formula_auditor: reject more SPDX licenses

[cho-m]

Also require licenses on non-disabled formulae

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

I am working on adding licenses to all non-disabled formulae, so opening PR to make some license checks stricter.

The extra licenses are only some examples for now (too much effort to make exhaustive), e.g.

• BUSL-1.1 and Elastic-2.0 are ones we have manually rejected in Homebrew/core. For now, just reject all versions (can modify if terms change)
• CC-BY-NC I believe are going to be non-free due to non-commercial restriction
  • Debian has CC-BY-NC-SA example - https://wiki.debian.org/DFSGLicenses#Creative_Commons_Attribution-NonCommercial-ShareAlike_.28CC_BY-NC-SA.29
  • Fedora rejects all CC-BY-NC-* licenses. They do allow CC-BY-ND-x.y for "Allowed content". See https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
  • https://www.gnu.org/licenses/license-list.html#NonFreeDocumentationLicenses
  • No check marks for any on FSF of OSI-approved on SPDX list
• JSON is non-free pretty much everywhere - https://wiki.debian.org/qa.debian.org/jsonevil

Could consider out-sourcing lists but not sure if there is one that fully matches our preferences.

Fedora has their own list but no idea on what their legal requirements are - https://docs.fedoraproject.org/en-US/legal/not-allowed-licenses/

[Bo98]

May also be worth doing a pass over license :cannot_represent formulae. A lot are missing comments and I reckon some may just be a sneaky bypass for non-open-source software.

[MikeMcQuaid]

May also be worth doing a pass over license :cannot_represent formulae. A lot are missing comments and I reckon some may just be a sneaky bypass for non-open-source software.

I agree. Honestly, I think license :cannot_represent should be probably removed from Homebrew/homebrew-core.

We should have an attitude of "only include open source software and, if in doubt, exclude" rather than "if in doubt, include".

[cho-m]

May also be worth doing a pass over license :cannot_represent formulae.

On my todo list. Already have some (like iozone and wpscan) that need to be checked. Others may now be able to use new SPDX identifiers.

---

I agree. Honestly, I think license :cannot_represent should be probably removed from Homebrew/homebrew-core.

That is the ideal, but SPDX is not ready for that given some important software like DocBook is still pending license identifiers.

Fedora seems to be doing a large scale legal cleanup and have contributed a number of SPDX updates, which has helped reduce some of our :cannot_represent.

---

On Homebrew side, the next step would be to take any :cannot_represent and link them to corresponding issues/PRs in SPDX repo so we can update them.

[MikeMcQuaid]

Sounds great, thanks @cho-m!

[cho-m]

Should be ready for review now.

I've added a short list of examples. May extract this to JSON in future for easier updates. Sadly Debian has no master list. Fedora has one which can be fetched by us, but they have slightly different opinions compared to DFSG (e.g. Artistic-1.0, CC-BY-1.0).