
MIT and Apache-2.0 license detection in Rust crate.io package should be considered MIT OR Apache-2.0 #2516

Open
JonoYang opened this issue May 3, 2021 · 4 comments


@JonoYang
Member

JonoYang commented May 3, 2021

A significant number of Rust crate.io packages are licensed under MIT or Apache-2.0. We should modify scancode such that if Apache-2.0 and MIT were detected as licenses for a crate.io package, this license should be normalized to the expression mit OR apache-2.0 instead of mit AND apache-2.0.

@hyandell

What about any MIT AND Apache-2.0 projects?

@pombredanne
Member

pombredanne commented May 24, 2021

@hyandell good point!

Actually I think @JonoYang meant specific cases of Apache-2.0/MIT or MIT/Apache-2.0 and this represents about 39,374 crates as of today. These are legacy expressions that date from a time when Cargo accepted a list of licenses separated by a slash. The use of / is deprecated now and no longer accepted.
This would not apply to things worded as MIT AND Apache-2.0, which are bona-fide and clear SPDX expressions.

IMHO we would still need to double check these ~40K crates in detail to verify that this holds on all, and if this does not hold, we can track a list of exceptions.

For reference see these too:

@hyandell

hyandell commented Jun 1, 2021

I should have said "MIT and Apache-2.0 projects" :)

I spent a weekend doing a big slog of the Rust crate licensing and generally found that it was 50/50 as to whether a '/' meant AND or OR. Generally speaking, the more permissively licensed, the more likely it was OR, but I was also filtering out things like 'MIT/Apache-2.0' as I didn't care if it was an AND or OR for that analysis. Summary: I was surprised '/' was so inconsistently interpreted.

@pombredanne
Member

> I spent a weekend doing a big slog of the Rust crate licensing and generally found that it was 50/50 as to whether a '/' meant AND or OR. Generally speaking, the more permissively licensed, the more likely it was OR, but I was also filtering out things like 'MIT/Apache-2.0' as I didn't care if it was an AND or OR for that analysis. Summary: I was surprised '/' was so inconsistently interpreted.

That's valuable input. It means that eventually the Rust declared license cannot be trusted too much, and we should err towards reporting these as AND by default, maybe?
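The normalization debated in this thread (the opening proposal to read the legacy `MIT/Apache-2.0` slash form as `mit OR apache-2.0`, and the later suggestion to default every other slash list to AND and keep a list of exceptions) can be sketched as a small policy function. The following is an added example written for this page, not scancode's own code: the pair set `KNOWN_OR_PAIRS`, the function names, and the sample declared strings are all assumptions constructed for illustration.

```python
import re

# Added example for this thread, not scancode's code. It models one policy:
# bona-fide SPDX expressions pass through untouched; the deprecated Cargo
# "A/B" slash list is read as OR only for a known pair (MIT/Apache-2.0), and
# every other slash list is read conservatively as AND and flagged for review.

SPDX_OPERATORS = {"AND", "OR", "WITH"}

# Legacy slash pairs this thread proposes to read as a disjunction.
# Stored as order-independent sets of lower-cased keys (assumed, not scancode's data).
KNOWN_OR_PAIRS = {frozenset({"mit", "apache-2.0"})}


def _lower_identifiers(expr: str) -> str:
    """Lower-case license identifiers (scancode-style keys) but keep SPDX operators."""
    return re.sub(
        r"[A-Za-z0-9.+-]+",
        lambda m: m.group(0) if m.group(0) in SPDX_OPERATORS else m.group(0).lower(),
        expr,
    )


def is_legacy_slash(declared: str) -> bool:
    """True for the deprecated Cargo form 'A/B': a slash list with no SPDX operators."""
    text = declared.strip()
    if "/" not in text:
        return False
    return not re.search(r"\b(AND|OR|WITH)\b", text) and "(" not in text


def normalize_cargo_license(declared: str, or_pairs=KNOWN_OR_PAIRS):
    """Return (normalized expression, needs_review) for one declared license string."""
    text = declared.strip()
    if not text:
        return "", False
    if not is_legacy_slash(text):
        # A clear SPDX expression such as "MIT AND Apache-2.0" keeps its operators.
        return _lower_identifiers(text), False
    keys = [p.strip().lower() for p in text.split("/") if p.strip()]
    if len(keys) == 2 and frozenset(keys) in or_pairs:
        return " OR ".join(keys), False
    # Unknown slash list: the thread's 50/50 finding means we cannot guess,
    # so report the conservative AND and flag it for manual review.
    return " AND ".join(keys), True


def triage(declared_list, or_pairs=KNOWN_OR_PAIRS):
    """Normalize a batch and collect the declared strings still needing a human look."""
    normalized = {}
    review = []
    for declared in declared_list:
        expr, needs_review = normalize_cargo_license(declared, or_pairs)
        normalized[declared] = expr
        if needs_review:
            review.append(declared)
    return normalized, review


# Constructed sample of declared license strings; not real crate data.
SAMPLE_DECLARED = [
    "MIT/Apache-2.0",
    "Apache-2.0 / MIT",
    "MIT AND Apache-2.0",
    "MIT OR Apache-2.0",
    "MIT/BSD-3-Clause",
    "MIT/Apache-2.0/Zlib",
]

if __name__ == "__main__":
    normalized, review = triage(SAMPLE_DECLARED)
    for declared, expr in normalized.items():
        print(f"{declared!r:24} -> {expr}")
    print("needs review:", review)
```

The review list is the "list of exceptions" the thread mentions: anything not covered by a known pair is reported as AND, the stricter reading for a downstream consumer, while still being surfaced so a human can confirm whether the author meant OR.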
