fix: Add PackageLicenseExpression for /src #236
Conversation
|
Key differences this makes:
|
|
Hmm, looks like this doesn't mix well. |
|
Ah, doh! I'll research how to resolve it later... (I actually made the change locally in a clone but neglected to try to build it, 🤦) |
Will have a deeper read to understand the nuance though. e.g. microsoft/MSBuildSdks#312 I'll work on the assumption you want to preserve the inclusion of the license file in the nupkg (though cc @abelbraaksma did you have a particular reasoning for not including the license in the package and/or are you aware of a convention? Or, if you want me to do a PR to align FS.C.TS with this (i.e. include the MIT license file in the nupkg?) |
It doesn't matter that much to me but it's more surprising, that since this is a typical scenario of including the file, the scanner you're using can't support it. |
|
I believe the TL;DR of the issue is that the NuGet PackageLicenseExpression assertion is more complete; it's saying "no need to parse the text of any license - the author of the package has, by specifying it this way, made an assertion that all licensing end to end is in compliance with the definition of that license", thus adding the PLE means that the link from FsCodec's nuget page is to https://licenses.nuget.org/Apache-2.0, not to the license text. That means that the scanner software and/or people leaning on the conclusions it draws are "not on the hook for" and/or having to having to lean on the heuristics such as those used in the rendering of https://github.com/demystifyfp/FsToolkit.ErrorHandling/blob/master/License which presumably does some form of textual comparison that's tolerant of whitespace diffs and a copyright clause at the top (though IIRC it ignores stuff after too, which would probably give Lawyers kittens). The PLEs are references to https://spdx.org/licenses/ FWIW the scanner in question is Black Duck, but I have no reason to believe that it's unique in following this approach. |
|
I get it's a lot easier to just look for a key in a xml file than doing all the extra work, it's just strange to me that tool lacks some ability for this since there's 45k results in a naive search across github with people using
Yeah just remove the license file from the packing. |
Thanks, Will do (later)
I suspect the reason for that it is primarily that it's a relatively recent addition to NuGet's tooling. And I definitely agree that scanners can be assess, and there needs to be reasonable pushback e.g. serilog/serilog-sinks-console#145 (comment) But it is pretty clear that this is the correct path for packages on mainstream licenses: https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/nuget#important-nuget-package-metadata |
|
OK, applied https://learn.microsoft.com/en-us/nuget/create-packages/package-authoring-best-practices |
| <IsTestProject>false</IsTestProject> | ||
| <PackageTags>f#;fsharp;railway oriented programming;ROP;result type;error handling</PackageTags> | ||
| <PackageReadmeFile>README.md</PackageReadmeFile> <!--https://docs.microsoft.com/en-gb/nuget/reference/msbuild-targets#packagereadmefile --> | ||
| <PackageTags>f#, fsharp, railway oriented programming, ROP, result type, error handling</PackageTags> |
There was a problem hiding this comment.
https://learn.microsoft.com/en-us/nuget/create-packages/package-authoring-best-practices suggests comma separation
| <IsTestProject>false</IsTestProject> | ||
| <PackageTags>f#;fsharp;railway oriented programming;ROP;result type;error handling</PackageTags> | ||
| <PackageReadmeFile>README.md</PackageReadmeFile> <!--https://docs.microsoft.com/en-gb/nuget/reference/msbuild-targets#packagereadmefile --> | ||
| <PackageTags>f#, fsharp, railway oriented programming, ROP, result type, error handling</PackageTags> | ||
| <!-- Sourcelink --> | ||
| <PublishRepositoryUrl>true</PublishRepositoryUrl> |
There was a problem hiding this comment.
These settings can be consolidated via DotNet.ReproducibleBuilds which @baronfel introduced me to, e.g. https://github.com/jet/equinox/blob/master/Directory.Build.props#L19C39-L19C57
But that's a step too far for this PR/batch of changes in this space
| @@ -6,7 +6,7 @@ | |||
| <LangVersion>preview</LangVersion> | |||
| <DebugType>portable</DebugType> | |||
|
|
|||
| <PackageTags>($PackageTags);fable-library;fable-dotnet;fable-javascript;fable-python</PackageTags> | |||
| <PackageTags>$(PackageTags), fable-library, fable-dotnet, fable-javascript, fable-python</PackageTags> | |||
There was a problem hiding this comment.
was mangled, see https://nuget.info/packages/FsToolkit.ErrorHandling/4.11.0
|
OK, I think I'm happy with this as it is now Note there's no rush on merging and/or releasing - we'll feed it through as and when it happens And finally, thanks for the stewardship of the project; as a newcomer to the project in recent times I've found the docs do a good job in general |
- [fix: Add PackageLicenseExpression for /src](#236) Credits @bartelink - [Fix netstandard2 package version drift](#237) Credits @TheAngryByrd
|
Thanks for the release - I can confirm the scan is now clear, and the NuGet listing looks like everything has percolated correctly |
Applies a PackageLicenseExpression to projects under
/srctree, in order that this information pass through to the emitted.nupkgfiles.The field is used by automated security vulnerability scanning tools to avoid having to parse a potentially ambiguous license file. I believe this to be standard practice in recent years:
FSharp.Control.TaskSeqhttps://github.com/fsprojects/FSharp.Control.TaskSeq/blob/349124b7e53dd5b37e87921e6bdc5b3e8a0e26e1/src/FSharp.Control.TaskSeq/FSharp.Control.TaskSeq.fsproj#L20