The license field should validate against a list of SPDX identifiers. We should also provide an API for tool builders (including us!) to use to pull that list for use with frontend validation and select list building.
The backend storage could be a model + a fixture file to populate the db or some more static listing. Take a look at SPDX bits and see if there is something that seems easy to keep in sync.
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| api: Add SPDX endpoints | wikimedia/toolhub | main | +338 -55 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T271712 Require tools to host a valid toolinfo.json file (e.g. while upgrading from one Debian version to another) | |||
| Resolved | srishakatux | T195682 Direct tool registration | |||
| Resolved | bd808 | T273670 Add storage and API for getting a list of SPDX license identifiers |
https://github.com/spdx/license-list-data might be the right place to pull data files from.
https://gitlab.com/uniqx/spdx-license-list is a python library that collects a subset of data from https://github.com/spdx/license-list-data and presents it as a python dict. This looks like a relatively easy way to include the data and keep it updated as things change in the SPDX published data.
After re-reading https://docs.djangoproject.com/en/2.2/ref/models/fields/#choices I don't think it will be a good idea to integrate the SPDX list as a choices=... option on our Tool model. The "A new migration is created each time the order of choices changes." note is part of why, but also I don't think it will be useful to have the ~450 license identifiers embedded in our generated OpenAPI spec.
I think we can however make a custom validator class that we can connect into the model save workflow.
Change 661243 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[wikimedia/toolhub@main] api: Add SPDX endpoints
Change 661243 merged by jenkins-bot:
[wikimedia/toolhub@main] api: Add SPDX endpoints