-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why no license file? #1
Comments
I acknowledge that there might be some subtle legal ramifications with not having the license text with the source code. I'll happily revisit this issue at such a point that legal disputes become a real issue. |
The technique employed herein allows the license to be simply declared as a reference to a known license that is reflected in the metadata and available in PyPI and at run time. For example:
|
@jaraco So when you do not include such license text in your packages (including down to the wheels and not only the sdist) your are in a bizantyne way making every user non-licensed? unless --like I do-- you recheck and add back a license text to your packages, e.g. https://github.com/nexB/scancode-toolkit/blob/develop/thirdparty/prod/yg.lockfile.LICENSE . I end up having to go through the hoops of crafting one by guessing your intent.... Yeah! I am licensed! but millions of your users may not be properly licensed to use your wares. |
As I understand it, to be in compliance, a license must be included with each and every file. Most people accept that such an approach is generally unsustainable, so they cheat by including the license near the files and possibly (though rarely) referencing the license from each of the files. I maintain enough packages that the same sustainability problem applies to each project as well. It's for this reason that I've created a separate repository just to maintain the skeleton of the projects. To that end, I could lean on this skeleton to copy the license and ensure that it's included in wheels and installs, but even then, I'd probably still not be technically in compliance with the legal standards. The attribution and copyright would probably still need to be individually maintained. So perhaps you're right, that technically these packages appear unlicensed, but I still assert that no legal challenge to the licensing of these projects will ever come under legal scrutiny. The intention is clear and unambiguous. Even with wheel installs, the license is indicated in the package metadata, so every file affiliated with the installed package is linked explicitly to the license.
I forget in which package someone mentioned it, but I pointed out that if Python Packaging or the larger Open Source community were to come up with a way to either embed or (preferably) declare a license and tooling to manage the cascading of that license through the packaging and distribution chains, I'd be all for adopting that, but I'm not interested in doing the tedious busy work required to comply manually still to only be somewhat compliant. |
Is there anyone who seriously believes that if I (as copyright owner) were to challenge another's incorporation or use of the code in court that they couldn't use that metadata to defend their right to use the code according to the terms of the MIT license? If someone can show precedent of such a case, I'll concede and include the license text. |
@jaraco
There is no such precedent. It is just that dealing with exceptions (as in this project is MIT-licensed, but does-not-have-a-license-text) is a tad harder. And since one or more of your packages are eventually used in every python app and installation, you are at the bottom of the stack which has some consequences:
You wrote:
FWIW the MIT does not require you to copy anything in each file. A single copy of the text is enough.
And if you want a concise mention in every file, you could use this blessed approach: See https://spdx.org/sites/cpstandard/files/pages/files/using_spdx_license_list_short_identifiers.pdf
I guess this was me here: pombredanne/spdx-pypi-pep#1 So for now, I guess you can do as you like and leave your ways as they are. You are correct that we should best come with a common way that can work for everyone first. Thank you ++ for your code and for taking the time to reply here! |
What if the MIT license changes its text to something you don't agree with? As far as I know, many licenses don't version themselves. Having the actual license text guarantees that no matter what the source license changes to, you're sticking to the license in your code. |
Then I will correct the situation, and update the license to reference another resource with the intended license or maybe I'll consider bundling the license then. |
This package is licensed MIT but the original author doesn't seem to understand how to use MIT, so there is no provided license file. Since this quite prolific author is opposed to following the standard license management practices (and indeed those likely mandated by the text of the license itself) I leave here in this commit message a pointer to where numerous people have tried to convince the author to just use the license in the manner in which it was designed. No one has thus far been successful... jaraco/skeleton#1
