# ADR-1036: Correct SPDX license identifiers and add missing libsvm copyright
- Status: Accepted
- Date: 2026-06-04
- Deciders: Lusoris
- Tags: license, security, supply-chain
## Context
Two classes of licensing defect were identified in the r7 review:
**SPDX identifier mismatch.** The LICENSE file (line 2) declares `SPDX short identifier: BSD-2-Clause-Patent`. All eight package manifests (the workspace Cargo.toml, bindings/rust/vmafx/Cargo.toml, and six Python pyproject.toml files) instead carry `BSD-3-Clause-Plus-Patent`, which is not an identifier on the SPDX license list. crates.io would advertise an unrecognised license expression, PyPI rejects PEP 639 uploads whose License-Expression is not a valid SPDX expression, and license-audit tooling flags such packages as carrying an unknown license.

**Missing upstream copyright in svm.cpp.** The vendored libsvm implementation in core/src/svm.cpp carries only the Netflix copyright header. The upstream libsvm BSD-3-Clause notice (Copyright (c) 2000-2019 Chih-Chung Chang and Chih-Jen Lin) is present in the paired svm.h but absent from svm.cpp. Clause 1 of BSD-3-Clause requires that redistributions of source code retain the copyright notice, the list of conditions and the disclaimer. svm.h was compliant; svm.cpp was not.
## Decision
- Replace every `license = "BSD-3-Clause-Plus-Patent"` value in the eight package manifests with `BSD-2-Clause-Patent`, matching the SPDX identifier the LICENSE file actually declares. Comments in those files that mention BSD-3-Clause-Plus-Patent as prose are updated too, to avoid future confusion.
- Prepend the verbatim libsvm BSD-3-Clause copyright block to core/src/svm.cpp, ahead of the Netflix header, matching the format used in svm.h.
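Both defects are mechanical enough to catch in CI before a publish step ever sees them. The script below is an added example, not code from the project or from the r7 review: it extracts every `license = "..."` value from a set of manifests, compares each to the SPDX short identifier declared in the LICENSE file, checks it against a small constructed subset of the SPDX license list, and flags a vendored .cpp whose paired .h carries an upstream copyright line that the .cpp lacks. The LICENSE text, manifest contents and source headers are constructed samples; the `SPDX short identifier:` phrasing is assumed from the description of LICENSE line 2 above, and the regex covers only the `license = "<id>"` form shared by Cargo.toml and PEP 639 pyproject.toml, not the older `license = { text = ... }` table form.

```python
"""Added example: cross-check manifest license fields against the LICENSE file,
and check that a vendored .cpp keeps the upstream notice its paired .h carries."""
import re
from typing import Dict, List, Optional

# Constructed subset of the SPDX license list. A production check would load the
# full list from https://spdx.org/licenses/licenses.json instead.
KNOWN_SPDX_IDS = frozenset({
    "Apache-2.0", "BSD-2-Clause", "BSD-2-Clause-Patent", "BSD-3-Clause", "MIT",
})

# `license = "<id>"` as written in Cargo.toml and PEP 639 pyproject.toml.
# `license-file = ...` and commented-out lines deliberately do not match.
LICENSE_FIELD = re.compile(r'^\s*license\s*=\s*"([^"]+)"', re.MULTILINE)
# Assumed phrasing of LICENSE line 2 (taken from the Context section above).
SPDX_SHORT_ID = re.compile(r"SPDX short identifier:\s*(\S+)")


def license_file_identifier(license_text: str) -> str:
    """Return the SPDX short identifier the LICENSE file declares."""
    match = SPDX_SHORT_ID.search(license_text)
    if match is None:
        raise ValueError("LICENSE declares no SPDX short identifier")
    return match.group(1)


def manifest_license(manifest_text: str) -> Optional[str]:
    """Return the first license = "..." value in a manifest, or None if absent."""
    match = LICENSE_FIELD.search(manifest_text)
    return match.group(1) if match else None


def audit_manifests(license_text: str, manifests: Dict[str, str]) -> List[str]:
    """One finding per defect: unknown SPDX identifier and/or mismatch with LICENSE."""
    expected = license_file_identifier(license_text)
    findings: List[str] = []
    for path, text in manifests.items():
        declared = manifest_license(text)
        if declared is None:
            findings.append(f"{path}: no license field")
            continue
        if declared not in KNOWN_SPDX_IDS:
            findings.append(f"{path}: {declared!r} is not a recognised SPDX identifier")
        if declared != expected:
            findings.append(f"{path}: declares {declared!r} but LICENSE says {expected!r}")
    return findings


def missing_upstream_notice(header_text: str, source_text: str, notice: str) -> bool:
    """True when the .h retains an upstream copyright line that the .cpp dropped."""
    return notice in header_text and notice not in source_text


# Constructed sample inputs mirroring the two defects described in Context.
SAMPLE_LICENSE = "BSD+Patent\nSPDX short identifier: BSD-2-Clause-Patent\n"
SAMPLE_MANIFESTS = {
    "Cargo.toml": '[workspace.package]\nlicense = "BSD-3-Clause-Plus-Patent"\n',
    "bindings/rust/vmafx/Cargo.toml": '[package]\nname = "vmafx"\nlicense = "BSD-2-Clause-Patent"\n',
    "ai/pyproject.toml": '[project]\nname = "ai"\nlicense = "BSD-3-Clause-Plus-Patent"\n',
}
LIBSVM_NOTICE = "Copyright (c) 2000-2019 Chih-Chung Chang and Chih-Jen Lin"
SAMPLE_SVM_H = f"/*\n * {LIBSVM_NOTICE}\n * All rights reserved.\n */\n#pragma once\n"
# Placeholder Netflix header; the real wording is not reproduced here.
SAMPLE_SVM_CPP = '/*\n * Copyright (c) Netflix, Inc.\n */\n#include "svm.h"\n'

if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_LICENSE, SAMPLE_MANIFESTS):
        print(finding)
    if missing_upstream_notice(SAMPLE_SVM_H, SAMPLE_SVM_CPP, LIBSVM_NOTICE):
        print("core/src/svm.cpp: missing libsvm copyright notice that svm.h carries")
```

Run against the sample data it reports two findings each for Cargo.toml and ai/pyproject.toml (unknown identifier, and mismatch with LICENSE) and nothing for the correctly declared bindings/rust/vmafx/Cargo.toml, then the missing svm.cpp notice. Wiring a check like this into CI, with the real SPDX list and a walk over the repository, turns the LICENSE file into the single source of truth that every manifest has to agree with.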
## Alternatives considered
| Option | Pros | Cons | Why not chosen |
|---|---|---|---|
| Update LICENSE to say BSD-3-Clause-Plus-Patent | Manifests stay unchanged | Non-SPDX identifier propagates upstream; crates.io/PyPI still reject | Wrong direction |
| Use Apache-2.0 WITH LLVM-exception | SPDX-valid | Does not match the actual license | Wrong license |
| NOLINT the crates.io publish flag | Silences warning | Does not fix the legal defect | Unacceptable |
## Consequences
- Positive: Package manifests are now SPDX-valid and match the LICENSE file; crates.io and PyPI packaging no longer advertise an unknown license identifier; svm.cpp now satisfies BSD-3-Clause clause 1 for source redistributions.
- Negative: The deny.toml `[licenses]` allow-list entry for BSD-3-Clause-Plus-Patent should be reviewed; leaving it in does not break the build.
- Neutral / follow-ups: The SPDX header comments in .c/.h files that say BSD-3-Clause-Plus-Patent are out of scope for this PR. They are not read by cargo or PyPI packaging, but SPDX-License-Identifier tags are machine-readable, and license scanners that parse them will still report an unknown identifier there. A follow-up sweep should normalise them.
## References
- r7 review findings: [r7-licensing] Cargo.toml wrong SPDX; ai/pyproject.toml wrong SPDX; svm.cpp missing libsvm copyright
- LICENSE SPDX short identifier: BSD-2-Clause-Patent (line 2)