In SPDX models `CreationInfo` class we have `license_list_version: Optional[Version] = None` and in the `Version` class we only have support for Major and Minor version numbers but since SPDX License List version `3.24.0` there are also patch versions used:
See also https://github.com/spdx/license-list-XML/blob/main/RELEASE-NOTES.md?plain=1#L55, this seems to be included to align with SPDX 3.0 requirements, but there is no SPDX 3.0 stable release yet and even after an SPDX 3.0 release there can be tools which still use the SPDX 2.3 models but choose to use the newer SPDX License List versions.
This is weird because:
- There is no release at https://github.com/spdx/license-list-data/releases/ which actually uses the patch version, so why introduce it which introduces extra work in the tool here and also tools downstream?
- Why not also update the tool for this version afterwards? There have been two SPDX License List releases with this patch version already.
This means in `scancode-toolkit` we would not be able to show SPDX License List versions correctly (we have to skip the patch number) unless the tool is updated accordingly. Refer: aboutcode-org/scancode-toolkit#3897
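An added example, not part of the original issue and not code from the SPDX tooling: one way a version type could accept both the two-part form and the three-part form used since `3.24.0`, writing back exactly what it read. The class name `LicenseListVersion` and its methods are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accepts "MAJOR.MINOR" and "MAJOR.MINOR.PATCH" only (ASCII digits).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?", re.ASCII)


@dataclass(frozen=True)
class LicenseListVersion:  # hypothetical name, not the project's Version class
    major: int
    minor: int
    patch: Optional[int] = None  # None: the input carried no patch component

    @classmethod
    def from_string(cls, value: str) -> "LicenseListVersion":
        match = _VERSION_RE.fullmatch(value.strip())
        if match is None:
            raise ValueError(f"not a valid license list version: {value!r}")
        major, minor, patch = match.groups()
        return cls(int(major), int(minor), None if patch is None else int(patch))

    def _key(self):
        # For ordering, a missing patch counts as 0.
        return (self.major, self.minor, self.patch or 0)

    def __lt__(self, other: "LicenseListVersion") -> bool:
        return self._key() < other._key()

    def same_release(self, other: "LicenseListVersion") -> bool:
        # "3.24" and "3.24.0" name the same release although they are
        # kept as distinct values so that serialization round-trips.
        return self._key() == other._key()

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}"
        return base if self.patch is None else f"{base}.{self.patch}"


if __name__ == "__main__":
    # Constructed sample inputs: old two-part and new three-part forms.
    for text in ("3.23", "3.24.0", "3.25.0"):
        print(text, "->", LicenseListVersion.from_string(text))
```

Keeping `patch` as `None` instead of defaulting it to 0 means an existing document that says `3.23` is not silently rewritten as `3.23.0`.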