formula_auditor: use SPDX data to check for open source licenses.
- [x] Have you followed the guidelines in our Contributing document?
- [x] Have you checked to ensure there aren't other open Pull Requests for the same change?
- [x] Have you added an explanation of what your changes do and why you'd like us to include them?
- [ ] Have you written new tests for your changes? Here's an example.
- [x] Have you successfully run `brew style` with your changes locally?
- [x] Have you successfully run `brew typecheck` with your changes locally?
- [ ] Have you successfully run `brew tests` with your changes locally?
Follow-up to #13858.
Review period will end on 2022-09-14 at 13:39:28 UTC.
Thanks for this!
Review period skipped due to critical label.
Looks like we have 89 formulae that have licenses that are neither `isOsiApproved` nor `isFsfLibre`.
We can do one (or possibly multiple) of the following:
- Make this check `--strict`, so that `test-bot` runs it only for new formulae. We can make this check not require `--strict` once those formulae have been fixed.
- Investigate all those formulae first and fix their license or remove them as appropriate before merging this.
- Exclude those formulae from the audit (probably in-line) while they still have problematic licenses to enable merging this and fix them later.
- Add a list of licenses we consider open source but are not `isOsiApproved`/`isFsfLibre`.
> Looks like we have 89 formulae that have licenses that are neither `isOsiApproved` nor `isFsfLibre`.

Additionally, some of these formulae have multiple licenses, and may have an `any_of:` that includes a problematic license. They'll be flagged by this audit, even if one might argue that they don't need to be. Dealing with it correctly could get a bit hairy though.
We don't always strictly follow OSI and FSF approval. We more follow DFSG.
For example, the FreeImage license is not OSI or FSF approved technically, but it's widely accepted as it's very similar to MPL 1.0.
Though in the FreeImage case, it should probably be `any_of: ["GPL-2.0-only", "GPL-3.0-only", "FreeImage"]`, which could avoid the issue in that particular case.
I suppose having it a `--new-formula` check might be sufficient. However, we should note the list of failures now and investigate each of them.
> Additionally, some of these formulae have multiple licenses, and may have an `any_of:` that includes a problematic license. They'll be flagged by this audit, even if one might argue that they don't need to be. Dealing with it correctly could get a bit hairy though.

Shouldn't be too hairy, IMO. Should only be flagged if `all_of` these licenses or it has a single license and they are all "bad".

> We don't always strictly follow OSI and FSF approval. We more follow DFSG.

IMO we should just change to follow either OSI or FSF approved as we now have an actual programmatic way of checking/enforcing these.

> I suppose having it a `--new-formula` check might be sufficient. However, we should note the list of failures now and investigate each of them.

Agreed 👍🏻
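A worked version of the `any_of`/`all_of` flagging rule discussed in this thread, written as an added Ruby example (not code from this PR or from Homebrew's `formula_auditor`). It assumes a constructed subset of the SPDX license list using the `licenseId`/`isOsiApproved`/`isFsfLibre` field names from SPDX's `licenses.json`, and takes the formula license value as either a String or a Hash with `:any_of`/`:all_of` keys, matching the DSL in the FreeImage example above:

```ruby
require "json"

# Constructed subset of the SPDX license list (same field names as SPDX's
# licenses.json); FreeImage's flags follow the discussion above, the others are
# illustrative. Keyed by licenseId for lookup.
SPDX_SUBSET = JSON.parse(<<~SPDX_JSON).fetch("licenses").to_h { |l| [l["licenseId"], l] }
  {"licenses": [
    {"licenseId": "MIT",          "isOsiApproved": true,  "isFsfLibre": true},
    {"licenseId": "GPL-2.0-only", "isOsiApproved": true,  "isFsfLibre": true},
    {"licenseId": "GPL-3.0-only", "isOsiApproved": true,  "isFsfLibre": true},
    {"licenseId": "FreeImage",    "isOsiApproved": false, "isFsfLibre": false},
    {"licenseId": "JSON",         "isOsiApproved": false, "isFsfLibre": false}
  ]}
SPDX_JSON

# A single identifier passes if SPDX marks it OSI-approved or FSF-libre.
# Identifiers missing from the list fail closed, so typos are flagged as well.
def license_acceptable?(id)
  entry = SPDX_SUBSET[id.to_s]
  return false if entry.nil?
  (entry["isOsiApproved"] || entry["isFsfLibre"]) == true
end

# Returns true when the license spec should be flagged by the audit:
#   single license -> flagged if it is not acceptable
#   all_of [...]   -> flagged if any member is flagged (every part must be OK)
#   any_of [...]   -> flagged only if every member is flagged (one OK choice suffices)
# Nested hashes recurse; Homebrew's special symbol values are out of scope here.
def flag_license?(spec)
  case spec
  when String
    !license_acceptable?(spec)
  when Hash
    spec.any? do |combinator, members|
      case combinator
      when :all_of then members.any? { |m| flag_license?(m) }
      when :any_of then members.all? { |m| flag_license?(m) }
      else raise ArgumentError, "unknown license combinator #{combinator.inspect}"
      end
    end
  else
    raise ArgumentError, "unsupported license spec #{spec.inspect}"
  end
end

# The FreeImage case: flagged alone, not flagged once offered as one of several choices.
if __FILE__ == $PROGRAM_NAME
  puts flag_license?("FreeImage")                                              # true
  puts flag_license?({ any_of: ["GPL-2.0-only", "GPL-3.0-only", "FreeImage"] }) # false
end
```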
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.