Skip to content

feat: licenses acknowledgement SHOULD be unique #626

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: 1.7-dev
Choose a base branch
from
Open

feat: licenses acknowledgement SHOULD be unique #626

wants to merge 4 commits into from
+36 −7

Conversation

jkowalleck
Copy link
Member

@jkowalleck jkowalleck commented Apr 14, 2025
edited
Loading

as discussed in #619

  • license acknowledgement should be be unique
  • license acknowledgement should be be unset when used if evidences

this is considered a non-breaking change,
as the introduction of the keyword "should" does not alter existing behavior, it just exp recces a preference,
which may be ignored by users if they have a good reason to do so....

RFC notice sent 2025-08-14

This RFC will be open for 4 weeks. At the end of the RFC period, the CycloneDX community will vote, by lazy consensus, to accept or reject the proposal.
RFC period end: 2025-09-11

@jkowalleck jkowalleck requested a review from a team as a code owner April 14, 2025 20:26
@jkowalleck jkowalleck changed the base branch from master to 1.7-dev April 14, 2025 20:26
@jkowalleck
Copy link
Member Author

this is the designed solution for your request, @pombredanne

@jkowalleck jkowalleck added this to the 1.7 milestone Apr 14, 2025
@jkowalleck jkowalleck changed the title feap: licenses/acknowledgement should be unique feap: licenses acknowledgement should be unique Apr 14, 2025
@jkowalleck jkowalleck changed the title feap: licenses acknowledgement should be unique feat: licenses acknowledgement should be unique Apr 14, 2025
@jkowalleck jkowalleck changed the title feat: licenses acknowledgement should be unique feat: licenses acknowledgement SHOULD be unique May 5, 2025
jkowalleck
jkowalleck commented Jun 6, 2025
View reviewed changes
@jkowalleck
Copy link
Member Author

will fix merge conflicts soon, then ask a smaller part of the community for their input, and then,
this should be go into RFC phase very soon.

@jkowalleck
Copy link
Member Author

will rebase this one ASAP, and then, the RFC phase will start.

@jkowalleck
Copy link
Member Author

ready for review.

maybe ask @swinslow for his thoughts.
maybe ask @nickvidal for his thoughts.

@jkowalleck jkowalleck added RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration request for comment labels Aug 15, 2025
@pombredanne
Copy link

@jkowalleck Since this is only advisory, I wonder if you could introduce some clarifications to support future enforcement of something stricter?

For instance rather than:

A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no more than one per license acknowledgement.

What about something more or less along these lines:

A list with a single SPDX License Expression (preferred). Alternatively, for legacy compatibility, a list of SPDX license identifiers, named licenses, or SPDX License Expressions. \nThere should be no more than one item in this list. If there are more than one item, then the conjunction of all the listed licenses applies.

@jkowalleck
Copy link
Member Author

Since this is only advisory, I wonder if you could introduce some clarifications to support future enforcement of something stricter

Plan was to keep #619 open for 2.0 -
then we can introduce breaking changes safely, and we would change the "should" to a "must" and would be good, right?

@Regul-000
Copy link

Safety aside, clear definition "Should" "Must" "Shall" shouldn't hurt too much

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
proposed core enhancement ready for review request for comment RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration
Projects
None yet
Milestone
1.7
Development

Successfully merging this pull request may close these issues.

[FEATURE]: there SHOULD be at most one "declared" and one "conclude" license per component
3 participants
@jkowalleck @pombredanne @Regul-000