License Metadata

Software we package is always licensed and there are two places where thelicenses are recorded in a package:

• Thelicense array field in the package metadata, as specified in the PKGBUILD file
• Copies of the license text contained in the package, usually under<prefix>/share/licenses/<real-package-name>/*. In some cases packages install their license files in different places though.

Guidelines for Specifying License Metadata

The license array field

• Values starting withspdx: areSPDX license expressions. Example:('spdx:GPL-2.0-or-later')
• Multiple values starting withspdx: are treated as if they are combined withOR. Example:('spdx:LGPL-2.1-only', 'spdx:MPL-1.1') is the same as('LGPL-2.1-only OR MPL-1.1')
• Mixing of spdx values and other values is undefined
• Values not starting withspdx: or starting withcustom: follow the Arch Linux rules.
• In case of a split package each package can have a different license field depending on the package content. The global license field is inherited by each split package but can be overridden there.

The license text files

In case the package provides one or more license text files, they can beinstalled to<prefix>/share/licenses/<real-package-name>/*.real-package-name is the package name without the environment specific prefix,so in case ofmingw-w64-ucrt-x86_64-meson it is justmeson. Example:/ucrt64/share/licenses/meson/COPYING

These guidelines are inspired by

• https://www.python.org/dev/peps/pep-0639/#advanced-example
• https://getcomposer.org/doc/04-schema.md#license

Differences compared to Arch Linux

Seehttps://wiki.archlinux.org/title/PKGBUILD#license

• Arch Linux doesn't use SPDX identifiers, but manages its own license list in alicenses package. This list is not very exhaustive and is missing various variants of common licenses such asGPL-2.0-or-later vsGPL-2.0-only.
• Everything else is prefixed withcustom:, e.g.custom:name of license.
• It's unclear (does anyone know?) if multiple licenses mean that the package is available under either license or you must comply with both licenses.

Given the above shortcomings we use our own rules inspired by other packagingsystems.

FAQ

The package includes different components with different licenses, what should I do?

Let's say the package source is licensed underApache-2.0, there is a vendoredlibrary that is licenses underMIT, and there is documentation that islicensed underCC-BY-4.0.

You can set the license field tospdx:Apache-2.0 AND MIT AND CC-BY-4.0.

In case the documentation is split out into a separate package then you can usespdx:Apache-2.0 AND MIT for the main package andspdx:CC-BY-4.0 for thedocumentation package.

How can I specify a custom license in an SPDX expression that is not on the SPDX license list?

You can define your own license ID with the following formatLicenseRef-<idstring> whereidstring is allowed to contain[A-Za-z0-9.-].For example:LicenseRef-my-special-license

The projects is licensed underGPL-2.0-or-later and only advertises that but containsMIT andBSD code as well. Should I include them all?

We can't be expected to hunt down every license in every file of every project. In case the project says it'sGPL-2.0-or-later then it's fine to just use that.