Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make license information machine readable #902

Open
Jake-Shadle opened this issue Oct 6, 2019 · 19 comments
Open

Make license information machine readable #902

Jake-Shadle opened this issue Oct 6, 2019 · 19 comments

Comments

@Jake-Shadle
Copy link

Currently, ring's top level LICENSE file spells out the licensing terms, which is great, except it makes it hard for tools such as askalono to reliably gather licensing information due to it being a concatenation of several licenses, as well as inline text describing the licensing and why it is how it is.

As far as I can tell, if the license field in Cargo.toml was specified as ISC AND MIT AND OpenSSL then this would reflect the terms under which others can license ring, without changing the LICENSE file as it stands, and allow tools and automated processes to handle ring.

@Jake-Shadle
Copy link
Author

Going to close this as no one else seems to care.

@briansmith
Copy link
Owner

I do care about this and I do want it to be done. However, there are a lot of layers to slog through and it will unfortunately be a bit of a non-transparent process until it is closer to being done.

@Jake-Shadle
Copy link
Author

Glad to hear that! Sorry for my short close comment.

@gdesmott
Copy link

I'm suffering the same problem. On my dep is using ring which triggers cargo deny check license:


   ┌── ring 0.13.5 (registry+https://github.com/rust-lang/crates.io-index):2:9 ───
   │
 2 │ name = "ring"
   │         ^^^^ a valid license expression could not be retrieved for the crate
   ·
 4 │ license = ""
   │            - license expression was not specified

@briansmith
Copy link
Owner

The documentation for cargo deny has an example of how to deal with ring specifically.

@gdesmott
Copy link

Oh indeed, perfect, thanks! 👍

@Veetaha
Copy link

Veetaha commented Jul 29, 2020

@briansmith this is unfortunate that ring has become an example of license.clarify clause of cargo-deny and indeed I've stumbled with the warning too.
Why not adding license = "ISC AND MIT AND OpenSSL" or what SPDX expression you see more appropriate to Cargo.toml.
I think it is easier done than discussed....

@briansmith
Copy link
Owner

I do now maintain a deny.toml to use for ring at https://github.com/briansmith/ring/blob/main/deny.toml.

@briansmith
Copy link
Owner

@briansmith this is unfortunate that ring has become an example of license.clarify clause of cargo-deny and indeed I've stumbled with the warning too.
Why not adding license = "ISC AND MIT AND OpenSSL" or what SPDX expression you see more appropriate to Cargo.toml.
I think it is easier done than discussed....

As soon as I am sure what SPDX expression to use, I will do so. My goal is to first reduce the chance that the SPDX expression would be wrong by reducing the amount of code where the license isn't obvious, and then after that figure out the appropriate SPDX expression. I worry about using or recommending a wrong or misleading SPDX expression for people to use that is over-simplified and/or otherwise wrong.

The issue is simply that the slogging through refactoring the code takes a long time.

@briansmith
Copy link
Owner

An example of a complication that I'm not yet prepared to resolve yet, that I encountered in the webpki project. The spdx.org website says the BSD 3-clause license has a warranty disclaimer that uses the term "COPYRIGHT HOLDER." Yet the license text Google used for Chromium says "COPYRIGHT OWNER" instead. So what SPDX expression covers that? No clue.

@briansmith
Copy link
Owner

An example of a complication that I'm not yet prepared to resolve yet, that I encountered in the webpki project. The spdx.org website says the BSD 3-clause license has a warranty disclaimer that uses the term "COPYRIGHT HOLDER." Yet the license text Google used for Chromium says "COPYRIGHT OWNER" instead. So what SPDX expression covers that? No clue.

That's now briansmith/webpki#148.

@cipriancraciun
Copy link

I'm also interested in this issue, because after using the CycloneDX tool for SBOM generation (https://github.com/CycloneDX/cyclonedx-rust-cargo), ring is my only dependency for which no license in detected.

At the moment I can just patch-it myself, however, given how high profile ring is, and perhaps how important SBOM's will become in the near future, properly specifying a license would be very welcome.

@kamulos
Copy link

kamulos commented Feb 25, 2022

+1

At my company we are using cargo-deny to ensure that all dependencies fit in the a pre-selected list of allowed licensed. With rustls we are intending to pull ring and webpki in our dependencies.

The fact, that the licenses are not automatically checkable is making everyone nervous. To be honest we currently have no clue how to proceed here except hand-checking each ring and webpki update.

@MarijnS95
Copy link

MarijnS95 commented Feb 25, 2022

@kamulos Fwiw cargo-deny has a special license.clarify section. This includes a checksum of the license file so that the manual clarification/checking only remains valid for as long as that file doesn't change.

