
formula_auditor: use SPDX data to check for open source licenses.

Open carlocab opened this issue 1 year ago • 7 comments

  • [x] Have you followed the guidelines in our Contributing document?
  • [x] Have you checked to ensure there aren't other open Pull Requests for the same change?
  • [x] Have you added an explanation of what your changes do and why you'd like us to include them?
  • [ ] Have you written new tests for your changes? Here's an example.
  • [x] Have you successfully run brew style with your changes locally?
  • [x] Have you successfully run brew typecheck with your changes locally?
  • [ ] Have you successfully run brew tests with your changes locally?

Follow-up to #13858.

carlocab avatar Sep 13 '22 13:09 carlocab

Review period will end on 2022-09-14 at 13:39:28 UTC.

BrewTestBot avatar Sep 13 '22 13:09 BrewTestBot

Thanks for this!

MikeMcQuaid avatar Sep 13 '22 15:09 MikeMcQuaid

Review period skipped due to critical label.

BrewTestBot avatar Sep 13 '22 15:09 BrewTestBot

Looks like we have 89 formulae that have licenses that are neither isOsiApproved nor isFsfLibre.

We can do one (or possibly multiple) of the following:

  1. Make this check --strict, so that test-bot runs it only for new formulae. We can make this check not require --strict once those formulae have been fixed.
  2. Investigate all those formulae first and fix their license or remove them as appropriate before merging this.
  3. Exclude those formulae from the audit (probably in-line) while they still have problematic licenses to enable merging this and fix them later.
  4. Add a list of licenses we consider open source but are not isOsiApproved/isFsfLibre.

carlocab avatar Sep 13 '22 15:09 carlocab

> Looks like we have 89 formulae that have licenses that are neither isOsiApproved nor isFsfLibre.

Additionally, some of these formulae have multiple licenses, and may have an any_of: that includes a problematic license. They'll be flagged by this audit, even if one might argue that they don't need to be. Dealing with it correctly could get a bit hairy though.

carlocab avatar Sep 13 '22 15:09 carlocab

We don't always strictly follow OSI and FSF approval. We more follow DFSG.

For example, the FreeImage license is not OSI or FSF approved technically, but it's widely accepted as it's very similar to MPL 1.0.

Though in the FreeImage case, it should probably be any_of: ["GPL-2.0-only", "GPL-3.0-only", "FreeImage"] which could avoid the issue in that particular case.

I suppose having it a --new-formula check might be sufficient. However, we should note the list of failures now and investigate each of them.

Bo98 avatar Sep 13 '22 17:09 Bo98

> Additionally, some of these formulae have multiple licenses, and may have an any_of: that includes a problematic license. They'll be flagged by this audit, even if one might argue that they don't need to be. Dealing with it correctly could get a bit hairy though.

Shouldn't be too hairy, IMO. Should only be flagged if all_of these licenses or it has a single license and they are all "bad".

> We don't always strictly follow OSI and FSF approval. We more follow DFSG.

IMO we should just change to follow either OSI or FSF approved as we now have an actual programmatic way of checking/enforcing these.

> I suppose having it a --new-formula check might be sufficient. However, we should note the list of failures now and investigate each of them.

Agreed 👍🏻

MikeMcQuaid avatar Sep 14 '22 11:09 MikeMcQuaid
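To make the `any_of:` / `all_of:` rule discussed above concrete (flag a formula only when every acceptable choice is neither `isOsiApproved` nor `isFsfLibre`, so the proposed FreeImage stanza passes while an `all_of:` containing FreeImage does not), here is an added Ruby example. It is not Homebrew's `formula_auditor` code and not from any commenter. The `SPDX_DATA` hash is constructed for the example rather than loaded from SPDX's `licenses.json`, and the names `open_source_license?`, `open_source?` and `audit_license` are hypothetical.

```ruby
# Added example, not Homebrew's own audit code. Decides whether a formula's
# `license` value names at least one open-source license, using the
# isOsiApproved / isFsfLibre flags carried by the SPDX license list JSON.
# SPDX_DATA is constructed inline for this example; a real check would read
# the "licenses" array of spdx/license-list-data's licenses.json.
require "json"

SPDX_DATA = JSON.parse(<<~'JSON')
  {
    "licenses": [
      { "licenseId": "MIT",          "isOsiApproved": true,  "isFsfLibre": true },
      { "licenseId": "GPL-2.0-only", "isOsiApproved": true,  "isFsfLibre": true },
      { "licenseId": "GPL-3.0-only", "isOsiApproved": true,  "isFsfLibre": true },
      { "licenseId": "FreeImage",    "isOsiApproved": false },
      { "licenseId": "JSON",         "isOsiApproved": false, "isFsfLibre": false }
    ]
  }
JSON

# licenseId => [osi?, fsf?]. isFsfLibre is absent for many SPDX entries
# (FreeImage above); treat absence as "not FSF-libre", not as an error.
LICENSE_FLAGS = SPDX_DATA["licenses"].to_h do |entry|
  [entry["licenseId"], [entry["isOsiApproved"] == true, entry["isFsfLibre"] == true]]
end

# A single SPDX identifier counts as open source if it is OSI-approved
# or FSF-libre. Unknown identifiers are treated as not open source so
# that typos and non-SPDX names surface in the audit instead of passing.
def open_source_license?(id)
  osi, fsf = LICENSE_FLAGS.fetch(id, [false, false])
  osi || fsf
end

# Evaluate a Homebrew-style license value (hypothetical helper):
#   "MIT"                                    -> single identifier
#   :public_domain                           -> not an SPDX id, accepted as-is
#   { any_of: [...] }                        -> passes if ANY alternative passes
#   { all_of: [...] }                        -> passes only if EVERY component passes
#   { "GPL-2.0-only" => { with: "..." } }    -> id plus exception; judge the id
# Nesting (any_of inside all_of and vice versa) is handled by recursion.
def open_source?(license)
  case license
  when String then open_source_license?(license)
  when Symbol then license == :public_domain
  when Hash
    license.all? do |key, value|
      case key
      when :any_of then value.any? { |l| open_source?(l) }
      when :all_of then value.all? { |l| open_source?(l) }
      else open_source?(key)
      end
    end
  else
    false
  end
end

# Audit helper: returns nil when the stanza is acceptable, otherwise a
# message in the style of other formula_auditor problems.
def audit_license(formula_name, license)
  return nil if open_source?(license)

  "#{formula_name}: license #{license.inspect} is neither OSI-approved nor FSF-libre"
end

if $PROGRAM_NAME == __FILE__
  # The FreeImage stanza suggested above passes because GPL-2.0-only is acceptable.
  puts audit_license("freeimage", { any_of: ["GPL-2.0-only", "GPL-3.0-only", "FreeImage"] }).inspect
  puts audit_license("example", { all_of: ["MIT", "FreeImage"] }).inspect
end
```

With this rule the 89 "neither OSI nor FSF" identifiers only produce a problem when a formula leaves no acceptable choice, which is the behaviour MikeMcQuaid describes for `any_of:` versus `all_of:`; identifiers missing from the SPDX data are reported rather than silently accepted.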

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] avatar Oct 06 '22 00:10 github-actions[bot]