
Can't upload package with license OtherLicense

Open patapizza opened this issue 6 years ago • 16 comments

Hi,

We can't upload a package with the license OtherLicense anymore:

Invalid package This server does not accept packages with 'license' field set to e.g. AllRightsReserved. See https://hackage.haskell.org/upload for more information about accepted licenses.

This is related to https://github.com/haskell/hackage-server/issues/710.

Is this not supported anymore by design or is this just a bug?

Thanks!

patapizza avatar Apr 20 '18 22:04 patapizza

Which OtherLicense in particular are you trying to use?

gbaz avatar Apr 21 '18 16:04 gbaz

Yeah, it doesn't let me upload my WTFPL-licensed code now!

l29ah avatar Apr 22 '18 23:04 l29ah

as per the discussion here, spdx lets you specify directly WTFPL as a license if you use cabal-version: 2.2: https://www.reddit.com/r/haskell/comments/87t7nn/releasing_packages_as_public_domain_creative/

However, wtfpl isn't osi approved, and I think the current hackage check would filter on that, as opposed to say, the superset of fsf free or osi approved.

cc @phadej @hvr, etc. We probably need a proper trustee discussion on implications of the license policy?

gbaz avatar Apr 23 '18 00:04 gbaz

Note: FSF approves, but does not recommend

We do not recommend this license. If you want a lax permissive license for a small program, we recommend the X11 license. A larger program usually ought to be copyleft; but if you are set on using a lax permissive license for one, we recommend the Apache 2.0 license since it protects users from patent treachery.

X11 license is more known as MIT

I don't see a point in WTFPL

WTFPL version 2 author Sam Hocevar later confirmed that the WTFPL is a parody of the GPL.

https://softwareengineering.stackexchange.com/questions/149050/should-i-change-the-name-of-the-wtfpl#comment617907_161949

Yet I don't want to spend cycles on debating which licenses are good or bad. "OSI-approved" is a pragmatic choice: SPDX people maintain that meta info. There are no FSF/Debian/Fedora/Ubuntu/etc data in their master files. Neither do I want Hackage to be one more "license approver". Unfortunately we already slightly deviate by allowing (undecided) CC0, which OSI has a lengthy FAQ entry about https://opensource.org/faq#cc-zero, please also read the PD entry.

I'm sincerely sorry that I introduce inconveniences by making software more pedantic.


phadej avatar Apr 23 '18 22:04 phadej

My problem is really that changing license policy should have been done by a hackage admin/trustee decision rather than the process we followed, where we didn't get to have that broad discussion. I think we really should kick one off now. Further, there is data on fsf/libre licenses in the spdx datafiles -- just buried in "details". i.e.: https://github.com/spdx/license-list-data/blob/master/json/details/WTFPL.json. Note that cc0 also has the flag, so it would make our allowance of cc0 less ad-hoc to take the union of the two lists, rather than either of them.

gbaz avatar Apr 24 '18 03:04 gbaz

I'm trying to use OtherLicense as is, as I have a PATENTS file too.

patapizza avatar Apr 24 '18 17:04 patapizza

For reference, this seems to be the facebook patent license: https://hackage.haskell.org/package/duckling-0.1.4.0/src/PATENTS

Ugh, what a minefield this is :-/

This license was quite controversial when introduced, and subsequently many large facebook projects moved to MIT instead: https://code.facebook.com/posts/300798627056246/relicensing-react-jest-flow-and-immutable-js/

However, I guess not all projects did. This license is, afaik, not in the SPDX list at all, so is "legitimately" an OtherLicense. There is also no analogue to it that we could ask FB to "just" relicense to. Honestly I think it is an icky and problematic license, but I also don't think that it is something that fails to meet our general criteria for an appropriate license for hackage to redistribute.

From this discussion it looks like there's not even a clear single SPDX guideline yet on how to handle this: https://lists.spdx.org/pipermail/spdx-legal/2017-August/002123.html

I think the checking code currently prevents WITH clauses in hackage uploads with spdx: https://github.com/haskell/hackage-server/blob/master/Distribution/Server/Packages/Unpack.hs#L517

Perhaps we should loosen things up to allow these exception clauses?

gbaz avatar Apr 24 '18 17:04 gbaz

@gbaz Thanks for debugging this. Is there a way to explicitly allow for OtherLicense in Hackage until the SPDX guidelines clear up?

patapizza avatar Apr 26 '18 16:04 patapizza

I've kicked off a discussion with various hackage admin people. We should be able to sort this out soon-ish, I hope.

gbaz avatar Apr 26 '18 16:04 gbaz

Effective immediately (I just redeployed Hackage a few minutes ago), license: OtherLicense is accepted again for the pre-SPDX cabal spec versions which supported it. This was an unintentional side-effect of updating the licence check to cabal 2.2's SPDX framework; it wasn't intended to affect legacy cabal spec versions before cabal-version: 2.2.

hvr avatar Apr 30 '18 08:04 hvr

I think that should resolve this for now, but we will need a broader discussion to confirm how we intend to handle things as more packages migrate to new cabal-versions that use the spdx framework.

gbaz avatar Apr 30 '18 17:04 gbaz

Thank you!

patapizza avatar May 03 '18 17:05 patapizza

Neither do I want Hackage to be one more "license approver".

Why do you filter for licenses at all then?

l29ah avatar Jun 08 '20 13:06 l29ah

Still an issue today with license: WTFPL:

Error uploading dist-newstyle/sdist/hsendxmpp-0.1.2.5.tar.gz: http code 400
Error: Invalid package

This server does not accept packages with 'license' field set to e.g.
AllRightsReserved. See https://hackage.haskell.org/upload for more information
about accepted licenses.

l29ah avatar Apr 18 '21 12:04 l29ah

I note that the issue is because this is now a cabal 3.0 file, not a legacy 2.2 file. Following the related tickets I see https://github.com/haskell/cabal/pull/6878 is merged and we should be able to start using the new function licenseIsFsfLibre and take the union of osf and fsf as our accepted licenses.

gbaz avatar Jun 07 '21 01:06 gbaz
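
The policy discussed in this thread (union of OSI-approved and FSF-libre licenses, no WITH clauses) can be sketched against Cabal's Distribution.SPDX as follows. This is an added example, not hackage-server's own check; it needs a Cabal library version that provides licenseIsFsfLibre, and the Verdict type, the function names, the handling of OR and `+`, and the sample strings are assumptions made for illustration.

```haskell
module Main (main) where

import Data.Foldable (for_)
import Distribution.Parsec (eitherParsec)
import qualified Distribution.SPDX as SPDX

-- Verdict and all function names below are hypothetical, for illustration only.
data Verdict = Accepted | Rejected String
  deriving (Eq, Show)

-- Assumed policy: the union of OSI-approved and FSF-libre license ids.
idAccepted :: SPDX.LicenseId -> Bool
idAccepted l = SPDX.licenseIsOsiApproved l || SPDX.licenseIsFsfLibre l

checkLicense :: SPDX.License -> Verdict
checkLicense SPDX.NONE = Rejected "NONE: no license granted"
checkLicense (SPDX.License expr) = go expr
  where
    -- AND: every operand must pass; report the first failure.
    go (SPDX.EAnd a b) = case go a of
      Accepted -> go b
      rejected -> rejected
    -- OR: one acceptable alternative is enough (assumption).
    go (SPDX.EOr a b) = case go a of
      Accepted -> Accepted
      _        -> go b
    -- WITH clauses are rejected, as the thread says the current check does.
    go (SPDX.ELicense _ (Just _)) = Rejected "WITH exception clause"
    go (SPDX.ELicense simple Nothing) = goSimple simple

    goSimple (SPDX.ELicenseRef _)    = Rejected "LicenseRef: not on the SPDX list"
    goSimple (SPDX.ELicenseIdPlus l) = goId l
    goSimple (SPDX.ELicenseId l)     = goId l

    goId l
      | idAccepted l = Accepted
      | otherwise    = Rejected (SPDX.licenseId l ++ ": neither OSI approved nor FSF libre")

-- Constructed sample values for the cabal 'license:' field (cabal-version >= 2.2).
samples :: [String]
samples =
  [ "MIT", "WTFPL", "CC0-1.0", "NONE"
  , "GPL-2.0-only WITH Classpath-exception-2.0"
  , "LicenseRef-OtherLicense"
  ]

main :: IO ()
main = for_ samples $ \s ->
  putStrLn $ s ++ " => "
    ++ either ("parse error: " ++) (show . checkLicense) (eitherParsec s)
```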

Here's what we need to change. Should do it before next release https://github.com/haskell/hackage-server/blob/8cebbe6c6341537b1c75281482cc1ca9a5c4153a/Distribution/Server/Packages/Unpack.hs#L505

gbaz avatar Aug 12 '21 23:08 gbaz