-
Notifications
You must be signed in to change notification settings - Fork 719
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make license information machine readable #902
Comments
Going to close this as no one else seems to care. |
I do care about this and I do want it to be done. However, there are a lot of layers to slog through and it will unfortunately be a bit of a non-transparent process until it is closer to being done. |
Glad to hear that! Sorry for my short close comment. |
I'm suffering the same problem. On my dep is using
|
The documentation for |
Oh indeed, perfect, thanks! 👍 |
@briansmith this is unfortunate that ring has become an example of |
I do now maintain a deny.toml to use for ring at https://github.com/briansmith/ring/blob/main/deny.toml. |
As soon as I am sure what SPDX expression to use, I will do so. My goal is to first reduce the chance that the SPDX expression would be wrong by reducing the amount of code where the license isn't obvious, and then after that figure out the appropriate SPDX expression. I worry about using or recommending a wrong or misleading SPDX expression for people to use that is over-simplified and/or otherwise wrong. The issue is simply that the slogging through refactoring the code takes a long time. |
An example of a complication that I'm not yet prepared to resolve yet, that I encountered in the webpki project. The spdx.org website says the BSD 3-clause license has a warranty disclaimer that uses the term "COPYRIGHT HOLDER." Yet the license text Google used for Chromium says "COPYRIGHT OWNER" instead. So what SPDX expression covers that? No clue. |
That's now briansmith/webpki#148. |
I'm also interested in this issue, because after using the CycloneDX tool for SBOM generation (https://github.com/CycloneDX/cyclonedx-rust-cargo), At the moment I can just patch-it myself, however, given how high profile |
+1 At my company we are using The fact, that the licenses are not automatically checkable is making everyone nervous. To be honest we currently have no clue how to proceed here except hand-checking each |
@kamulos Fwiw |
@MarijnS95 thanks, for clarifying 😁 This makes it basically painless 👍 |
This is still a tough one 😅 No idea how to solve it though... |
Is there an update on this? :) In the project I tested cargo-deny with,
This expression would be valid as long as no further licenses are being introduced, the specific attribution/licensing shouldn't matter since the expression says you need to be compliant with all three of them anyway. |
Any update on this? |
Some thoughts:
Is there any CI tooling that exists that can help us enforce that |
`ring` is included because it is an optional dependency of `hyer`, which is a training data in rust-pref for optimized build. The license of it is generally `ISC AND MIT AND OpenSSL`, though the `package.license` field is not set. See briansmith/ring#902 `git+https://github.com/rust-lang/team` git source is from `rust_team_data`, which is used by `site` in src/tools/rustc-perf. This doesn't really a part of the compiler, so doesn't really affect the bootstrapping process. See rust-lang/rustc-perf#1914.
`ring` is included because it is an optional dependency of `hyper`, which is a training data in rustc-pref for optimized build. The license of it is generally `ISC AND MIT AND OpenSSL`, though the `package.license` field is not set. See briansmith/ring#902 `git+https://github.com/rust-lang/team` git source is from `rust_team_data`, which is used by `site` in src/tools/rustc-perf. This doesn't really a part of the compiler, so doesn't really affect the bootstrapping process. See rust-lang/rustc-perf#1914.
`ring` is included because it is an optional dependency of `hyper`, which is a training data in rustc-pref for optimized build. The license of it is generally `ISC AND MIT AND OpenSSL`, though the `package.license` field is not set. See briansmith/ring#902 `git+https://github.com/rust-lang/team` git source is from `rust_team_data`, which is used by `site` in src/tools/rustc-perf. This doesn't really a part of the compiler, so doesn't really affect the bootstrapping process. See rust-lang/rustc-perf#1914.
`ring` is included because it is an optional dependency of `hyper`, which is a training data in rustc-pref for optimized build. The license of it is generally `ISC AND MIT AND OpenSSL`, though the `package.license` field is not set. See briansmith/ring#902 `git+https://github.com/rust-lang/team` git source is from `rust_team_data`, which is used by `site` in src/tools/rustc-perf. This doesn't really a part of the compiler, so doesn't really affect the bootstrapping process. See rust-lang/rustc-perf#1914.
`ring` is included because it is an optional dependency of `hyper`, which is a training data in rustc-pref for optimized build. The license of it is generally `ISC AND MIT AND OpenSSL`, though the `package.license` field is not set. See briansmith/ring#902 `git+https://github.com/rust-lang/team` git source is from `rust_team_data`, which is used by `site` in src/tools/rustc-perf. This doesn't really a part of the compiler, so doesn't really affect the bootstrapping process. See rust-lang/rustc-perf#1914.
Currently, ring's top level LICENSE file spells out the licensing terms, which is great, except it makes it hard for tools such as askalono to reliably gather licensing information due to it being a concatenation of several licenses, as well as inline text describing the licensing and why it is how it is.
As far as I can tell, if the
license
field in Cargo.toml was specified asISC AND MIT AND OpenSSL
then this would reflect the terms under which others can license ring, without changing the LICENSE file as it stands, and allow tools and automated processes to handle ring.The text was updated successfully, but these errors were encountered: