Missing SPDX license identifier warnings #87
Comments
|
@uniibu I believe this has already been fixed in #2235, right? |
|
I think this is trickier than it seems. OpenZeppelin/openzeppelin-contracts#2235 sets the license to "MIT", but the end-user of the OpenZeppelin library may want to use a different license. Furthermore, it's common for Ethereum developers to flatten their contracts before going to to mainnet, and with a SPDX predefined by OpenZeppelin, there will be conflicting licenses in the final smart contract product. Ideally, the Solidity compiler should allow turning off some of its rules if the user annotates it (similar to how eslint does it). |
|
@PaulRBerg I agree that this is problematic, but I don't see that OpenZeppelin Contracts is doing anything wrong including the MIT license identifiers. Would you agree? If a project uses the files we provide as part of their project, my understanding is that it cannot claim a different license for those files. They can use a different license for their own files, however, and in that case I don't know what the SPDX comment should say for the flattened file. I've created these two issues to discuss and track this:
I am closing this issue as I believe we have resolved this on our side, but I'm keeping track of the issues linked above so that we can solve the problems this may be causing to users. |
|
Actually yeah you're right. If they do flatten the contracts, they can do a bit of extra work and de-dup the unfit licenses. |
|
Hi @PaulRBerg, I posted in the forum about SPDX license identifiers. Verification is the big impact, with the likelihood that we need to move away from flattened file verification. |
🧐 Motivation
This is in relation to OpenZeppelin/openzeppelin-contracts#2234 and OpenZeppelin/openzeppelin-contracts#2235
📝 Details
As of
Solidity 0.6.8Solidity issues warnings on all contracts that has noSPDX license identifieras shown by the image below.The text was updated successfully, but these errors were encountered: