Add copyleft handling (#38)

* Update dependencies
* Add license.copyleft config
* Add copyleft example
* Add precedence note

CHANGELOG.md

@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added  `[license.copyleft]` config which can be used to determine what happens when a copyleft license is encountered.
 
 ## [0.3.0-beta] - 2019-10-07
 ### Added

README.md

@@ -26,24 +26,42 @@ One important aspect that one must always keep in mind when using code from othe
 
 So `cargo-deny` allows you to ensure that all of your dependencies have license requirements that align with your configuration.
 
+### Precedence
+
+Currently, the precedence for determining whether a particular license is accepted or rejected is as follows:
+
+1. A license specified in the `deny` list is **always rejected**.
+1. A license specified in the `allow` list is **always accepted**.
+1. If the license is considered [copyleft](https://en.wikipedia.org/wiki/Copyleft), the [`[license.copyleft]`](#the-copyleft-field) configuration determines its status
+1. If the license is [OSI Approved](https://opensource.org/licenses) or [FSF Free/Libre](https://www.gnu.org/licenses/license-list.en.html), the [`[license.allow-osi-fsf-free]`](#the-allow-osi-fsf-free-field) configuration determines its status
+1. If the license does not match any of the above criteria, it is implicitly **rejected**.
+
 ### The `[licenses]` section
 
-Contains all of the configuration for `cargo deny check license`
+Contains all of the configuration for `cargo deny check license`.
 
 #### The `unlicensed` field
 
 Determines what happens when a crate has not explicitly specified its license terms, and no license
 information could be easily detected via `LICENSE*` files in the crate's source.
 
 * `deny` (default) - All unlicensed crates will emit an error and fail the license check
-* `allow` - All unlicensed crates will be allowed with no feedback
+* `allow` - All unlicensed crates will show a note, but will not fail the license check
 * `warn` - All unlicensed crates will show a warning, but will not fail the license check
 
 #### The `allow` and `deny` fields
 
 The licenses that should be allowed or denied. The license must be a valid SPDX v2.1 identifier, which must either be in version 3.6 of the [SPDX License List](https://spdx.org/licenses/), with an optional [exception](https://spdx.org/licenses/exceptions-index.html) specified by `WITH <exception-id>`, or else a user defined license reference denoted by `LicenseRef-<idstring>` for a license not on the SPDX License List.
 
-The same license cannot appear in both the `allow` and `deny` lists.
+**NOTE:** The same license cannot appear in both the `allow` and `deny` lists.
+
+#### The `copyleft` field
+
+Determines what happens when a license that is considered [copyleft](https://en.wikipedia.org/wiki/Copyleft) is encountered.
+
+* `warn` (default) - Will emit a warning that a copyleft license was detected, but will not fail the license check
+* `deny` - The license is not accepted if it is copyleft, but might not fail the license check if part of an expression that containe
+* `allow` - The license is accepted if it is copyleft
 
 #### The `allow-osi-fsf-free` field
 
@@ -88,6 +106,7 @@ Contains one or more files that will be checked to ensure the license expression
 [licenses]
 unlicensed = "deny"
 allow-osi-fsf-free = "either"
+copyleft = "ignore"
 confidence-threshold = 0.92
 deny = [
     "GPL-3.0-or-later",

deny.toml

@@ -10,18 +10,13 @@ skip = [
     { name = "regex", version = "=0.2.11" },
     { name = "regex-syntax", version = "=0.5.6" },
     { name = "aho-corasick", version = "=0.6.10" },
-
-    # some macro crates use the pre 1.0 syn dependencies
-    { name = "syn", version = "<=0.15" },
-    { name = "proc-macro2", version = "<=0.4" },
-    { name = "quote", version = "<=0.6" },
-    { name = "unicode-xid", version = "=0.1" },
 ]
 
 [licenses]
 unlicensed = "deny"
 unknown = "deny"
 allow-osi-fsf-free = "neither"
+copyleft = "deny"
 # We want really high confidence when inferring licenses from text
 confidence-threshold = 0.93
 allow = [

examples/02_deny_license/Cargo.toml

@@ -6,5 +6,5 @@ license = "MIT AND Apache-2.0"
 edition = "2018"
 
 [[bin]]
-name = "allow-license"
+name = "deny-license"
 path = "main.rs"

examples/03_deny_copyleft/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "deny-copyleft"
+version = "0.1.0"
+authors = ["Jake Shadle <[email protected]>"]
+license = "GPL-3.0 AND MIT"
+edition = "2018"
+
+[[bin]]
+name = "deny-copyleft"
+path = "main.rs"

examples/03_deny_copyleft/README.md

@@ -0,0 +1,25 @@
+# 02_deny_copyleft
+
+This example shows how to explicitly deny certain licenses that will be checked against
+the license requirements of every crate in your dependency graph.
+
+## Requirement
+
+```toml
+license = "MIT AND Apache-2.0"
+```
+
+## Config
+
+```toml
+[licenses]
+allow = [ "MIT" ]
+deny = [ "Apache-2.0" ]
+```
+
+## Description
+
+Just as we can allow specific licenses, we can deny specific ones via `[licenses.deny]`. Note that the license requirement
+has changed to use the operator `AND` instead of `OR` which means that the user is required to license the crate under
+both of the licenses, so even though we still allow `MIT`, our denial of `Apache-2.0` causes the expression to fail and
+cargo-deny to emit an error that we did not accede to the license requirements of the crate.

examples/03_deny_copyleft/deny.toml

@@ -0,0 +1,3 @@
+[licenses]
+allow = [ "MIT" ]
+copyleft = "deny"

examples/03_deny_copyleft/main.rs

@@ -0,0 +1 @@
+fn main() {}

src/cargo-deny/check.rs

@@ -186,7 +186,7 @@ pub fn cmd(
         move || {
             if let Some((summary, lic_cfg)) = lic_cfg {
                 log::info!("checking licenses...");
-                licenses::check_licenses(summary, max_severity, &lic_cfg, send.clone());
+                licenses::check_licenses(summary, &lic_cfg, send.clone());
             }
 
             if let Some(bans) = ban_cfg {