An elaboration of concepts proposed in this issue.
Many(/most?) licenses do not adhere to a strict total compatibility ordering; for example, one license may be more strict than another in one regard but less strict in another. This imposes some design constraints on our mechanism for checking compatibility between a package checkout and its dependency:
- There is a shared, static set of licenses corresponding to valid SPDX identifiers.
- There will be a shared set of requirements that all licenses impose.
- Each license declares a set of ⊂ or ⊃ "compatibility" relationships to other licenses along the relevant "requirement" axes.
  - This is to say: each ⊂ or ⊃ corresponds to exactly one requirement.
- Each package checkout declares at most one license.
- Each package checkout consumes each of its dependencies in a particular manner, which activates some subset of the license
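A small model of the per-requirement ordering described above, added here as an example and not code from this issue or project. It assumes: placeholder license identifiers rather than real SPDX data, a tuple `(a, req, b)` meaning `a ⊂ b` on exactly one requirement axis (whatever `a` obliges on that axis, `b` also obliges, so code under `a` may be consumed under `b`), a hypothetical `ACTIVATES` table mapping a consumption manner to the axes it activates, and a compatibility rule that a dependency passes when its license is `⊂` the consumer's license on every activated axis.

```python
from collections import defaultdict
from enum import Enum


class Req(Enum):
    """Shared set of requirements every license is measured against (assumed names)."""
    ATTRIBUTION = "attribution"
    SHARE_ALIKE = "share-alike"
    PATENT_GRANT = "patent-grant"


# Constructed placeholder identifiers; a real table would hold SPDX identifiers.
LICENSES = {"LIC-A", "LIC-B", "LIC-C"}

# Each entry declares a ⊂ b on one requirement axis; the relation is not a total order:
# LIC-C is looser than LIC-A on share-alike but stricter on attribution.
SUBSET_EDGES = {
    ("LIC-A", Req.ATTRIBUTION, "LIC-B"),
    ("LIC-B", Req.ATTRIBUTION, "LIC-C"),
    ("LIC-A", Req.SHARE_ALIKE, "LIC-B"),
    ("LIC-C", Req.SHARE_ALIKE, "LIC-A"),
    ("LIC-A", Req.PATENT_GRANT, "LIC-C"),
}

# Consumption manner -> subset of requirement axes it activates (assumed values).
ACTIVATES = {
    "source-copy": {Req.ATTRIBUTION, Req.SHARE_ALIKE, Req.PATENT_GRANT},
    "dynamic-link": {Req.ATTRIBUTION, Req.PATENT_GRANT},
    "build-tool": {Req.ATTRIBUTION},
}

_GRAPH = defaultdict(lambda: defaultdict(set))  # req -> a -> {b : a ⊂ b on req}
for _a, _r, _b in SUBSET_EDGES:
    _GRAPH[_r][_a].add(_b)


def is_subset(a, req, b):
    """True if a ⊂ b on axis req: reflexive, transitive closure of declared edges."""
    seen, stack = {a}, [a]
    while stack:
        node = stack.pop()
        if node == b:
            return True
        for nxt in _GRAPH[req][node] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return False


def check_dependency(consumer_license, dep_license, manner):
    """Return the activated axes on which dep_license is NOT ⊂ consumer_license (empty = OK)."""
    if consumer_license not in LICENSES or dep_license not in LICENSES:
        raise ValueError("unknown license identifier")
    return sorted(r.value for r in ACTIVATES[manner]
                  if not is_subset(dep_license, r, consumer_license))
```

Because each axis is checked independently, the same pair of licenses can pass under one consumption manner and fail under another.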