Update license-expr dependency. #385
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'd also like to get feedback from the crates.io maintainers on ehuss/license-exprs#6. This PR removes some licenses which have been deprecated, which is a breaking change. Fortunately, a licensing survey showed that there are no crates on crates.io using any of the deprecated licenses. Would crates.io be willing to upgrade to a list that excluded deprecated licenses? |
|
I would be okay with doing that. |
|
Sounds good to me as well! Thanks @withoutboats! |
|
Cool. I'll accept the other PR to license-expr as well, push up a 2.0.0 version of the crate, and open another PR to upgrade crates.io to that version. |
|
Sounds good to me, thanks! |
wking
added a commit
to wking/cargo
that referenced
this pull request
Jan 4, 2018
Before this commit, the license-list URL was floating, which lead to issues when manifest authors used IDs from the list that had not yet made it into crate.io's whitelist [1]. This commit pins both the SPDX-spec version (to avoid floating the license-expresion syntax) and the license-list version (to avoid floating the license/exception identifiers). I've also deprecated the / syntax, since it was not clear whether that was conjunctive (like AND) or disjunctive (like OR). crates.io is using license-exprs 1.3^ [2], and that version supports WITH, AND, OR, and the + suffix [3], so as far as crates.io-validation is concerned, the value can use vanilla license expressions. It's unfortunate that there's not an easily-browsable version of the 2.4 license list up anywhere canonical (as far as I know). Starting with the 3.0 license list, there's a Markdown page in the authoritative list-data repository [4]. I can also see about getting earlier versions of the HTML (e.g. [5]) up on spdx.org somewhere. I'm expecting the version-bump procedure will look something like: 1. SPDX cuts a new spec and/or license list release. 2. license-exprs updates to cover the change. 3. crates.io updates to depend on the new license-exprs version. 4. cargo updates the documentation to allow the new version. 5. authors read the new cargo docs and start using the new expression syntax and/or identifiers. There's a window there where crates.io will be validating to a different version than the cargo docs recommend, so it would be good to have 4 follow 3 as closely as possible. But the SPDX maintainers have been good about providing long deprecation windows, so a bit of a gap is acceptable. It's possible that crates.io will want to warn authors about their use of deprecated identifiers or syntax (e.g. the '/' I've deprecated here) so they can upgrade before the deprecated element is dropped (probably years after the initial deprecation). That would help limit the gap between 3 and 5 (although warnings sent before 4 might be confusing). The parallel edits to the two manifest files are based on Carol Nichols' recommendation. She points out on IRC that the goal is to drop the src/doc/manifest.md reference soon with the book up on doc.rust-lang.org/cargo today [6]. [1]: rust-lang#4888 [2]: rust-lang/crates.io#385 [3]: https://github.com/withoutboats/license-exprs/blob/5bdb5355540792234e10011b9bbe4766cd08ff26/src/lib.rs#L53-L56 [4]: https://github.com/spdx/license-list-data/blob/v3.0/licenses.md [5]: https://github.com/spdx/license-list-data/tree/v2.4/website [6]: https://botbot.me/mozilla/cargo/2018-01-04/?msg=95358280&page=2
bors
added a commit
to rust-lang/cargo
that referenced
this pull request
Jan 4, 2018
src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list Before this commit, the license-list URL was floating, which lead to issues when manifest authors used IDs from the list that had not yet made it into crate.io's whitelist (#4888). This commit pins both the SPDX-spec version (to avoid floating the license-expresion syntax) and the license-list version (to avoid floating the license/exception identifiers). I've also deprecated the `/` syntax, since it was not clear whether that was conjunctive (like `AND`) or disjunctive (like `OR`). crates.io is [using license-exprs 1.3^][2], and [that version supports `WITH`, `AND`, `OR`, and the `+` suffix][3], so as far as crates.io-validation is concerned, the value can use vanilla license expressions. It's unfortunate that there's not an easily-browsable version of the 2.4 license list up anywhere canonical (as far as I know). Starting with the 3.0 license list, there's [a Markdown page in the authoritative list-data repository][4]. I can also see about getting [earlier versions of the HTML][5] up on spdx.org somewhere. I'm expecting the version-bump procedure will look something like: 1. SPDX cuts a new spec and/or license list release. 2. license-exprs updates to cover the change. 3. crates.io updates to depend on the new license-exprs version. 4. cargo updates the documentation to allow the new version. 5. authors read the new cargo docs and start using the new expression syntax and/or identifiers. There's a window there where crates.io will be validating to a different version than the cargo docs recommend, so it would be good to have 4 follow 3 as closely as possible. But the SPDX maintainers have been good about providing long deprecation windows, so a bit of a gap is acceptable. It's possible that crates.io will want to warn authors about their use of deprecated identifiers or syntax (e.g. the `/` I've deprecated here) so they can upgrade before the deprecated element is dropped (probably years after the initial deprecation). That would help limit the gap between 3 and 5 (although warnings sent before 4 might be confusing). The parallel edits to the two manifest files are based on @carols10cents' recommendation. She [points out on IRC][6] that the goal is to drop the `src/doc/manifest.md` reference soon with the book up on `doc.rust-lang.org/cargo` today. Fixes #4888, although it would be good to start the upgrade cycle to pull in the [newly-released SPDX license list 3.0][7] so folks can start using the new identifiers. [2]: rust-lang/crates.io#385 [3]: https://github.com/withoutboats/license-exprs/blob/5bdb5355540792234e10011b9bbe4766cd08ff26/src/lib.rs#L53-L56 [4]: https://github.com/spdx/license-list-data/blob/v3.0/licenses.md [5]: https://github.com/spdx/license-list-data/tree/v2.4/website [6]: https://botbot.me/mozilla/cargo/2018-01-04/?msg=95358280&page=2 [7]: https://lists.spdx.org/pipermail/spdx/2017-December/001159.html
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The new version includes additional license recognized as valid by the SPDX spec.