
NuGet package license URL has changed the meaning

Open lg2de opened this issue 11 months ago • 5 comments

There are several NuGet packages (e.g. System.Buffers 4.3.0) on nuget.org that use the URL http://go.microsoft.com/fwlink/?LinkId=329770 as license information. At the time these packages were released, the URL was redirected to https://dotnet.microsoft.com/dotnet_library_license.htm. This means that these packages are licensed under the "MICROSOFT SOFTWARE LICENSE TERMS" "MICROSOFT .NET LIBRARY".

According to archive.org, the redirect was changed to https://github.com/dotnet/core/blob/main/license-information.md on September 12, 2024. (This document was created and updated with #9069 and #9440.) The new documentation states: "This document is provided for informative purposes only and is not itself a license."

So, old packages no longer have valid license information.

lg2de avatar Dec 13 '24 10:12 lg2de

cc @richlander @jkotas @leecow

CarnaViire avatar Dec 17 '24 14:12 CarnaViire

I don't know why that change was made. I don't have access to that link (via our internal link database). We could change it to point to MIT but I don't know what the scope of usage is for that link.

I see that new System.Buffers packages are correctly stating their license, with the latest version.

https://github.com/dotnet/maintenance-packages/blob/51e098d3161fcc48e9f3cee414df9df3e8b0fcac/Directory.Build.props#L7

We want all license statements/references to be correct, however, if the latest supported is correct, we consider that good enough. We only support the latest version.

We wrote a document that describes which license each asset should be using: https://github.com/dotnet/runtime/blob/main/docs/project/licensing-assets.md

Related: https://github.com/dotnet/runtime/issues/108905

richlander avatar Dec 17 '24 15:12 richlander

Older versions of packages are in the world. If you want to ensure that the packages are used under the correct license, the linked license information shall be correct. So far I understood that these old packages are licensed under .NET Library License. So, the redirect shall point to this document.

We already have an automated process of license analysis. Please advise, how to interpret the link http://go.microsoft.com/fwlink/?LinkId=329770

lg2de avatar Dec 17 '24 16:12 lg2de

> So far I understood that these old packages are licensed under .NET Library License.

It's possible that some of the old packages were intended to use that license, but most of them were not. We made a variety of licensing mistakes like this over time. We didn't have a clear document written on what we were supposed to do so we were using a more ad hoc approach. That's the part that was recently fixed.

> Please advise, how to interpret the link http://go.microsoft.com/fwlink/?LinkId=329770

It is describing the license burden of using the various assets we provide. We just updated that text to make it easier to consume/understand. The update doesn't change the terms, but (hopefully) increases clarity.

richlander avatar Dec 19 '24 17:12 richlander

So far, the information is less clear to me. Once you stated:

> It's possible that some of the old packages were intended to use that license, but most of them were not.

That means that some packages (which?) are licensed under .NET Library License. But, the current document states:

> Library packages use the MIT license, for example System.Text.Json.

How to know which package is released under which license? In the past it seems to be clear, now: total confusion.

lg2de avatar Jan 06 '25 08:01 lg2de