@kamulos
Copy link

kamulos commented Feb 25, 2022

@MarijnS95 thanks, for clarifying 😁 This makes it basically painless 👍

@kamulos
Copy link

kamulos commented Mar 7, 2022

Note that it is easy for this file to get out of sync with the licenses in the source code files. It's recommended to compare the licenses in the source code with what's mentioned here.

This is still a tough one 😅 No idea how to solve it though...

@kpcyrd
Copy link

kpcyrd commented Jan 5, 2023

Is there an update on this? :) In the project I tested cargo-deny with, ring is the only dependency that has no machine readable license. Over in #1487 in seems consensus the license of the project is:

license = "ISC AND MIT AND OpenSSL"

This expression would be valid as long as no further licenses are being introduced, the specific attribution/licensing shouldn't matter since the expression says you need to be compliant with all three of them anyway.

@gitmalong
Copy link

Any update on this?

@briansmith
Copy link
Owner

Some thoughts:

  • What does "OpenSSL" mean in SPDX? There are actually two different OpenSSL licenses in use; one is SSLeay and the other is the OpenSSL license. Answered at https://spdx.org/licenses/OpenSSL.html: "The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit." So I guess "OpenSSL" does cover what we need.
  • license = "ISC AND MIT AND OpenSSL" is technically a compatibility-breaking change, if people have explicitly disallowed OpenSSL (or ISC or MIT) as a license. But I am OK with this.

Is there any CI tooling that exists that can help us enforce that license = "ISC AND MIT AND OpenSSL" is the actual correct SPDX expression, by having some kind of job in CI check that every file has a license header with one of those licenses in it?

weihanglo added a commit to weihanglo/rust that referenced this issue May 31, 2024
`ring` is included because it is an optional dependency of `hyer`,
which is a training data in rust-pref for optimized build.
The license of it is generally `ISC AND MIT AND OpenSSL`,
though the `package.license` field is not set.

See briansmith/ring#902

`git+https://github.com/rust-lang/team` git source is from
`rust_team_data`, which is used by `site` in src/tools/rustc-perf.
This doesn't really a part of the compiler,
so doesn't really affect the bootstrapping process.

See rust-lang/rustc-perf#1914.
weihanglo added a commit to weihanglo/rust that referenced this issue May 31, 2024
`ring` is included because it is an optional dependency of `hyper`,
which is a training data in rustc-pref for optimized build.
The license of it is generally `ISC AND MIT AND OpenSSL`,
though the `package.license` field is not set.

See briansmith/ring#902

`git+https://github.com/rust-lang/team` git source is from
`rust_team_data`, which is used by `site` in src/tools/rustc-perf.
This doesn't really a part of the compiler,
so doesn't really affect the bootstrapping process.

See rust-lang/rustc-perf#1914.
weihanglo added a commit to weihanglo/rust that referenced this issue Jun 5, 2024
`ring` is included because it is an optional dependency of `hyper`,
which is a training data in rustc-pref for optimized build.
The license of it is generally `ISC AND MIT AND OpenSSL`,
though the `package.license` field is not set.

See briansmith/ring#902

`git+https://github.com/rust-lang/team` git source is from
`rust_team_data`, which is used by `site` in src/tools/rustc-perf.
This doesn't really a part of the compiler,
so doesn't really affect the bootstrapping process.

See rust-lang/rustc-perf#1914.
weihanglo added a commit to weihanglo/rust that referenced this issue Jun 9, 2024
`ring` is included because it is an optional dependency of `hyper`,
which is a training data in rustc-pref for optimized build.
The license of it is generally `ISC AND MIT AND OpenSSL`,
though the `package.license` field is not set.

See briansmith/ring#902

`git+https://github.com/rust-lang/team` git source is from
`rust_team_data`, which is used by `site` in src/tools/rustc-perf.
This doesn't really a part of the compiler,
so doesn't really affect the bootstrapping process.

See rust-lang/rustc-perf#1914.
lcnr pushed a commit to lcnr/rust that referenced this issue Jun 12, 2024
`ring` is included because it is an optional dependency of `hyper`,
which is a training data in rustc-pref for optimized build.
The license of it is generally `ISC AND MIT AND OpenSSL`,
though the `package.license` field is not set.

See briansmith/ring#902

`git+https://github.com/rust-lang/team` git source is from
`rust_team_data`, which is used by `site` in src/tools/rustc-perf.
This doesn't really a part of the compiler,
so doesn't really affect the bootstrapping process.

See rust-lang/rustc-perf#1914.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants