Switch to PackageLicenseExpression #31

Open
wants to merge 1 commit into
base: master

Conversation

bartelink (Member)

Gotta keep those scanners quiet

@bartelink (Member Author)

Not understanding where release 1.1.0 came from, and why the PackageVersion was not up to date?

@abelbraaksma (Member)

Just curious (since I have the same in TaskSeq, and I also have MIT), why is this change needed?

@bartelink (Member Author)

This way, the nuspec gets a top level field that authoritatively defines the license in terms of a known set of approved OSI licenses (i.e. the string MIT has a very specific meaning in that context, mapping to the full license text)
NuGet.org can also render authoritatively e.g. https://www.nuget.org/packages/equinox
The actual driver here is that the corp sec scanner notes the package as having an unknown license type (because it doesn't search within packages)

@abelbraaksma (Member) commented Jun 1, 2024

> The actual driver here is that the corp sec scanner notes the package as having an unknown license type (because it doesn't search within packages)

Ah, do you mean the scanner of projects that download and use the package? Sounds like a bug in the scanner to me, but if this fixes it, I should update my packages similarly. Don't want SOC2 compliance or similar to prevent companies from using your libs.

Sorry to barge in and hijack your thread, btw, but your change caught me ;).

Edit: just checked for comparison, indeed, F# uses the same format: PackageLicenseExpression

@bartelink (Member Author)

Not really. The high level rules are that you either have a SPDX expression, or a file or a url. https://learn.microsoft.com/en-us/nuget/reference/msbuild-targets#packing-a-license-expression-or-a-license-file

I'm not sure the current PackageLicense xml was ever correct. The outcome is that the package has no license of any kind and hence is effectively unlicensed: https://nuget.info/packages/FSharp.UMX/1.1.0

But, even for PackageLicense files vs expressions, the scanner would need to implement parsing to be able to conclusively determine that it was an unaltered version of a given known license text.

I see your edit as I glance now! Everything looks in order there (it would also have appeared on the scanner list my side)
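An added example, not code from the FSharp.UMX repository or from the NuGet tooling: a small Python checker that classifies a package's license declaration the way a metadata-only scanner does, i.e. by reading the `.nuspec` (or predicting it from the `.csproj`) and never opening any file inside the `.nupkg`. The nuspec shapes (`<license type="expression">`, `<license type="file">`, the deprecated `<licenseUrl>`) follow the NuGet docs linked above; the SPDX allowlist is a demo subset, and every sample XML below is constructed, including a `<PackageLicense>` property that is only assumed to resemble the pre-fix csproj rather than copied from it.

```python
"""Added example (not part of FSharp.UMX): classify a NuGet package's license
declaration from metadata alone, as a corp scanner would.  All sample XML and
the SPDX allowlist are constructed for the demo."""
import re
import xml.etree.ElementTree as ET

# Demo allowlist; a real scanner loads the full SPDX license list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
            "GPL-3.0-only", "LGPL-2.1-or-later", "MPL-2.0", "Unlicense"}
OPERATORS = {"AND", "OR"}  # 'WITH <exception>' is left out of this demo grammar


def _local(tag):
    """Drop the XML namespace so every nuspec schema version matches."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    return next((el for el in root.iter() if _local(el.tag) == name), None)


def is_spdx_expression(expr):
    """True for 'MIT', 'MIT OR Apache-2.0', '(MIT AND BSD-3-Clause)'; False for
    free text such as 'MIT License' or identifiers outside the allowlist."""
    tokens = re.findall(r"[()]|[A-Za-z0-9.+-]+", expr)
    if not tokens or "".join(tokens) != expr.replace(" ", ""):
        return False  # stray characters such as ';' or ','
    depth, want_id = 0, True
    for tok in tokens:
        if tok == "(":
            if not want_id:
                return False
            depth += 1
        elif tok == ")":
            if want_id or depth == 0:
                return False
            depth -= 1
        elif tok.upper() in OPERATORS:
            if want_id:
                return False
            want_id = True
        else:
            if not want_id or tok not in SPDX_IDS:
                return False
            want_id = False
    return depth == 0 and not want_id


def classify_nuspec(nuspec_xml):
    """Return (kind, value): 'expression' (machine-verifiable), 'file' (cannot be
    verified without opening the package), 'url' (deprecated licenseUrl only),
    'invalid' (malformed expression) or 'none' (effectively unlicensed)."""
    root = ET.fromstring(nuspec_xml)
    lic = _first(root, "license")
    if lic is not None:
        value = (lic.text or "").strip()
        if lic.get("type") == "expression":
            return ("expression" if is_spdx_expression(value) else "invalid", value)
        if lic.get("type") == "file":
            return ("file", value)
        return ("invalid", value)
    url = _first(root, "licenseUrl")
    if url is not None and (url.text or "").strip():
        return ("url", url.text.strip())
    return ("none", "")


def predict_from_csproj(csproj_xml):
    """Predict what `dotnet pack` writes into the nuspec.  Only the three real
    NuGet properties are honoured; an unknown property such as <PackageLicense>
    is just an unused MSBuild property, so the package ends up with no license."""
    root = ET.fromstring(csproj_xml)
    props = {_local(el.tag): (el.text or "").strip()
             for pg in root.iter() if _local(pg.tag) == "PropertyGroup" for el in pg}
    expr, file, url = (props.get(k, "") for k in
                       ("PackageLicenseExpression", "PackageLicenseFile", "PackageLicenseUrl"))
    if expr and file:  # pack rejects this combination; the docs say pick one
        return ("invalid", "PackageLicenseExpression and PackageLicenseFile both set")
    if expr:
        return ("expression" if is_spdx_expression(expr) else "invalid", expr)
    if file:
        return ("file", file)
    if url:
        return ("url", url)
    return ("none", "")


# Constructed samples (not the real FSharp.UMX metadata).
NS = "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"
NUSPEC_EXPRESSION = f"""<package xmlns="{NS}"><metadata><id>Demo</id>
  <version>1.0.0</version><license type="expression">MIT</license>
</metadata></package>"""
NUSPEC_NONE = f"""<package xmlns="{NS}"><metadata><id>Demo</id>
  <version>1.1.0</version></metadata></package>"""
CSPROJ_TYPO = """<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>
  <PackageLicense>MIT</PackageLicense></PropertyGroup></Project>"""
CSPROJ_FIXED = """<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>
  <PackageLicenseExpression>MIT</PackageLicenseExpression></PropertyGroup></Project>"""

if __name__ == "__main__":
    print("nuspec with expression :", classify_nuspec(NUSPEC_EXPRESSION))
    print("nuspec with no license :", classify_nuspec(NUSPEC_NONE))
    print("csproj <PackageLicense>:", predict_from_csproj(CSPROJ_TYPO))
    print("csproj fixed           :", predict_from_csproj(CSPROJ_FIXED))
```

The `file` outcome is the one the thread describes: a scanner that only reads metadata can see that a license file is named but cannot conclude which license it is without unpacking and diffing the text, whereas an `expression` of `MIT` needs no further lookup.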

@abelbraaksma (Member)

> I see your edit as I glance now! Everything looks in order there (it would also have appeared on the scanner list my side)

Haha, indeed, no change in TaskSeq needed. I made a typo when searching and turned out it was PackageLicenseExpression all along, I just forgot. Sorry for the noise 😆.
