EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Bug: adding 'version=2' makes license checks start failing. #628

Closed eric-seppanen closed 4 months ago

eric-seppanen commented 4 months ago

Describe the bug

I upgraded my deny.toml to use version = 2 in the [licenses] section.

After making that change, a new failure appears, due to the license string "LGPL-2.1-or-later WITH GCC-exception-2.0" in the systemd crate:

error[rejected]: failed to satisfy license requirements
  ┌─ systemd 0.10.0 (registry+https://github.com/rust-lang/crates.io-index):4:12
  │
4 │ license = "LGPL-2.1-or-later WITH GCC-exception-2.0"
  │            ^^^^^^^^^^^^^^^^^-----------------------
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license was not explicitly allowed
  │
  = LGPL-2.1 - GNU Lesser General Public License v2.1 only:
  =   - **DEPRECATED**
  =   - OSI approved
  =   - FSF Free/Libre
  =   - Copyleft
  = systemd v0.10.0
    └── license-test v0.1.0

I have tried allowing LGPL-2.1, and that fails with the same message. I also tried LGPL-2.1-or-later WITH GCC-exception-2.0, LGPL-2.1-or-later, LGPL-2.1+, but those appear to be the wrong syntax.

I have read through #606 and #611, and I wasn't able to figure out why this behavior changed.

To reproduce

A small project that shows the problem:

deny.toml

[licenses]
# Uncomment to see the problem
#version = 2

# List of explicitly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
    "MIT",
    "Unicode-DFS-2016",
    "Unlicense",
]

Cargo.toml

[package]
name = "license-test"
version = "0.1.0"
edition = "2021"
license = "MIT"

[dependencies]
systemd = "0.10.0"

cargo-deny version

cargo-deny 0.14.16

What OS were you running cargo-deny on?

Linux

Additional context

No response

eric-seppanen commented 4 months ago

I found a string that works: LGPL-2.1-or-later WITH GCC-exception-2.0 -> LGPL-2.1 WITH GCC-exception-2.0, though I'm not sure if I was supposed to add + to reflect the -or-later part.

I'm still puzzled why the behavior changed when I added version = 2.

Jake-Shadle commented 4 months ago

This is documented. As are the annoyances with GPLish licenses.

eric-seppanen commented 4 months ago

I have read that documentation, and I'm afraid I don't understand which part of the version = 2 changes trigger different behavior with this license. Can you clarify?

Jake-Shadle commented 4 months ago

Copyleft licenses are warn by default before setting version = 2.

eric-seppanen commented 4 months ago

Thanks for the clarification. I was going back through my output when I figured out part of my problem: I was confused because license warnings don't look the same as license deny errors.

My naive expectation is that a license warning and a license error would look similar, but one would fail the check and the other wouldn't.

A license warning says warning[accepted]: license requirements satisfied, which I found (and still find) kind of misleading. It seems to be asserting something that's not true! The license requirements were not satisfied.

Jake-Shadle commented 4 months ago

That was one of the issues that this deprecation is addressing.
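The thread boils down to two rules: an allow entry has to match the whole licence-plus-exception term (a bare "LGPL-2.1" never satisfies "LGPL-2.1-or-later WITH GCC-exception-2.0", while "LGPL-2.1 WITH GCC-exception-2.0" does), and a copyleft licence that is not explicitly allowed only warns under version 1 but is rejected under version 2. The Python below is an added model of that allow-list matching written for this page; it is not cargo-deny's code or the spdx crate's parser. It handles only flat AND/OR/WITH expressions without parentheses, treats "+" and "-or-later" as a flag that does not block a match against the base id (consistent with the reporter's finding), uses a constructed copyleft set, and assumes that any non-copyleft term that is not allowed is rejected under both versions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of SPDX ids that cargo-deny's output labels "Copyleft".
# The real classification comes from the spdx crate; this set is illustrative only.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "AGPL-3.0"}


@dataclass(frozen=True)
class Term:
    """One licence term, e.g. LGPL-2.1-or-later WITH GCC-exception-2.0."""
    license_id: str           # base id with any "+", "-or-later" or "-only" suffix removed
    or_later: bool            # True when the term carried "+" or "-or-later"
    exception: Optional[str]  # the id after WITH, or None


def parse_term(text: str) -> Term:
    text = text.strip()
    exception = None
    if " WITH " in text:
        text, exception = (part.strip() for part in text.split(" WITH ", 1))
    or_later = False
    if text.endswith("+"):
        text, or_later = text[:-1], True
    elif text.endswith("-or-later"):
        text, or_later = text[: -len("-or-later")], True
    elif text.endswith("-only"):
        text = text[: -len("-only")]
    return Term(text, or_later, exception)


def parse_expression(expression: str) -> List[List[Term]]:
    """Flat expression -> list of OR-alternatives, each a list of AND-ed terms.
    Parentheses are not handled; this model only needs the shapes seen in the thread."""
    return [[parse_term(t) for t in alt.split(" AND ")]
            for alt in expression.split(" OR ")]


def term_allowed(term: Term, allow: List[Term]) -> bool:
    # An allow entry must name the same base id AND the same exception.
    # "LGPL-2.1" alone therefore never satisfies "LGPL-2.1-or-later WITH GCC-exception-2.0";
    # the or-later flag on the crate side is not required on the allow side (model assumption
    # matching the reporter's observation).
    return any(a.license_id == term.license_id and a.exception == term.exception
               for a in allow)


def check_license(expression: str, allow: List[str], version: int) -> str:
    """Return "accepted", "warning" or "rejected" for a crate's licence expression."""
    allow_terms = [parse_term(a) for a in allow]
    alternatives = parse_expression(expression)
    # Satisfied when every term of at least one OR-alternative is explicitly allowed.
    if any(all(term_allowed(t, allow_terms) for t in alt) for alt in alternatives):
        return "accepted"
    unmatched = [t for alt in alternatives for t in alt if not term_allowed(t, allow_terms)]
    # version 1: copyleft is "warn" by default, so the check passes with a warning.
    # version 2: no copyleft fallback; anything not explicitly allowed is rejected.
    if version == 1 and all(t.license_id in COPYLEFT for t in unmatched):
        return "warning"
    return "rejected"


if __name__ == "__main__":
    systemd = "LGPL-2.1-or-later WITH GCC-exception-2.0"  # licence string of the systemd 0.10.0 crate
    for version in (1, 2):
        for allow in (["MIT"], ["MIT", "LGPL-2.1"], ["MIT", "LGPL-2.1 WITH GCC-exception-2.0"]):
            print(f"version={version} allow={allow}: {check_license(systemd, allow, version)}")
```

Running it reproduces the thread: with only MIT allowed the systemd crate warns under version 1 and is rejected under version 2; adding "LGPL-2.1" changes nothing because the exception is unmatched; adding "LGPL-2.1 WITH GCC-exception-2.0" is accepted under both versions.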