I'm trying to use cherrypy in an embedded linux distribution for a controller board in an industrial application and that distribution will be built using the yocto/openembedded build platform. CherryPy indirectly depends on portend So I have to write a bitbake recipe to pull portend from pypi In order to write a bitbake recipe and have it run without fatal QA errors I need to provide it with a license file URL in the unpacked source tree and an md5sum of that file. Please consider reopening this issue and provide a license file. Thank you. |
That sounds to me like a defect in bitbake. Is there an option for bitbake to indicate "project doesn't bundle a license file because it more consisely links to its license" or even better for bitbake to automatically detect that the license is declared in the metadata for the package? I presume the answer is no, in part because there's no endorsed standard. And there's little motivation for someone to create a standard because the status quo is to bully every project into copying the license file into their project. So fine. I'm sufficiently bullied. I'll put the license file in the skeleton and copy it across all the projects. If it falls out of sync with the declared license, I'll leave it to the lawyers to figure it out. |
…uptools-scm#212. Jason R. Coombs (65): Set the origin date once and forget it. Add python_requires directive. Don't bother with copyright year(s). Let the repository history track the changes and copyright years. YAGNI. Include the project (for docstrings). Include Sphinx (for environments where it's not an implied provision). Include pytest-sugar for nicer test output. Rely on jaraco.packaging for loading the package metadata from the package for Sphinx. Use single-quotes to satisfy the style nazis. The requirement is no longer needed for tests. Add readthedocs yml file Move requirements for docs and testing into extras Add appveyor script for CI testing on Windows. Require tox 2.4 or later; fixes #2. Remove namespace_packages declaration, no longer needed. Use a simple build number rather than prefixing with '1.0.' Restore support for namespace package declaration, selected on a 'nspkg_technique' setting Inspired by pypa/setuptools#1059, use the preferred bdist_wheel heading. Check the docs during tests Use stages in travis to have deployment depend on success in all Python versions. Remove 'bootstrap', artifact from setuptools --add doesn't work in a list Add a license file. Fixes jaraco/skeleton#1. Remove downloads shield, no longer available. Add documentation badge. Normalize indentation in docs/conf.py Declare 'python' factor at top level Correct travis syntax reference the license file in metadata Use https Add build-docs env in tox. Run only default environment by default. To support namespace packages, Setuptools must be 31.0.1. This change is necessary with the adoption of tox-venv, which uses Python's venv, which does not install the latest setuptools by default. Need to avoid .eggs in recursing dirs. Ref pypa/setuptools-scm#212. Use tox-venv for future compatibility. Disable pytest-sugar until Teemu/pytest-sugar#133 is addressed. Bring back pytest-sugar with a minimum version to support Pytest 3.4. Save the pip cache across builds. Ref pypa/setuptools#1279. Add workaround for build failures on Python 3.7 (yaml/pyyaml#126). Run flake8 with tests. Add flake8 config to ignore common exclusions. Add comments to testing and docs extras to aid with merges. Add appveyor badge (commented). Disable RTD by default. Limit workaround to affected Python Bump minimum pytest version Add pyproject.toml declaring build dependencies. When ignoring linter warnings, document the reason. Merge https://github.com/jaraco/skeleton Drop support for Python 2.6 Feed the hobgoblins (delint). dos2unix Fix test failures by restoring working directory in fixtures. Fix test failures in checkdocs Remove setuptools plugin Use behavior from other packages dos2unix Use relative import Use packaging for version parsing Drop support for Python 2.7 and 3.4 Revert "Remove setuptools plugin" Revert "Drop support for Python 2.7 and 3.4" Update changelog Use new style classes through the lib. Revert "Use packaging for version parsing" Revert "Use behavior from other packages" Rename util to _vendor Update iter_subclasses to latest version from jaraco.classes Update one from more_itertools Update changelog
…1.4.1 David Aguilar (56): tests: add tests for pandas Series with multi indexes pandas: improve serialization for Series objects pandas: improve serialization for Series objects pandas: add more tests for pandas.Series multi-indexes tests: add enum tests demonstrating more supported use cases jsonpickle: improve serialization for non-string keys pickler: simplify _flatten_key_value_pair() jsonpickle: preserve dict order on Python3 travis: disable python3.5 for now compat: support python3.4 + 3.5 docs: update author details conf: wrap filter() in list() unpickler: use only add or append, but not both handlers: add a custom handler for array.array bson: add tests demonstrating incremental restoration datetime: use ISO format for string representation tests: add a unit test demonstrating Exceptions that take arguments pickler: document the numeric_keys keyword argument jsonpickle: add `indent` and `separators` to `encode()` tests: make sure we can skip the bson tests tests: add the Wizard tests from #92 tests: flake8 tweaks for the wizard tests tests: add a test to ensure numpy.random.random() is supported Makefile: pass flags as late as possible Makefile: fix "make tox V=1" Makefile: mention "tox" in "make help" Makefile: run tox in parallel tox: sort env-specific sections jsonpickle: python3.8 support travis: python3.8 travis: run tests serially docs: Python3.8 support requirements-dev.txt: add pytest-black and pytest-flake8 .gitignore: cleanup and ignore .eggs + docs/build Makefile: clean __pycache__ cruft .gitignore: ignore .coverage travis: set latest_py to 3.8 Revert "Finish dropping support for Python 2 (I hope)." Python 2.7 compatibility coverage: customize for jsonpickle Makefile: update for skeleton semantics requirements+setup: prepare for davvid/skeleton README.rst: document the multi-version "make tox multi=1" feature Makefile: pair down "make tox multi=1" versions to sensible versions per davvid/skeleton Makefile: improve cpu detection on macOS Makefile: document make tox mulit=1 Makefile: update tox --parallel comment tox: guard against parallel pytest coverage execution coverage: lock down to coverage 4 Revert "Prefer pytest-black to pytest-black-multipy" Makefile: clean coverage during "make tox multi=1" requirements-dev: pytest-cov requires coverage<5 Makefile: remove obsolete "check" target jsonpickle: allow importing from the source tree Makefile: update tox --parallel comment version: catch OSError for Python 3.8 importlib_metadata support Hugo (1): Fix AppVeyor typo Hugo van Kemenade (2): Spelling and capitalisation (#8) Link badge to PyPI rather than static image Jason R. Coombs (188): Generate project skeleton Remove the package from the skeleton. It has no value. Add gitignore. Make .hgignore empty - there's nothing here that's project specific. Upon further reading, hg-git supports .gitignore, so omit .hgignore. Update copyright Learning from lessons in the keyring 8.4 release (jaraco/keyring#210), always clean the build artifacts before cutting a release. Derive description, url, and namespace_packages from name Add PyPI deployment Remove duplicate provider line Add support for linking to issues and adding datestamps to changelog entries. Move Python 3.5 condition to 'on' section Update comment to reflect the Github-backed skeleton model (preferred to the generation library-backed model). Exclude the skeleton branch from testing Add badges for PyPI, downloads, and Travis-CI. Change indentation to match that which the travis tool generates when adding the password. Use shields.io, as some of these other providers seem to have gone out of business. Also add pyversions Path is now .org Update release process to use warehouse rather than legacy PyPI. Ref pypi/warehouse#1422. The name of the project need not be in the README No need for a .gitignore file; projects may want to add one, but I recommend not having one unless the project has project-specific files to ignore. Remove support for building docs, now that docs support for pypi is deprecated. I hope at some point RTD comes up with an API that once again allows automatic building of docs. Use tox instead of pytest-runner Use pkg_resources to resolve the version. Requires that the necessary package metadata have been built before building docs. Each requirement line is passed as a single parameter to pip, so you can't have a space separating the option and its value. Python Packaging -- never do with one command what you can do with two. Provide a reference to the license declaration in the readme. Fixes jaraco/skeleton#1. Use usedevelop to workaround tox-dev/tox#373 Incorporate pre-release of setuptools to cause releases to include the PEP-420 deferral. Just upgrade to released setuptools now. Exclude versions of setuptools_scm due to pypa/setuptools-scm#109. Allow passing posargs Need a later version of setuptools_scm until it's released. Update to setuptools_scm 1.15.0rc1 Gotta get an sdist - so use one jaraco built Bump to setuptools_scm 1.15.0. Update config to support building on ReadTheDocs Add note about the broken docs problem. Skip upload docs as it's deprecated anyway Remove rant about docs. If there's no link to the docs, then this is the docs. Prefer get_distribution No longer rely on the package being installed to retrieve the version. Instead, load the project name and version by invoking the setup script. Also get the URL from the project metadata Also grab the author from the package metadata Strip the trailing newline and then split on newline. Default upload URL is now in Python 3.6. Use that. setup is already present in the module name. Just call them params. Use Python 3.6 by default No longer rely on setup_requires for wheel. Add PEP substitution in changelog. Add support for Python 2.6 in docs conf Set the origin date once and forget it. Add python_requires directive. Don't bother with copyright year(s). Let the repository history track the changes and copyright years. YAGNI. Include the project (for docstrings). Include Sphinx (for environments where it's not an implied provision). Include pytest-sugar for nicer test output. Rely on jaraco.packaging for loading the package metadata from the package for Sphinx. Use single-quotes to satisfy the style nazis. The requirement is no longer needed for tests. Add readthedocs yml file Move requirements for docs and testing into extras Add appveyor script for CI testing on Windows. Require tox 2.4 or later; fixes #2. Remove namespace_packages declaration, no longer needed. Use a simple build number rather than prefixing with '1.0.' Restore support for namespace package declaration, selected on a 'nspkg_technique' setting Inspired by pypa/setuptools#1059, use the preferred bdist_wheel heading. Check the docs during tests Use stages in travis to have deployment depend on success in all Python versions. Remove 'bootstrap', artifact from setuptools --add doesn't work in a list Add a license file. Fixes jaraco/skeleton#1. Remove downloads shield, no longer available. Add documentation badge. Normalize indentation in docs/conf.py Declare 'python' factor at top level Correct travis syntax reference the license file in metadata Use https Add build-docs env in tox. Run only default environment by default. To support namespace packages, Setuptools must be 31.0.1. This change is necessary with the adoption of tox-venv, which uses Python's venv, which does not install the latest setuptools by default. Need to avoid .eggs in recursing dirs. Ref pypa/setuptools-scm#212. Use tox-venv for future compatibility. Disable pytest-sugar until Teemu/pytest-sugar#133 is addressed. Bring back pytest-sugar with a minimum version to support Pytest 3.4. Save the pip cache across builds. Ref pypa/setuptools#1279. Add workaround for build failures on Python 3.7 (yaml/pyyaml#126). Run flake8 with tests. Add flake8 config to ignore common exclusions. Add comments to testing and docs extras to aid with merges. Add appveyor badge (commented). Disable RTD by default. Limit workaround to affected Python Bump minimum pytest version Add pyproject.toml declaring build dependencies. When ignoring linter warnings, document the reason. Disable the (broken) IPv6 in Travis. Ref travis-ci/travis-ci#8361. Don't match issues if preceeded by some other indicator. skip_upload_docs is default Drop the dot; http://blog.pytest.org/2016/whats-new-in-pytest-30/ Rely on declarative config to create long_description. Remove workaround for pyyaml 126. Revert "Remove workaround for pyyaml 126." We're getting close, but Python 3.7 still requires a workaround Use xenial to include support for Python 3.7. Remove release, no longer needed. Use twine instead. Also ignore W504 in flake8, following the indication in OCA/maintainer-quality-tools that neither W503 nor W504 are worthwhile in general. Release of pyyaml 3.13 seems to have fixed install issues on Python 3.7. Block pytest 3.7.3 due to pytest-dev/pytest#3888. Move most package config to declarative config Ignore pycodestyle warning. Seems it's not going to be fixed anytime soon. Also ignore flake8 error Require setuptools 34.4 to support python_requires in declarative config. Add workaround for Teemu/pytest-sugar#159. Add black config, pre-commit including black, check code with black. Remove workaround for pytest-sugar 159, now fixed. Remove pytest-sugar plugin from standard pipelines as recommended in Teemu/pytest-sugar#159. Prefer pytest-checkdocs to collective.checkdocs Suppress deprecation warning in docutils Remove use of setup_requires. Builders now require pip 10 or later to build/install from sdist. Older installers will still install the packages from wheels. Ref tox-dev/tox#809. Revert "Remove use of setup_requires. Builders now require pip 10 or later to build/install from sdist. Older installers will still install the packages from wheels. Ref tox-dev/tox#809." Indicate build backend of setuptools Add support for cutting releases without DPL and using pep517. Rely on pep517 0.5 Add documentation on the skeleton. Fixes #5. Add workaround for DeprecationWarning in flake8 Use consistent encoding quoting in pyproject.toml Clarify purpose of local/upstream extras Suppress E117 as workaround for PyCQA/pycodestyle#836 Amend skeleton documentation to expand on the value of the approach. Remove sudo declaration in Travis config. Enable tox-pip-extensions ext_venv_update if available. Fixes jaraco/skeleton#6 Rely on tox 3.2 and pip 10 or later for all builds It adds no value to add a pip requirement for the tox install Pin to pip 19.0 for now for pypa/pip#6434. Revert "Pin to pip 19.0 for now for pypa/pip#6434." Only install and invoke pytest-black on Python 3 Use pytest-black-multipy to enable simple support for pytest-black where available. Ref pytest-dev/pytest#5272. Update skeleton documentation to reflect black adoption. Rely on twine 1.13 or later Upgrade tox and virtualenv to ensure that environments get recent pips Define passenv in tox release section. Rely on __token__ for default username. Update docs to reflect changes to deployment. Python 3 only Enable coverage reporting on project Report the lines missing coverage Ensure that a late version of pip is installed without special versions of tox-venv. Disable tox-pip-version as it interacts badly with tox-venv causing tox to use the wrong Python version to install packages and run tests. Ref pglass/tox-pip-version#20 and tox-dev/tox-venv#40. Bring back tox-pip-version now that pglass/tox-pip-version#20 is fixed. Test/release on Python 3.8 Apply black to docs/conf.py Update black version and links Expect flake8 3.6 or later and remove suppression of warnings from Flake8 prior to 3.6. Rely on pytest-checkdocs 1.2.3, eliminating workaround for docutils warning. Remove workaround for gitlab.com/PyCQA/flake8/issues/275, apparently no longer necessary. Normalize indentation Include keyring support from twine Rename 'build-docs' to simply 'docs' (matching more popular convention). Prefer 'path' to 'path.py' Cover Python 3.8 in Windows tests Update black in pre-commit and add blacken-docs. Test and release using Azure Pipelines Correct guidance on project creation. Rely on setuptools_scm 3.4 and setuptools 42. Now setup.py is optional. Remove setuptools from test environment. Finish dropping support for Python 2 (I hope). Normalize whitespace Revert "setup.cfg: let python-tag mirror python_requires" Declare pep518 build requirements. Fixes #290 Also declare the file in manifest to include it in the source dist. 👹 Feed the hobgoblins (delint). Fade to black Normalize whitespace In jsonpickle.version, reflect the version from metadata. Remove sphinxtogithub. Replace changelog headings to match tagged releases. Now release dates are injected automatically during docs builds. Replace references to jsonpickle.github.io to reference readthedocs. Remove submodules and thirdparty. Update to bionic for Travis. Correct comment about IPv6 workaround. Run on the same python as tox by default. Restore test execution on older Pythons. By default, just run tests once. Only in CI run the matrix of envs. Simplify test and development workflow based on tox. Move sqlalchemy deps back to tox. Update the bands so they're not overlapping, but key correctly into specific minor version. Add 'sqlalchemy' as a standard test and defer to 'saNN' for older versions. Don't bother testing on Python 3.4 as master doesn't and pandas tests fail. Mark tests as xfail for now. Ref #281. Suppress warnings in pytest-flake8, pytest-black, and pytest-checkdocs. Prefer pytest-black to pytest-black-multipy Test against Windows and Mac Sebastian Kriems (1): spaces, style and formatters (#4) Sebastian Pipping (2): readme: Fix syntax issue "Title underline too short" readme: Inform about security implications Vincent Fazio (1): setup.cfg: let python-tag mirror python_requires johnthagen (1): Line wrap LICENSE file layday (1): Require toml extra for setuptools_scm (#12)
In many of the projects I maintain, I'm asked to create and maintain a license file separate from the license declaration in the metadata. I'd rather not paste a license file into the source, maintain the license declaration separately, and ensure that those stay in sync. In fact many times I've seen them fall out of sync. I'd like instead to have a single point where the license is referenced and let that serve as the authoritative indication of the license under which the project is released.
To communicate this, I'm filing this ticket with the project skeleton from which many of the projects I maintain is derived.
The text was updated successfully, but these errors were encountered: