cargo deny unknown license warnings
cargo-deny is unable to figure out the license for ring and is generating warnings. The exit code is still 0, so CI should be fine for those using this, but it would be nice to clean up.
Any suggestions for resolving this?
```
$ cargo deny check
warning[L003]: ring = 0.16.20 is unlicensed
  ┌─ ring 0.16.20 (registry+https://github.com/rust-lang/crates.io-index):2:9
  │
2 │ name = "ring"
  │         ^^^^ a valid license expression could not be retrieved for the crate
3 │ version = "0.16.20"
4 │ license = ""
  │            - license expression was not specified
5 │ license-files = [
6 │     { path = "LICENSE", hash = 0xbd0eed23, score = 0.67, license = "OpenSSL" },
  │                                                    ---- low confidence in the license text
  │
  = ring v0.16.20
    ├── rustls v0.20.4
    │   └── ureq v2.4.0
    │       └── mycrate v0.1.0
    ├── sct v0.7.0
    │   └── rustls v0.20.4 (*)
    └── webpki v0.22.0
        ├── rustls v0.20.4 (*)
        ├── ureq v2.4.0 (*)
        └── webpki-roots v0.22.3
            └── ureq v2.4.0 (*)

advisories ok, bans ok, licenses ok, sources ok
```
Ran into this today as well. I am not a license guru so I'll just pile on here and hope it helps others. I'm going to figure out how to make an exception for this crate, since it seems like it's in ISC/MIT license territory. The license file seems large and complex though, so who knows?
https://github.com/briansmith/ring/blob/0f3bf0031a8dbba741b26f1f02ebde6b7db4a3d6/LICENSE#L5-L9
Ah the generated deny.toml has "ring" as the example :D
My exception ended up being:
```toml
[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 }
]
```
and I followed the helpful boilerplate in deny.toml to get there:
```toml
# Some crates don't have (easily) machine readable licensing information,
# adding a clarification entry for it allows you to manually specify the
# licensing information
#[[licenses.clarify]]
# The name of the crate the clarification applies to
#name = "ring"
# The optional version constraint for the crate
#version = "*"
# The SPDX expression for the license requirements of the crate
#expression = "MIT AND ISC AND OpenSSL"
# One or more files in the crate's source used as the "source of truth" for
# the license expression. If the contents match, the clarification will be used
# when running the license check, otherwise the clarification will be ignored
# and the crate will be checked normally, which may produce warnings or errors
# depending on the rest of your configuration
#license-files = [
    # Each entry is a crate relative path, and the (opaque) hash of its contents
    #{ path = "LICENSE", hash = 0xbd0eed23 }
#]
```
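One way to find which dependencies will need a clarification entry like the one above, as an added example that is not part of the original thread or of cargo-deny: it reads JSON in the shape of `cargo metadata --format-version 1` and lists crates that carry no `license` expression. The sample input, the crate names `example-ok` and `example-bare`, and the exact-version pin are assumptions; the expression and hash are left as placeholders to be filled in from the license text and from the cargo-deny warning.

```python
import json

# Constructed sample in the shape of `cargo metadata --format-version 1`,
# trimmed to the fields used here. Not taken from the issue.
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "ring", "version": "0.16.20", "license": None, "license_file": "LICENSE"},
        {"name": "example-ok", "version": "1.2.3", "license": "MIT OR Apache-2.0", "license_file": None},
        {"name": "example-bare", "version": "0.1.0", "license": "", "license_file": None},
    ]
})


def needs_clarification(metadata_json):
    """Return (name, version, license_file) for crates with no license expression."""
    found = []
    for pkg in json.loads(metadata_json)["packages"]:
        # A missing, null, or blank `license` means tools must guess from file text.
        if not (pkg.get("license") or "").strip():
            found.append((pkg["name"], pkg["version"], pkg.get("license_file")))
    return sorted(found, key=lambda entry: entry[:2])


def clarify_stub(name, version, license_file):
    """Render a [[licenses.clarify]] skeleton for a reviewer to complete."""
    lines = [
        "[[licenses.clarify]]",
        f'name = "{name}"',
        # Assumption: pin the exact reviewed version instead of "*".
        f'version = "={version}"',
        'expression = "<SPDX expression after reading the license text>"',
    ]
    if license_file:
        lines += [
            "license-files = [",
            f'    {{ path = "{license_file}", hash = <hash from the cargo-deny warning> }}',
            "]",
        ]
    else:
        lines.append("# no license file declared: inspect the crate source by hand")
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in needs_clarification(SAMPLE_METADATA):
        print(clarify_stub(*entry), end="\n\n")
```

On a real project, pass the output of `cargo metadata --format-version 1` to `needs_clarification` in place of the sample.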
@jakswa if not something that can be fixed here, would this be worth reporting to the cargo-deny project to solve more "officially"?
> @jakswa if not something that can be fixed here, would this be worth reporting to the cargo-deny project to solve more "officially"?
If that question was directed at me, I would have to bow out :bow:. I'm not a contributor to either of these repos/tools. If things don't improve organically, it seems like cargo-deny has built a documented path to get around it, which I followed above.
Adding license = "ISC AND MIT AND OpenSSL" to Cargo.toml would solve this problem.
This is a dupe of #902.
OK, closing this as a duplicate of #902.