Greetings, SPDX Tech Team, and congrats on 2.0! I introduced myself earlier today on spdx-legal@, where Gary encouraged me to drop a line to this list, as well.
I am an attorney in the San Francisco Bay Area, but more to the point of this list, I continue to develop open source software. For various reasons related to my own projects, I've fallen in with great people in the Node.js/JavaScript community, and I recently cobbled together an SPDX expression syntax parser in JS, which I've proposed to include in npm, the most popular JS package manager, for validation of license metadata:

https://github.com/kemitchell/spdx.js
https://github.com/npm/npm/pull/8179
https://github.com/npm/init-package-json/pull/42
https://github.com/npm/normalize-package-data/pull/61

The last of those PRs in particular may have additional links of interest, including some population studies of the current state of license metadata in the npm repository. npm is fast approaching 150,000 packages, most of which are released under academic/permissive licenses. Though the metadata guidelines for npm mention SPDX, the docs are buried and familiarity among the developer community is low. Ambiguous ("BSD", "GPL") and non-standard ("Apache License 2.0") license strings abound.

Fortunately, the bulk metadata studies, together with a quick-and-dirty, rules-based metadata correction function ...

https://github.com/kemitchell/spdx-correct.js

... were all I needed to send north of 150 automated pull requests correcting non-SPDX license strings in npm packages this week. It's been a fun project, and I feel like it's starting to get the word out. Most all the PR recipients have responded very positively, from the tiny "guy who can't believe he got a PR" to well-known, corporate-sponsored library contributors. Lots of push-button merges.

I have high hopes that, by leading the charge myself in lieu of scarce resources within the npm team itself, the Node community can avoid a situation where the repository has outpaced our ability to instill a norm of good license hygiene. That would mean a repository that never supports an expectation that figuring out licensing isn't a disaster. I still think that's possible for npm.

As soon as I felt myself taking responsibility for a better outcome, I knew I'd better get in touch with the folks behind SPDX directly. I understand from Gary that the tech team has a number of projects ongoing, and has considered the idea of publishing identified license files in various formats. My to-do list includes a Node.js script for automatically generating a license file based on package metadata, and I'd be happy to handle text-to-JSON conversion in connection with that effort. I'd also be very interested to know whether the team has published (or considered) a repository of test fixtures for checking license expression implementation consistency across language implementations.

If there are any other areas where I might contribute, please don't hesitate to let me know. In any case, I'll stay subscribed to this list, and I look forward to seeing where the group goes after 2.0.

Best,
K

--
Kyle Mitchell, attorney
San Francisco, California
+1 (415) 864 - 9913

_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
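A minimal SPDX 2.0 license-expression validator of the kind the message above describes for npm's "license" field, added here as an illustration; it is not Kyle's spdx.js or npm's own code, and the license and exception sets it checks against are constructed subsets rather than the full SPDX list.

```javascript
// Added example, not Kyle's spdx.js: a minimal SPDX 2.0 license-expression
// validator of the kind npm needs for the package.json "license" field.
// KNOWN_* are constructed subsets; a real validator loads the full SPDX list.
const KNOWN_LICENSES = new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause',
  'Apache-2.0', 'GPL-2.0', 'GPL-3.0', 'LGPL-2.1', 'MPL-2.0']);
const KNOWN_EXCEPTIONS = new Set(['Classpath-exception-2.0', 'LLVM-exception']);
const KEYWORDS = new Set(['(', ')', 'AND', 'OR', 'WITH']);
const REF_RE = /^(DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+$/;
// Tokens: parentheses, idstrings with an optional trailing '+', and any other
// non-space character, so stray punctuation reaches the parser as an error.
function tokenize(src) {
  return src.match(/\(|\)|[A-Za-z0-9.:-]+\+?|\S/g) || [];
}
// Recursive descent; precedence from loosest to tightest is OR, AND, WITH.
function parseExpression(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const peek = () => tokens[pos], next = () => tokens[pos++];
  const fail = (msg) => { throw new SyntaxError(msg); };
  function simple() {
    const t = next();
    if (t === '(') {
      const inner = orExpr();
      return next() === ')' ? inner : fail('missing )');
    }
    if (t === undefined || KEYWORDS.has(t)) fail('unexpected ' + t);
    const plus = t.endsWith('+'), license = plus ? t.slice(0, -1) : t;
    if (!KNOWN_LICENSES.has(license) && !REF_RE.test(license)) fail('unknown license ' + license);
    const node = { license, plus };
    if (peek() === 'WITH') { next(); node.exception = KNOWN_EXCEPTIONS.has(peek()) ? next() : fail('bad exception'); }
    return node;
  }
  function andExpr() {
    let left = simple();
    while (peek() === 'AND') { next(); left = { conjunction: 'and', left, right: simple() }; }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (peek() === 'OR') { next(); left = { conjunction: 'or', left, right: andExpr() }; }
    return left;
  }
  const tree = orExpr();
  if (pos !== tokens.length) fail('trailing input: ' + tokens.slice(pos).join(' '));
  return tree;
}
// Validation entry point: true only for a complete, well-formed expression.
function isValidSpdx(src) {
  try { parseExpression(src); return true; } catch (e) { return false; }
}
```

The non-standard strings the message mentions ("BSD", "GPL", "Apache License 2.0") all fail this check, which is the point at which a rules-based correction step would be applied before publishing.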
