Packaging license files with fpm

[awvwgk]

Since fpm is built around the sole purpose of linking Fortran dependencies statically into applications, there should be a mechanism do deal with license files. Currently the specified license only takes a string or maybe SPDX identifier, but this might not be sufficient for some projects, e.g. packaging for conda-forge requires to package the project license files and all license files of the statically linked dependencies.

Requiring every project to specify the license with an SPDX identifier and either let fpm automatically collect the license files (look for COPYING*, LICENSE*, ... in the project root directory) or require the author to provide a list of license files would allow fpm to know about the more or less exact licensing situation of the application.

This affects packages under multiple licenses as well, the Apache-2.0 / MIT dual licensing from the Rust community is probably relevant here.

[milancurcic]

Why do we want to do this?

Is it to safeguard the user from inadvertently importing a less permissive dependency into their project, for example, GPL dependency into a MIT project? In that case, do we want to not allow it or simply warn the user? What does Cargo do in this scenario?

Are there other reasons to handle dependency licenses?

[awvwgk]

Most licenses require to be included with source or binary distributions in some form. I think this becomes important once we start creating distributions of any kind with fpm. But I can only speak about the projects I'm usually packaging for.

If fpm should support producing conda-build input like suggested in #70, it would be certainly necessary. Packing the license files is a requirement to publish on conda-forge (see https://conda-forge.org/docs/maintainer/adding_pkgs.html).
Packaging for Arch Linux requires the inclusion of the license files as well (see https://wiki.archlinux.org/index.php/PKGBUILD#license).

I also checked Cargo and it requires either SPDX identifiers or the license file(s) to be packaged (see https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields).

[milancurcic]

Thank you for further explaining that, I now understand better. It seems like the right thing to do.

[certik]

Yes, I think we have to package the license.

…

On Sat, Sep 12, 2020, at 11:29 AM, Milan Curcic wrote: Thank you for further explaining that, I now understand better. It seems like the right thing to do. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#169 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAFAWBLSDIBATGERB7DXATSFOVYHANCNFSM4RJM47GA>.