-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SPDX dual-license inconsistency #2039
Comments
I'd prefer to just remove that clause about multiple licenses. I'm already a little uncomfortable referencing a somewhat-obscure spec and sidestepping the problem altogether would be nice. |
To add additional motivation I went to a talk yesterday about fossology and my takeaway from that was, that what you should do as a good citizen is basically to conform to a SPDX tag, to make the license scanners happy. The person I talked to also recommended sprinkling the top of every source file with them, like this:
|
I'm also in favor of following SPDX more closely. |
Rust itself is dual licensed, and this encourages MIT/Apache-2.0 in the ecosystem, so it's not a fringe use case. |
@alexcrichton SPDX isn't exactly "obscure" — it's the Linux Foundation sponsored spec for licensing information, and npm uses it for one (there are probably a bunch of others) |
I’m in favor of warning for Rust’s own license is an |
@SimonSapin I think before we can really push for widespread adoption of SPDX in the Rust ecosystem there should be a fully featured SPDX license parser in Rust. The one used for crates.io is missing support for parens. |
I too would like to see a push toward following SPDX more closely and additional tooling related to licensing (although that may not be a cargo concern directly). In my case, I am working on embedded systems where we actually distribute devices with code to users. For cases like this (as opposed to just operating a service accessed via the web), it is important that we be able to correctly report the license information for all packages requiring that we do so. SPDX provides a standard for reporting this information and I think it makes sense to follow it. In addition...
I think user's should be encouraged to include a pointer to the license file even in cases where the license is standard (of course in addition to the license field). If you look at the MIT license, for instance, note the text that in addition to the license notice itself that the copyright notice be included. The copyright notice can probably only be included if the actual license file is included. |
I'd like to see this improved as well, so that a standard SPDX parser can process the entire license field, rather than having to split it on '/' first and treat that as OR. |
I was looking into code for this a few weeks back. It seems like we could transition to this the same way the transition to forbidding "*" versions on crates.io worked:
|
What a shame. Reference: rust-lang/cargo#2039
|
Looks like it grew one in rust-lang/crates.io@1cee6d8c (rust-lang/crates.io#473) with the Cargo side in f697b8c (#3301). We'd probably have to add a new structured field for license warnings (like we did for badges in #3546). |
This particular wrinkle may be related to #3537. |
@posborne: Does a license file need to referenced in metadata , though? There may be multiple license files, each copy may be in a different language, etc. It’s a can of worms and something better suited for human processing rather than automation. I propose to remove this field and stick with SPDX expressions in the metadata, accompanied with proper documentation on e.g. licensing, in a manner to be settled by projects themselves. |
@sanmai-NL I understand your point. One of the main reasons I see for including the license file (even for packages using a defined license) is that the LICENSE file will typically (almost universally based on templates) also include the copyright notice for the package. Including this copyright notice is a requirement of many licenses. The author information may be the same as the copyright notice or it may not. |
As there hasn't been any activity here in over 6 months I've marked this as stale and if no further activity happens for 7 days I will close it. I'm a bot so this may be in error! If this issue should remain open, could someone (the author, a team member, or any interested party) please comment to that effect? The team would be especially grateful if such a comment included details such as:
Thank you for contributing! (The cargo team is currently evaluating the use of Stale bot, and using #6035 as the tracking issue to gather feedback.) If you're reading this comment from the distant future, fear not if this was closed automatically. If you believe it's still an issue please leave a comment and a team member can reopen this issue. Opening a new issue is also acceptable! |
This issue still exists. Part of the work needs to happen in the license-exprs package. Cargo and crates.io can then use that to check it. |
So is this blocked on ehuss/license-exprs#5? |
Or something like it. We still need something to support parens and deprecation warnings. |
I'm pretty sure this should be closed for these reasons:
Ways forward IMO are:
Neither of these things seems well tracked in this repository. |
While I think this also needs handling in other repos, I do think cargo should help with this by warning if it can't parse the license field. |
@joshtriplett cargo currently does not parse the license field at all except that it must be a string, and any registry can establish any policy about what licenses are acceptable. SPDX is a crates.io specific requirement. |
Apparently there are crates.io specific requirements being enforced already, see #4840. Correct? So perhaps the fact that licenses aren't verified until the package is published is an outlier? |
@dwijnand IMO that's a mistake and the fix is to stop checking those requirements in cargo |
We have contacted all contributors to the code in `rust/` and that code is now all relicensed under the "standard Rust license" of `Apache 2.0 OR MIT`. [Due to an accident](coreos#1890), some GPLv2+ code was imported in the C side, and we're unlikely to easily change that now. Make this more official by adding the GPLv2. I'd like to go through the C code and add SPDX and possibly investigate relicensing some of the GPLv2+ code to LGPLv2+ but, not right now. For a bit more about Rust and SPDX, see [this issue](rust-lang/cargo#2039).
We have contacted all contributors to the code in `rust/` and that code is now all relicensed under the "standard Rust license" of `Apache 2.0 OR MIT`. [Due to an accident](coreos#1890), some GPLv2+ code was imported in the C side, and we're unlikely to easily change that now. Make this more official by adding the GPLv2. I'd like to go through the C code and add SPDX and possibly investigate relicensing some of the GPLv2+ code to LGPLv2+ but, not right now. For a bit more about Rust and SPDX, see [this issue](rust-lang/cargo#2039). Closes: coreos#1890
We have contacted all contributors to the code in `rust/` and that code is now all relicensed under the "standard Rust license" of `Apache 2.0 OR MIT`. [Due to an accident](coreos#1890), some GPLv2+ code was imported in the C side, and we're unlikely to easily change that now. Make this more official by adding the GPLv2. I'd like to go through the C code and add SPDX and possibly investigate relicensing some of the GPLv2+ code to LGPLv2+ but, not right now. For a bit more about Rust and SPDX, see [this issue](rust-lang/cargo#2039). Closes: coreos#1890
We have contacted all contributors to the code in `rust/` and that code is now all relicensed under the "standard Rust license" of `Apache 2.0 OR MIT`. [Due to an accident](coreos#1890), some GPLv2+ code was imported in the C side, and we're unlikely to easily change that now. Make this more official by adding the GPLv2. I'd like to go through the C code and add SPDX and possibly investigate relicensing some of the GPLv2+ code to LGPLv2+ but, not right now. For a bit more about Rust and SPDX, see [this issue](rust-lang/cargo#2039). Closes: coreos#1890
We have contacted all contributors to the code in `rust/` and that code is now all relicensed under the "standard Rust license" of `Apache 2.0 OR MIT`. [Due to an accident](#1890), some GPLv2+ code was imported in the C side, and we're unlikely to easily change that now. Make this more official by adding the GPLv2. I'd like to go through the C code and add SPDX and possibly investigate relicensing some of the GPLv2+ code to LGPLv2+ but, not right now. For a bit more about Rust and SPDX, see [this issue](rust-lang/cargo#2039). Closes: #1890 Closes: #1897 Approved by: jlebon
We have contacted all contributors to the code in `rust/` and that code is now all relicensed under the "standard Rust license" of `Apache 2.0 OR MIT`. [Due to an accident](#1890), some GPLv2+ code was imported in the C side, and we're unlikely to easily change that now. Make this more official by adding the GPLv2. I'd like to go through the C code and add SPDX and possibly investigate relicensing some of the GPLv2+ code to LGPLv2+ but, not right now. For a bit more about Rust and SPDX, see [this issue](rust-lang/cargo#2039). Closes: #1890 Closes: #1897 Approved by: jlebon
cargo supports the legacy '/' format to specify multiple licenses and the consensus is that crates.io should only accept SPDX 2.1 license expressions, but this is not enforced as of yet. see: rust-lang/cargo#2039 Signed-off-by: Gabriel Féron <gabriel.feron@here.com>
With #12235, I think this is a lot more doable. I would recommend two lints
On an edition boundary, we could even make those lints The main issue this proposed design is working around is that our list of licenses can be out of date (hence separate lints to always give some protection, using a lint instead of an error to not block people) |
According to the current SPDX spec, dual-licensing should be done as:
(Apache-2.0 OR MIT)
(and there's alsoAND
,+
andWITH
), but our manifest format says one should simply separate licences with/
without being 100% clear on whether that means an "AND" or "OR".This just seems to be an unnecessary inconsistency with the SPDX spec. Can we change the doc to encourage dual-licensing using the
(x OR y)
syntax instead?The text was updated successfully, but these errors were encountered: