Copyleft "warn" will allow a license #354
Labels: bug (Something isn't working)
I find it odd how, with the default config from I would expect the default opinion for the tool to not take a stance on copyleft and let you specify individual licences to approve like normal.
Jake-Shadle added a commit that referenced this issue on Feb 21, 2024:
This PR deprecates several fields which will be removed in a future update. I'll explain in detail why below, but the TLDR is that cargo-deny surfaces several configuration options that were added because we _could_, but not necessarily because they are useful in practice.

## Licenses

### [`deny`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-and-deny-fields-optional)

This field was only added for consistency with `[bans]` but makes no sense for `[licenses]`: if a license you don't explicitly allow is used, it is implicitly denied.

### [`copyleft`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-copyleft-field-optional)

There is no reason to treat these differently from any other license; if it's not explicitly allowed it should be denied, and it just adds confusion due to the terrible default.

See: #602
See: #354

### [`allow-osi-fsf-free`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-osi-fsf-free-field-optional)

Similarly to copyleft, this field just makes no sense and was only added because the SPDX metadata allowed us to query this information.

### [`default`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-default-field-optional)

This was added so that users could just ignore/warn all their dependencies not following the set of allowed licenses, but there just isn't much value in it. Even in large projects with literally hundreds of external dependencies, the set of licenses that need to be allowed is relatively small compared to the total set of licenses in SPDX, due to the Rust ecosystem generally using only a handful of licenses, with rare exceptions.

### [`unlicensed`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-unlicensed-field-optional)

Crates that don't specify a license via `[package.license/license-file]` or have a license file in their package source are incredibly rare, and there is already a [mechanism](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-clarify-field-optional) to provide/override license information for those rare crates.

## Advisories

### Blanket

- [`vulnerability`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-vulnerability-field-optional)
- [`unmaintained`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional)
- [`unsound`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unsound-field-optional)
- [`notice`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-notice-field-optional)

There's no need to blanket handle any of these specific advisory types; there just aren't enough advisories (currently, this could change in the future) that a typical workspace will encounter that they can't be handled explicitly via `ignore`.

See: #449

### [`severity-threshold`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-severity-threshold-field-optional)

This optional field is available in rustsec advisories, but provides no real value: it's just flavor on top of a reported vulnerability and doesn't fundamentally change that it is a vulnerability, which can either be ignored or, better yet, updated to a version without the vulnerability.
Merged
### Describe the bug

When `copyleft` is set to `warn` (which is the default), all the precedence checks after point 3 in this list https://embarkstudios.github.io/cargo-deny/checks/licenses/index.html#evaluation-precedence will not be considered anymore, because `warn` is treated as `allow`: https://github.com/EmbarkStudios/cargo-deny/blob/main/src/licenses/mod.rs#L127-L138

This basically resembles this config:

### Expected behavior

I would expect `warn` to behave like `neither` from `allow-osi-fsf-free`, with an additional warning message: fall through to the next check. In theory I'd be happy to provide a PR, but I haven't looked at the code yet on how to emit a warning and continue.
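The short-circuit the report describes, as an added example that is not cargo-deny's own code: a simplified Rust model of the license evaluation precedence (explicit allow, explicit deny, copyleft, default; the `allow-osi-fsf-free` step is omitted and the step order is taken from the linked docs), with the reported `copyleft = "warn"` behaviour beside the fall-through behaviour the reporter expects. The copyleft classification and license ids are constructed.

```rust
// Added example, not cargo-deny's own code: a simplified model of the license
// evaluation precedence (allow, deny, copyleft, default). The osi-fsf step is
// omitted and the copyleft classification below is constructed.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LintLevel { Allow, Warn, Deny }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict { Allowed, Denied }

pub struct Config<'a> {
    pub allow: &'a [&'a str],
    pub deny: &'a [&'a str],
    pub copyleft: LintLevel,
    pub default: LintLevel,
}

/// Constructed classification; the real tool derives this from SPDX metadata.
fn is_copyleft(id: &str) -> bool {
    matches!(id, "GPL-3.0" | "LGPL-2.1" | "AGPL-3.0")
}

/// `default` as a final verdict: only `deny` denies, `allow` and `warn` both allow.
fn default_verdict(cfg: &Config) -> Verdict {
    if cfg.default == LintLevel::Deny { Verdict::Denied } else { Verdict::Allowed }
}

/// Reported behaviour: `copyleft = "warn"` is treated as `allow`, so the copyleft
/// step returns a final verdict and the `default` check is never reached.
pub fn evaluate_reported(cfg: &Config, id: &str) -> Verdict {
    if cfg.allow.contains(&id) { return Verdict::Allowed; }
    if cfg.deny.contains(&id) { return Verdict::Denied; }
    if is_copyleft(id) {
        return match cfg.copyleft {
            LintLevel::Deny => Verdict::Denied,
            LintLevel::Allow | LintLevel::Warn => Verdict::Allowed, // warn short-circuits
        };
    }
    default_verdict(cfg)
}

/// Expected behaviour: `warn` records a warning and falls through, so `default`
/// still decides. Returns the verdict together with any warnings emitted.
pub fn evaluate_expected(cfg: &Config, id: &str) -> (Verdict, Vec<String>) {
    let mut warnings = Vec::new();
    if cfg.allow.contains(&id) { return (Verdict::Allowed, warnings); }
    if cfg.deny.contains(&id) { return (Verdict::Denied, warnings); }
    if is_copyleft(id) {
        match cfg.copyleft {
            LintLevel::Deny => return (Verdict::Denied, warnings),
            LintLevel::Allow => return (Verdict::Allowed, warnings),
            LintLevel::Warn => warnings.push(format!("{} is a copyleft license", id)),
        }
    }
    (default_verdict(cfg), warnings)
}
```

With the default-style config (`copyleft = "warn"`, `default = "deny"`, a small `allow` list), the reported model lets a copyleft license through silently while the fall-through model warns and then denies it.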