Can somebody explain the semantics of SPDX when it comes to GPL licenses?
There is:
I don't understand why "Only GPL 2.0" is not expressed as GPL-2.0 and "GPL 2.0 or later" as GPL-2.0+.
Or to put it another way: why there are 2 IDs GPL-2.0-only and GPL-2.0-or-later when the "or later" logic can be expressed using + operator.
What would be the meaning of GPL-2.0-only+ or GPL-2.0-or-later+?
There is no need for a specific logic behind the names on the SPDX License List. The only requirement is that it is clear and unambiguous.
While in Release 2.0 of the SPDX Specifications the '+' indicator was used to indicate "or later versions", the Linux Foundation changed that in Release 3.0 of the SPDX Specification. They replaced it for GNU licenses with more explicit Identifiers to reflect the "this version only" or "any later version" option specific to those licenses. As such, the previously used Identifiers for those licenses are deprecated as of v3.0. (partly quoted from the above mentioned website).
The '+' indicator (for later versions) now only shows up in depreciated license identifiers. My recommendation is to always use the identifiers according to the latest specification.
The meaning of GPL-2.0-only+ or GPL-2.0-or-later+ are undefined, because it appears to mix up V2 and V3 of the SPDX Specifications. No reasonable person would use that.
+ operator is deprecated too in v3? I missed that