    Do you mean like this?:

    ```
    licensecheck --shortname-scheme=spdx *
    ```

    Perfect, I missed that in the docs.

    However, I note that, for example, GPLv2 licenses are reported as
    `GPL-2.0`, which is deprecated by the SPDX license list[0], which
    should - probably - be addressed.

    The license fulltext itself does not cover any work, so cannot decide if
    it is -only or -or-later.

    I can open a different bug report and close this one if that works for
    the team. I'm running `licensecheck` v3.3.9.

    If you only needed what --shortname-scheme=spdx then yes, makes sense to
    close this bugreport.

    If that other issue you wanted to open another bugreport for is the
    above about GPL-3, then please first check if covered in either of bugs #1052259 or #1081421.

    You might also be interested in bug#950363 :-)


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/
    * Sponsorship: https://ko-fi.com/drjones

    [x] quote me freely [ ] ask before reusing [ ] keep private
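
Added example, not part of the thread and not licensecheck's own code: a CI triage step for the point discussed above, that a bare `GPL-2.0` is deprecated in the SPDX license list and cannot be resolved to `-only` or `-or-later` from the identifier alone. It assumes tab-separated `<file><TAB><license>` rows, as `licensecheck --machine --shortname-scheme=spdx` is expected to produce; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage SPDX short names before they go into an SBOM.
# Assumption: each input row is <file><TAB><license> and the license field
# is a single identifier (compound expressions are passed through as "ok").

# flag_spdx: read rows on stdin, write <status><TAB><file><TAB><identifier>.
#   ok        identifier passed through unchanged
#   mapped    deprecated "+" form rewritten to "-or-later" (unambiguous)
#   ambiguous deprecated bare GNU identifier; a human has to decide between
#             -only and -or-later by reading the file's own licence notice
flag_spdx() {
    awk -F '\t' '
    BEGIN {
        OFS = "\t"
        # Bare GNU identifiers deprecated by the SPDX license list.
        n = split("GPL-1.0 GPL-2.0 GPL-3.0 LGPL-2.0 LGPL-2.1 LGPL-3.0 AGPL-3.0", ids, " ")
        for (i = 1; i <= n; i++) bare[ids[i]] = 1
    }
    NF < 2 { next }                      # skip rows without a license field
    {
        id = $2
        base = id
        sub(/\+$/, "", base)             # strip a trailing "+", if any
        if (id != base && (base in bare)) print "mapped", $1, base "-or-later"
        else if (id in bare)              print "ambiguous", $1, id
        else                              print "ok", $1, id
    }'
}

# count_ambiguous: number of rows that still need manual review.
count_ambiguous() {
    flag_spdx | awk -F '\t' '$1 == "ambiguous" { c++ } END { print c + 0 }'
}

# Constructed sample rows (not real licensecheck output).
sample_report() {
    printf 'src/main.c\tGPL-2.0\n'
    printf 'src/util.c\tGPL-2.0+\n'
    printf 'lib/json.c\tMIT\n'
    printf 'COPYING\tGPL-2.0\n'
}

sample_report | flag_spdx
```

A pipeline can fail the build when `count_ambiguous` is non-zero, so a deprecated identifier is never silently guessed into the SBOM.
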
  • From Dom Rodriguez@21:1/5 to Dom Rodriguez on Wed Mar 26 11:40:01 2025
    On 26.03.2025 00:26, Dom Rodriguez wrote:
    I'll close this for now, as those other bug reports seem to -
    partially, one way or another - cover the -only/-or-later bits we need.

    Actually, looking at the Debbugs system, which I'm not /too/ familiar
    with - is there a way to close this without needing to provide a
    'Version' tag for the fixed version of `licensecheck` - this was more
    of a query than anything.

    Best regards,
    --
    Dom Rodriguez (he/him)
    Software Engineer

    Codethink Ltd

    Codethink delivers cutting edge open source design, development and
    integration services.

    https://codethink.co.uk

  • From Dom Rodriguez@21:1/5 to Jonas Smedegaard on Wed Mar 26 11:40:01 2025
    On 13.03.2025 15:29, Jonas Smedegaard wrote:
    Quoting Dom Rodriguez (2025-03-13 14:48:21)
    On 13.03.2025 11:01, Jonas Smedegaard wrote:
    Quoting Dom Rodriguez (2025-03-13 01:18:03)
    It would be useful for `licensecheck` to output SPDX-compliant license
    identifiers, so that it can be used in SPDX/CycloneDX SBOMs.

    Do you mean like this?:

    ```
    licensecheck --shortname-scheme=spdx *
    ```

    Perfect, I missed that in the docs.

    However, I note that, for example, GPLv2 licenses are reported as
    `GPL-2.0`, which is deprecated by the SPDX license list[0], which
    should - probably - be addressed.

    The license fulltext itself does not cover any work, so cannot decide if
    it is -only or -or-later.

    I can open a different bug report and close this one if that works for
    the team. I'm running `licensecheck` v3.3.9.

    If you only needed what --shortname-scheme=spdx then yes, makes sense to
    close this bugreport.

    If that other issue you wanted to open another bugreport for is the
    above about GPL-3, then please first check if covered in either of bugs
    #1052259 or #1081421.

    You might also be interested in bug#950363 :-)

    I'll close this for now, as those other bug reports seem to -
    partially, one way or another - cover the -only/-or-later bits we need.

    Thanks for your help on this, Jonas - I spent a long time implementing
    ScanCode for this project, only to find it was too slow on CI - and
    naturally, Perl is perfect for this kind of text processing.

    Best regards,
    --
    Dom Rodriguez (he/him)
    Software Engineer

    Codethink Ltd

    Codethink delivers cutting edge open source design, development and
    integration services.

    https://codethink.co.uk

  • From Jonas Smedegaard@21:1/5 to All on Wed Mar 26 17:00:02 2025
    Quoting Dom Rodriguez (2025-03-26 01:30:09)
    On 26.03.2025 00:26, Dom Rodriguez wrote:
    I'll close this for now, as those other bug reports seem to -
    partially, one way or another - cover the -only/-or-later bits we need.

    Actually, looking at the Debbugs system, which I'm not /too/ familiar
    with - is there a way to close this without needing to provide a
    'Version' tag for the fixed version of `licensecheck` - this was more
    of a query than anything.

    Yes, adding pseudo-header "Version:" is recommended but not mandatory:
    Just send an email to 1100386-done@bugs.d.o with a notice why it is
    closed.

    Thanks!

    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/
    * Sponsorship: https://ko-fi.com/drjones

    [x] quote me freely [ ] ask before reusing [ ] keep private