Require SPDX

[isuruf]

This has been working well for a while now. This would be a linter failure instead of a hint.

cc @conda-forge/core

[CJ-Wright]

What is the plan to bring failing feedstocks into compliance?

[isuruf]

Nothing. Maintainers should fix them.

[beckermr]

We can propose migrations for a significant fraction of them.

[isuruf]

I'd caution against automating it because they can be wrong especially with GPL-3.0-or-later vs GPL-3.0-only.

[beckermr]

Then what do we do about the R migration? Should we ignore the linter for all of that?

[isuruf]

For R, the information is given to us by R. We can use that.

[h-vetinari]

What about those that cannot be made compatible with the current rule? Especially those that combine several licenses, or worse, have different licenses for different parts of the codebase.

Recent example I've worked on cryptography (neither AND nor OR-conjunctions between SPDX identifiers worked), suitesparse (more complicated expression).

[isuruf]

cryptography works fine as far as I can see.

[isuruf]

Can you open an issue for suitesparse?

[h-vetinari]

@isuruf: cryptography works fine as far as I can see.

I don't think it does. The linter checks every commit but doesn't reissue the warning if the warning hasn't changed (or been cleared). If you look at conda-forge/cryptography-feedstock#37 you'll see that the warning was never cleared. It would be also easy to see by just opening a new PR.

[h-vetinari]

@isuruf: Can you open an issue for suitesparse?

#1300

[jakirkham]

This is done, right? Should we close?

[beckermr]

Where is the PR?

[djhoese]

Found this while working on the HDF5 package which has its own license (apparently) so "HDF5" is listed: https://github.com/conda-forge/hdf5-feedstock

[isuruf]

@djhoese, what's the issue here?

[djhoese]

That the HDF5 package wouldn't pass the linter with its current license, right? Maybe I misunderstood this issue, but it sounded like the linter would require SPDX license identifiers including compound/combined ones. The HDF5 library doesn't fit in to that.

[isuruf]

Linter posts a comment like conda-forge/hdf5-feedstock#122 (comment) which has a link to docs https://conda-forge.org/docs/maintainer/adding_pkgs.html#spdx-identifiers-and-expressions . Docs specifically mentions HDF5.

[isuruf]

Btw, PRs are welcome to improve docs.

[djhoese]

PRs are welcome to improve docs.

Mostly just inexperience with SPDX identifiers and this was the first time running into a non-SPDX license on a conda-forge package (I'm not a maintainer of HDF5). I probably just rushed to comment and should have read more. Thanks for the info.

[isuruf]

That's totally fine. Docs become better when others bring a fresh perspective.