From 594a3bc993cd1d0df054ccc1ff06f5c047827fe6 Mon Sep 17 00:00:00 2001 From: Karen Arutyunov Date: Thu, 2 Jul 2020 17:06:24 +0300 Subject: Verify that package license has no scheme or 'other' scheme --- libbpkg/manifest.cxx | 18 ++++++++++++++++++ tests/manifest/testscript | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/libbpkg/manifest.cxx b/libbpkg/manifest.cxx index 4a104f4..3df1726 100644 --- a/libbpkg/manifest.cxx +++ b/libbpkg/manifest.cxx @@ -2006,7 +2006,25 @@ namespace bpkg list_parser lp (vc.first.begin (), vc.first.end ()); for (string lv (lp.next ()); !lv.empty (); lv = lp.next ()) + { + // Reserve the license schemes for the future use and only recognize + // the 'other' scheme for now, if specified. By default, the 'spdx' + // scheme is implied. + // + // Note that if the substring that precedes ':' contains the + // 'DocumentRef-' substring, then this is not a license scheme but + // the license is a SPDX License Expression (see SPDX user defined + // license reference for details). + // + size_t p (lv.find (':')); + + if (p != string::npos && + lv.find ("DocumentRef-") > p && + lv.compare (0, p, "other") != 0) + bad_value ("invalid package license scheme"); + l.push_back (move (lv)); + } if (l.empty ()) bad_value ("empty package license specification"); diff --git a/tests/manifest/testscript b/tests/manifest/testscript index a271a74..3d6b060 100644 --- a/tests/manifest/testscript +++ b/tests/manifest/testscript 
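Review bot: The `lv.find ("DocumentRef-") > p` exemption in the new loop body is looser than its comment suggests, because any value with `DocumentRef-` anywhere before the first ':' skips the scheme check. A value such as `xDocumentRef-y:anything` (constructed example) would therefore be accepted, although it is neither the 'other' scheme nor an SPDX user-defined license reference. Manifest values are supplied by package authors and the license may feed policy or compliance tooling, so consider exempting only values where the colon is followed by the SPDX form, e.g. also requiring `lv.compare (p + 1, 11, "LicenseRef-") == 0`. Separately, `other:` with nothing after the colon appears to pass this check; whether a later stage rejects it is not visible here. The enclosing function starts and ends outside the hunk.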
@@ -102,6 +102,49 @@ EOE } + : license + : + { + : no-scheme + : + $* <>EOF + : 1 + name: libfoo + version: 2.0.0 + summary: Modern C++ parser + license: MIT + EOF + + : other-scheme + : + $* <>EOF + : 1 + name: libfoo + version: 2.0.0 + summary: Modern C++ parser + license: other:proprietary + EOF + + : user-defined + : + $* <>EOF + : 1 + name: libfoo + version: 2.0.0 + summary: Modern C++ parser + license: DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2; MIT-alike + EOF + + : invalid-scheme + : + $* <>EOE != 0 + : 1 + license: custom:proprietary + EOI + stdin:2:10: error: invalid package license scheme + EOE + } + : topics : { -- cgit v1.1
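Review bot: The new `license` group has only one rejecting case (`custom:proprietary`), so the boundaries of the scheme check added in libbpkg/manifest.cxx are not pinned down. Negative cases worth adding next to `invalid-scheme` are a value where `DocumentRef-` appears only after the colon, e.g. `license: custom:DocumentRef-x` (constructed), an empty scheme such as `license: :MIT`, and a multi-entry license list whose second entry carries an unknown scheme. A case for `license: other:` with nothing after the colon would also document whether an empty name is meant to be accepted.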