Hi, I found a problematic change in one of my packages:
https://github.com/KDE/kio-gdrive/commit/6321fda6294e3d021b7a2758c1200aa42debb021 This looks like a regression of license validity to me, because the fulfillment of §17 of the GPL was removed from the affected files, and I suspect that we don't accept standalone SPDX declarations as valid in ambiguous cases like this one... Especially when they're as confusing as "GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL", when the provided GPL-3.0-only is identical to the provided GPL-3.0-or-later, and the restriction of "only" is not reflected in any headers nor the license text for GPL-3.0-only. Finally, the intent of David Barchiesi appears to have been GPL-2+ OR GPL-3+...with "KDE e.V." restriction on forward compatibility, but this is not reflected in the provided https://github.com/KDE/kio-gdrive/commit/6321fda6294e3d021b7a2758c1200aa42debb021#diff-39989992dd1286c14401f7fd5ddc9cdf08c61ebe75659cc148678f13b75049b6 Despite the mess, it appears that the licenses will evaluate to bin:kio-gdrive as a whole being GPL-3.0-only work, but confidence in that is low if SPDX declarations do not fulfill §17 of GPL. I don't want to exploit the fact that the package is already in Debian as a way to bypass what seems like it might otherwise have been an ftpmaster reject. Thank you in advance for your comments! Nicholas
signature.asc
Description: PGP signature