RFE: warn / error if published crates do not contain necessary LICENSE files #10277

Closed
decathorpe opened this issue Jan 9, 2022 · 2 comments
Labels
C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`

Comments

@decathorpe
Contributor

Problem

Some licenses (most notably, the MIT and Apache-2.0 licenses, which are most commonly chosen for crates) require that redistributed sources contain a copy of the actual license text. In most cases, this is solved by, for example, including LICENSE-MIT and LICENSE-Apache files in the crate's git repository, and having cargo include them in packaged / published crates.

However, there is a non-trivial number of crates that are redistributed on crates.io that are not compliant with this license requirement, as they don't include any license texts. This is also a big problem when building Rust packages for Linux distributions, where compliance with license terms is one of the main hurdles a new package has to take before being included.

Another problem is workspace crates, where the license files are only included in the root of the project's git repository, but not symlinked into workspace members, so they also don't get included in published crates.

A different problem altogether is people using wrong include or exclude statements, which result in important files not getting included in published crates (like license files).

Some crates use "creative" names for their license files, which is also sometimes problematic. Standardizing LICENSE-Foo file names as the expected format would help here, too.

Proposed Solution

It should be safe to require a license file for all SPDX identifiers (?), whether the terms of those licenses require redistributed sources to contain the license text or not.

In this case, parsing the "license" key from Cargo.toml's [package] section into individual licenses (SPDX has a simple grammar), and then checking if LICENSE-Foo files for all licenses are present in the directory created by cargo package should work.

For crates that use a license-file, presence of that file could be checked instead.

TL;DR: cargo can parse the [package] license = "foo" key from Cargo.toml and check whether the expected license files are present in packaged crates. If they are not, it should either warn, or maybe even error out before uploading sources to crates.io. I assume that should also make the operators of crates.io website and service happy, since redistributing source code without license compliance is not a good idea.

Notes

No response
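The check proposed above (split the `[package] license` SPDX expression into identifiers, then look for a LICENSE-Foo file per identifier in the packaged file list), as an added example in Rust. This is not cargo's code and not from the issue author; it assumes the file list is the one `cargo package` would produce, and that LICENSE-Foo may also omit the version suffix (LICENSE-Apache for Apache-2.0), as the issue text does.

```rust
use std::collections::BTreeSet;

/// Split an SPDX expression such as "MIT OR Apache-2.0" or
/// "(MIT OR Apache-2.0) AND Unicode-DFS-2016" into its license identifiers.
/// AND / OR, parentheses and the deprecated "/" separator are dropped; the
/// identifier following WITH is an exception, not a license, so it is skipped.
fn license_ids(expr: &str) -> Vec<String> {
    let mut ids = BTreeSet::new();
    let mut skip_next = false; // set after WITH: the next token is an exception id
    for tok in expr.replace('(', " ").replace(')', " ").replace('/', " ").split_whitespace() {
        match tok.to_ascii_uppercase().as_str() {
            "AND" | "OR" => continue,
            "WITH" => skip_next = true,
            _ if skip_next => skip_next = false,
            _ => { ids.insert(tok.trim_end_matches('+').to_string()); }
        }
    }
    ids.into_iter().collect()
}

/// Drop a trailing version segment ("Apache-2.0" -> "Apache") so the common
/// LICENSE-Apache file name also satisfies the check. Assumed convention, not SPDX.
fn stem_without_version(id: &str) -> String {
    match id.rsplit_once('-') {
        Some((stem, ver)) if ver.starts_with(|c: char| c.is_ascii_digit()) => stem.to_string(),
        _ => id.to_string(),
    }
}

/// License ids from `expr` for which neither LICENSE-<id> nor LICENSE-<stem>
/// (compared case-insensitively) is present among the packaged `files`.
fn missing_license_files(expr: &str, files: &[&str]) -> Vec<String> {
    let present: Vec<String> = files.iter().map(|f| f.to_ascii_uppercase()).collect();
    license_ids(expr)
        .into_iter()
        .filter(|id| {
            let exact = format!("LICENSE-{}", id).to_ascii_uppercase();
            let short = format!("LICENSE-{}", stem_without_version(id)).to_ascii_uppercase();
            !present.iter().any(|f| *f == exact || *f == short)
        })
        .collect()
}

fn main() {
    // Constructed file list standing in for the contents of a packaged .crate.
    let packaged = ["Cargo.toml", "src/lib.rs", "LICENSE-MIT"];
    for id in missing_license_files("MIT OR Apache-2.0", &packaged) {
        println!("warning: no LICENSE-{} file in the package for license `{}`", id, id);
    }
}
```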

@decathorpe decathorpe added the C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` label Jan 9, 2022
@weihanglo
Member

Probably related issue: #9972

@decathorpe
Contributor Author

Oh yeah ... I swear I didn't find that issue when I searched the open issues for cargo. Looks like my RFE is basically asking for the same thing (cargo warning about license non-compliance before publishing crates to crates.io). So, closing in favor of #9972
