SPDX: Multiple licenses in same file

[frangio]

Flattening entire source trees into a single file is very common practice as it's an easy way of verifying contract source code. This causes a few issues with the new SPDX comments.

1. Multiple SPDX comments cause a compiler error, so the existing flattening tools will stop working unless they combine the comments into one in some smart way.
2. Different parts of the combined file may be licensed in different ways. I took a look at the SPDX documentation but couldn't understand if this situation is supported by the standard. I understand that there are license expressions that can combine multiple licenses but I'm not sure if it's okay to use that when each license applies to a different section of a file. Can you provide some guidance on this topic?

Is it possible at least to remove the compiler error if multiple equal SPDX comments are found?

[axic]

Some potential answers:

1. While we do not encourage the use of these flattening tools, they can just remove all the license statements.

2. Do not take this as legal advice! But many licenses have different regulations to source and bytecode, and are usually peculiar what applies to bytecode. If different licenses allow combining sources into a single bytecode, then usually the least permissive license takes precedence (aka applies to the resulting bytecode). It is also possible that licenses are incompatible and such projects should not have been deployed in the first place.

Basically what this means is that projects should have already been aware what is the license of the final product if they use sources with different licenses. Now they have to choose an appropriate SPDX setting based on this knowledge.

[frangio]

Thank you, that sounds reasonable.

What do you think about removing the compiler error when the multiple SPDX comments found contain exactly the same identifier?

[axic]

I think it still makes sense error out on having multiple identical identifiers, if the only realistic case this is happening is after "flattening".

[chriseth]

I agree with what @axic says. Note that flattening modifies the source code, which might already be illegal depending on the license.

[abcoathup]

Flattening appears to be the only issue.
For mixed identifiers the community will need to verify using multiple files.

Discussion in OpenZeppelin Community Forum: https://forum.openzeppelin.com/t/solidity-0-6-8-introduces-spdx-license-identifiers/2859

[lebed2045]

I think it still makes sense error out on having multiple identical identifiers, if the only realistic case this is happening is after "flattening".

because of this errors plugins like https://github.com/rkalis/truffle-plugin-verify can't simply be use without some sort of workaround. You also can't simple upload many files on etherscan if you use lots of libs from oz. Wouldn't be better to emit a warning instead of an error?

[ducquangkstn]

Before the feature so called "license" is introduced, everything was smooth.
For example, when I read a contract on etherscan, I just need to copy the code into remix or my ide and read everything.
And right now, I have to copy every single files on it or find the project (sometimes it is not available).

Flattening file helps developers a lot. Why not allow multiple licenses in a single file?
When I code golang or js code, do I have to care about license?
Is ethereum about freedom, why you create a non-sense rule for people?

[chriseth]

The license is not the only problem:

/// a.sol
struct X { uint a; }
/// b.sol
struct X { uint b; }

All the languages like go, js and Solidity have a proper module system that defines namespaces. If you flatten everything, names can clash and it just gets messy. If you are concerned about the usability of etherscan, please talk to them so that the provide a convenient multi-file download with a standard-json or metadata structure. You can also use sourcify, if you want:

Navigate to

https://repo.sourcify.dev/contracts/full_match/1/<address>

and press the arrow button on the top left to download.

The 1 is the chain ID, so you have to change that to switch to a different chain.

[ducquangkstn]

All the languages like go, js and Solidity have a proper module system that defines namespaces. If you flatten everything, names can clash and it just gets messy.

Most of the time in solidity, flattening works.

You can also use sourcify

Thanks anyway. But it is undeniable that using flatten is still more easier for reading code or verifying source code

My thinking is that you should not restrict non-technical thing. E.g:

• When a file does not have a license -> a warning is good
• When a file has multiple licenses -> an error is bad, why not a warning
• Flattening may good or bad, but you should not break compatibility between versions. These guys above are asking a way out for every parties. Why not?