homebrew-core
Deprecated SPDX license identifiers are used
brew gist-logs <formula> link OR brew config AND brew doctor output
HOMEBREW_VERSION: 4.3.18
ORIGIN: https://github.com/Homebrew/brew
HEAD: abc0584215659c5a8716d0798ea2801388d01368
Last commit: 2 days ago
Core tap JSON: 26 Aug 16:53 UTC
Core cask tap JSON: 26 Aug 16:53 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: nvim
HOMEBREW_MAKE_JOBS: 8
HOMEBREW_NO_COLOR: set
HOMEBREW_NO_EMOJI: set
HOMEBREW_NO_ENV_HINTS: set
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4_1/bin/ruby
CPU: octa-core 64-bit arm_blizzard_avalanche
Clang: 15.0.0 build 1500
Git: 2.46.0 => /opt/homebrew/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 14.6.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A
Rosetta 2: false
Your system is ready to brew.
Verification
- [X] My `brew doctor` output says `Your system is ready to brew.` and am still able to reproduce my issue.
- [X] I ran `brew update` and am still able to reproduce my issue.
- [X] I have resolved all warnings from `brew doctor` and that did not fix my problem.
- [X] I searched for recent similar issues at https://github.com/Homebrew/homebrew-core/issues?q=is%3Aissue and found no duplicates.
What were you trying to do (and why)?
I was trying to see if Homebrew allows deprecated SPDX identifiers.
What happened (include all command output)?
I found deprecated SPDX identifiers are used.
```sh
curl -s https://spdx.org/licenses/licenses.json |
  jq -r '.licenses[] | select(.isDeprecatedLicenseId == true) | .licenseId' |
  while read -r license; do
    grep -r "license \"$license\"$"
  done
```
I also found https://github.com/Homebrew/brew/blob/master/Library/Homebrew/formula_auditor.rb#L221-L232.
It seems to check for deprecated SPDX identifiers. How come deprecated SPDX identifiers are in use, despite this test? When is it run?
Taking a look at the commit log, it seems @cho-m might be interested in this ;)
What did you expect to happen?
I expect deprecated SPDX identifiers not to be used.
Step-by-step reproduction instructions (by running brew commands)
x
Mainly licenses from the GPL family, but also one Net-SNMP :)
The use of deprecated SPDX license identifiers is a known issue, and largely due to legacy code. Your help in fixing those formulae would be appreciated.
> How come deprecated SPDX identifiers are in use, despite this test? When is it run?
It's run for new formulae only.
I sent a PR, but it seemed like it caused the CI to be run for all 277 packages, which seems silly, so I closed it, hoping that would stop the CI.
What should I do?
> What should I do?
I've left you a comment in the PR.
It would be good to ask upstream to confirm the license status first; GPL-2.0 does not naturally mean GPL-2.0-or-later.
The formula/project might be unmaintained in terms of license usage.
Ideally, all the formulae should be treated individually rather than by a blind batch update. :)
If you look at the PR it suggests that the batch update wasn't blind at all, so I think this approach is fine.
What about the three remaining formulae?
```sh
curl -s https://spdx.org/licenses/licenses.json |
  jq -r '.licenses[] | select(.isDeprecatedLicenseId == true) | .licenseId' |
  while read -r license; do
    grep -r "\"$license\""
  done
```

```
./n/net-snmp.rb: license "Net-SNMP"
./i/iprint.rb: license "GPL-2.0"
./i/intercal.rb: license "GPL-2.0"
```
intercal seems GPL-2.0-or-later https://web.archive.org/web/20240716025628if_/http://www.catb.org/~esr/intercal/intercal-0.30.tar.gz
iprint will be removed in a few months anyway, so I suppose there's no need to look into it further?
In that case, all that's left is for someone to figure out what licenses Net-SNMP corresponds to :)
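
The check discussed in this thread, as an added Ruby example (not code from any participant or from Homebrew). It goes a little beyond the grep loops: it compares identifiers as exact strings and also reads multi-line `any_of:`/`all_of:` license lists. The sample JSON, the formula bodies and the function names are constructed for illustration.

```ruby
require "json"
require "set"

# Constructed sample shaped like https://spdx.org/licenses/licenses.json (two fields only).
SAMPLE_SPDX_JSON = <<~JSON
  {"licenses": [
    {"licenseId": "GPL-2.0",          "isDeprecatedLicenseId": true},
    {"licenseId": "GPL-2.0-or-later", "isDeprecatedLicenseId": false},
    {"licenseId": "Net-SNMP",         "isDeprecatedLicenseId": true},
    {"licenseId": "MIT",              "isDeprecatedLicenseId": false}
  ]}
JSON

# Constructed formula bodies; paths and contents are illustrative only.
SAMPLE_FORMULAE = {
  "a/alpha.rb" => %(  license "GPL-2.0"\n),
  "b/beta.rb"  => %(  license any_of: [\n    "MIT",\n    "Net-SNMP",\n  ]\n),
  "g/gamma.rb" => %(  # was: license "GPL-2.0"\n  license "GPL-2.0-or-later"\n),
}.freeze

# Set of identifiers the SPDX list marks as deprecated.
def deprecated_ids(spdx_json)
  JSON.parse(spdx_json).fetch("licenses")
      .filter_map { |l| l["licenseId"] if l["isDeprecatedLicenseId"] }.to_set
end

# Quoted strings inside each `license` statement, following multi-line
# any_of:/all_of: arrays by tracking bracket depth; comments are ignored.
def license_ids(source)
  ids = []
  depth = nil # nil means "not inside a license statement"
  source.each_line do |line|
    code = line.sub(/#.*/, "")
    depth = 0 if depth.nil? && code.match?(/^\s*license\b/)
    next if depth.nil?
    ids.concat(code.scan(/"([^"]+)"/).flatten)
    depth += code.count("[{(") - code.count("]})")
    depth = nil if depth <= 0
  end
  ids
end

# Map of path => deprecated identifiers found, compared as exact strings.
def audit(formulae, deprecated)
  formulae.each_with_object({}) do |(path, source), hits|
    bad = license_ids(source).select { |id| deprecated.include?(id) }
    hits[path] = bad unless bad.empty?
  end
end

puts audit(SAMPLE_FORMULAE, deprecated_ids(SAMPLE_SPDX_JSON)).inspect if $PROGRAM_NAME == __FILE__
```

To run it against a real checkout, replace the two constants with the downloaded `licenses.json` and the contents of the formula files.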