Updates to snap licenses

Hi all,

Just a quick announcement that we recently modified how the license is stored internally in the Store. We now use proper SPDX-compatible license expressions for storing the license for a snap.

This means we had to migrate the license for some snaps from the (old) custom license strings the Store used to the (new) SPDX license names. This change should not have modified the license itself (i.e., the new value should still represent the same license that was defined originally for the snap).

If you have any concerns or doubts whether your snap was affected by this, please go to the Snapcraft Dashboard and check out if the license listed matches what it should be. In the event we may have made a mistake, this can be easily fixed by just setting the license back to the right value and saving.

2 Likes

During one of the conversations with @noise, @cprov and @niemeyer we agreed that validation of the expression would be centralized on a single codebase/linter for the store, snapd and snapcraft (or any other component) to use. Is this the case here?

We have github.com/snapcore/snapd/spdx for this in snapd. It exports spdx.ValidateLicense(expr string) - if it's helpful we can provide a snap validate-license hidden command or similar.

Oh, great, wasn’t aware this was ready! While I cannot speak for the store, we will probably need a command exposed for snapcraft to use so the command would be appreciated.

Usually the store delegates that kind of check to review-tools (cc @jdstrand)

but here the license can also be updated out of band so not sure how the store will proceed

That was going to be my counter argument for your previous message :) The store allows for metadata to be changed out of band so it would need to validate that this metadata is correct. The review tools only run against snap revisions.

The review tools would also need this command.

The store’s internal SPDX storage predates the discussion where we agreed to use a single codebase to validate SPDX. So currently (and since we implemented SPDX storage months ago) we’re using https://pypi.python.org/pypi/spdx/ for processing and validation.

Once the snap validate-license command is available we can switch to that, but remember we can’t install snapd on store app servers, so as discussed during that meeting, we’ll need a way to install only the snap command (and not as a snap itself, obviously).

Michael mentioned the snapd code base already has spdx code, so we could all go and implement our own mini-wrapper around that code, which sounds awful, so I won’t suggest it :)

1 Like
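To illustrate what validating an SPDX license expression involves wherever the metadata can be edited (including out of band), here is an added example that is not part of the thread and is not the snapd, store or pypi spdx code. The function name `ValidateExpr`, the tiny license and exception tables, and the case-sensitive operators are assumptions made for the sketch; `LicenseRef-` identifiers are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subsets for this example; the real SPDX lists are far longer.
var knownLicenses = map[string]bool{"MIT": true, "Apache-2.0": true, "GPL-3.0": true}
var knownExceptions = map[string]bool{"Classpath-exception-2.0": true}

// ValidateExpr (hypothetical name) checks identifiers, operator placement and parentheses.
func ValidateExpr(expr string) error {
	toks := strings.Fields(strings.NewReplacer("(", " ( ", ")", " ) ").Replace(expr))
	depth, prev := 0, "" // prev is the kind of the last token: "", "(", ")", op, WITH, lic, exc
	for _, t := range toks {
		operandNext := prev == "" || prev == "(" || prev == "op"
		startsOperand := t != ")" && t != "AND" && t != "OR" && t != "WITH"
		switch {
		case prev == "WITH" && !knownExceptions[t]:
			return fmt.Errorf("unknown exception %q", t)
		case prev == "WITH":
			prev = "exc"
		case startsOperand != operandNext:
			return fmt.Errorf("unexpected %q", t)
		case t == "(":
			depth, prev = depth+1, "("
		case t == ")" && depth == 0:
			return fmt.Errorf("unbalanced %q", t)
		case t == ")":
			depth, prev = depth-1, ")"
		case t == "AND" || t == "OR":
			prev = "op"
		case t == "WITH" && prev != "lic":
			return fmt.Errorf("WITH must directly follow a license id")
		case t == "WITH":
			prev = "WITH"
		case !knownLicenses[strings.TrimSuffix(t, "+")]:
			return fmt.Errorf("unknown license %q", t)
		default:
			prev = "lic"
		}
	}
	if depth != 0 || (prev != "lic" && prev != "exc" && prev != ")") {
		return fmt.Errorf("incomplete expression %q", expr)
	}
	return nil
}

func main() { fmt.Println(ValidateExpr("GPL-3.0+ OR (MIT AND Apache-2.0)")) }
```

A free-form string such as `Proprietary` is rejected as an unknown license, which is why a migration from custom strings to SPDX names needs an explicit mapping.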

What about projects that use custom licenses?

Please check Support for custom license text - #28 by roadmr for a summary of the current situation and plans.

Cheers!

1 Like