modrinth/code

Verify validity of SPDX license identifiers

Closed this issue · 1 comment

Su5eD commented

Please confirm the following.

  • I checked the existing issues for duplicate feature requests
  • I have checked that this feature request is not on our roadmap

What parts of Modrinth is your feature request related to?

Modrinth.com website

Is your suggested feature related to a problem? Please describe.

I'm pulling license information for projects from Modrinth and I've noticed several projects that are using crayon licenses have incorrectly specified nonexistent SPDX license identifiers in their settings.

For example: Sodium specifies "Polyform-Shield-1.0.0" or FancyMenu has "DSMSLv3".

Modrinth's UI hint for the SPDX id field goes:

If your license does not have an official SPDX license identifier, check the box and enter the name of the license instead.

However, despite none of the above being officially recognized identifiers, Modrinth still lets you use them.

The problem that comes from this is that you cannot safely rely on the id given by the API to resolve the license name or URL, partly defeating its purpose.

Describe the solution you'd like

Modrinth should validate whether a provided SPDX identifier actually exists, for example using some of the machine-readable datasets published by SPDX.

Custom/crayon licenses should appear in the name field of the API, while id remains used strictly for licenses with a valid SPDX id.

Describe alternatives you've considered

No response

Additional context

No response

All of these start with LicenseRef-, making them valid SPDX licenses. See: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
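
A consumer-side check that covers both points raised in this thread, as an added example (not Modrinth's code and not from either participant): it looks an id up in a license list shaped like SPDX's published licenses.json and separately recognises user-defined LicenseRef- references per the SPDX 2.3 license-expression grammar. It handles single identifiers only, not compound expressions; SAMPLE_LICENSE_LIST is a constructed excerpt, and the names build_index and classify are assumptions.

```python
import json
import re

# Constructed excerpt in the shape of SPDX's licenses.json; a real check
# would load the full published file instead of this sample.
SAMPLE_LICENSE_LIST = json.loads("""
{"licenses": [
  {"licenseId": "MIT", "isDeprecatedLicenseId": false},
  {"licenseId": "Apache-2.0", "isDeprecatedLicenseId": false},
  {"licenseId": "LGPL-3.0", "isDeprecatedLicenseId": true},
  {"licenseId": "LGPL-3.0-only", "isDeprecatedLicenseId": false}
]}
""")

# SPDX 2.3 grammar: ["DocumentRef-" idstring ":"] "LicenseRef-" idstring,
# where idstring is one or more letters, digits, "-" or ".".
LICENSE_REF = re.compile(
    r"(?:DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+"
)


def build_index(license_list):
    """Map lower-cased ids to their entries (ids are matched case-insensitively)."""
    return {e["licenseId"].lower(): e for e in license_list["licenses"]}


def classify(identifier, index):
    """Return (kind, canonical_id).

    kind is 'listed', 'deprecated', 'license-ref' or 'unknown'.
    A 'license-ref' is syntactically valid but cannot be resolved to a
    name or URL from the license list, so callers need the name field.
    """
    ident = identifier.strip()
    if LICENSE_REF.fullmatch(ident):
        return ("license-ref", ident)
    entry = index.get(ident.lower())
    if entry is None:
        return ("unknown", None)
    kind = "deprecated" if entry["isDeprecatedLicenseId"] else "listed"
    return (kind, entry["licenseId"])


INDEX = build_index(SAMPLE_LICENSE_LIST)

if __name__ == "__main__":
    for raw in ("MIT", "LicenseRef-Polyform-Shield-1.0.0", "DSMSLv3"):
        print(raw, "->", classify(raw, INDEX))
```
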