Comment 1 for bug 1781267

Revision history for this message
Daniel Manrique (roadmr) wrote :

A proposal we came up with:

- The store will use the latest version of the SPDX license list from the location noted above. We will update our version on every store rollout (happens several times a week).
- Since snapds in the wild are not necessarily always in sync and up to date, there is always the possibility snapd will receive from the store a license expression with unknown (read: new) identifiers. Even having the store use snapd as the validation engine would not remove this possibility.
- So snapd could get/refresh the list of known identifiers from the store. The store will have a verbatim copy of the .json files from spdx.
- To avoid excess traffic, Bret suggested:
  1- when trying to validate a snap's license, use the local data
  2- If an unknown identifier is found in an expression, try fetching the latest data from the store, and retry the validation (which should now pass). Cache that latest data to keep the local license list updated.
  3- If the validation still fails, then it is a bogus expression; show the appropriate error.

We also need to consider the sideloading case (e.g. snapd could maybe have a cached list in the event of sideload or whatever). A problem with sideloads is that if a snap with a newish license expression is installed and snapd has no store access, it will be unable to update its expression. In this case I would suggest just saying it is an unknown license to this snapd.

In any case, snapd should have an initial, seeded list of licenses which should be updated periodically so the disconnected and infrequently-updated cases don't fall too far behind.

Let me know if this should be cross-posted in the forum for more discussion!
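The three-step validation flow proposed in the comment above (check against local data, on an unknown identifier fetch the latest list once and cache it, then retry and only then report a bogus expression), written out as an added Go example. This is not snapd's code: the `Fetcher` callback stands in for the store download, the seed identifiers and the `Example-New-1.0` identifier are constructed, and the expression tokenizer is a deliberate simplification that pools license and exception identifiers in one set.

```go
package main

import (
	"fmt"
	"strings"
)

// LicenseList is the set of SPDX identifiers currently known locally
// (the seeded list plus anything cached from later refreshes).
type LicenseList map[string]bool

// Fetcher returns the latest identifier list. In snapd this would be the
// store's verbatim copy of the SPDX .json files; here it is injected so the
// example runs offline. A nil Fetcher models the sideload / no-store case.
type Fetcher func() ([]string, error)

// Validator holds the local list and the optional refresh path.
type Validator struct {
	local LicenseList
	fetch Fetcher
}

// NewValidator seeds the local list (hypothetical constructor, not snapd's).
func NewValidator(seed []string, fetch Fetcher) *Validator {
	v := &Validator{local: LicenseList{}, fetch: fetch}
	for _, id := range seed {
		v.local[id] = true
	}
	return v
}

// unknownIdentifiers tokenizes an SPDX expression and returns identifiers
// missing from known. Operators AND/OR/WITH and parentheses are skipped and
// a trailing "+" is ignored. Simplification: exception identifiers after
// WITH are checked against the same set as license identifiers.
func unknownIdentifiers(expr string, known LicenseList) []string {
	clean := strings.NewReplacer("(", " ", ")", " ").Replace(expr)
	var missing []string
	for _, tok := range strings.Fields(clean) {
		switch strings.ToUpper(tok) {
		case "AND", "OR", "WITH":
			continue
		}
		id := strings.TrimSuffix(tok, "+")
		if !known[id] {
			missing = append(missing, id)
		}
	}
	return missing
}

// Validate applies the proposed steps. refreshed reports whether the store
// was contacted; err is non-nil when the expression is still unknown after
// the (single) refresh, or when no refresh is possible.
func (v *Validator) Validate(expr string) (refreshed bool, err error) {
	// Step 1: use the local data only.
	missing := unknownIdentifiers(expr, v.local)
	if len(missing) == 0 {
		return false, nil
	}
	// Sideload / disconnected case: report the license as unknown to this snapd.
	if v.fetch == nil {
		return false, fmt.Errorf("license %q uses identifiers unknown to this snapd: %v", expr, missing)
	}
	// Step 2: fetch the latest list once, cache it locally, retry.
	latest, ferr := v.fetch()
	if ferr != nil {
		return false, fmt.Errorf("license %q: unknown identifiers %v and refresh failed: %v", expr, missing, ferr)
	}
	for _, id := range latest {
		v.local[id] = true
	}
	missing = unknownIdentifiers(expr, v.local)
	if len(missing) == 0 {
		return true, nil
	}
	// Step 3: still unknown after a fresh list, so the expression is bogus.
	return true, fmt.Errorf("invalid license expression %q: unknown identifiers %v", expr, missing)
}

func main() {
	// Constructed data: a small seed and a store copy that knows one newer id.
	seed := []string{"MIT", "Apache-2.0", "GPL-3.0-only"}
	store := func() ([]string, error) { return append(seed, "Example-New-1.0"), nil }
	v := NewValidator(seed, store)
	for _, e := range []string{"MIT OR Apache-2.0", "(MIT AND Example-New-1.0)", "Totally-Bogus"} {
		r, err := v.Validate(e)
		fmt.Printf("%-28s refreshed=%v err=%v\n", e, r, err)
	}
}
```

The single refresh per validation is what keeps traffic bounded: a snapd that repeatedly sees a genuinely bogus expression fetches at most once per validation attempt, and a valid-but-new identifier costs one fetch and is then served from the cache.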