EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Bug: Copyleft licenses are exempted from deny by default #602

Closed JonathanWoollett-Light closed 4 months ago

JonathanWoollett-Light commented 5 months ago

Describe the bug

When an allow list of licenses is specified e.g.

[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016"
]

it should deny all licenses not in the list.

Current behavior denies all licenses outside the list, except copyleft licenses.

Thus to also deny copyleft licenses requires:

copyleft = "deny"

This is misleading behavior and a trap by which crates might accidentally introduce copyleft dependencies.

To reproduce

Run `cargo deny check licenses` with a licenses allow list and a dependency whose license is GPL-2.0 and not in the allow list, and see that it passes.

cargo-deny version

cargo-deny 0.14.11

What OS were you running cargo-deny on?

Linux

Additional context

A similar concern https://github.com/EmbarkStudios/cargo-deny/issues/354#issuecomment-1887410425