EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Easy access to FSF Free/Libre and OSI Approved licenses #666

Open daniel-pfeiffer opened 3 weeks ago

daniel-pfeiffer commented 3 weeks ago

In the generated deny.toml, you point to https://spdx.org/licenses/.

But you don't accept the listed any-OSI. Nor is it clear which meta-licence covers the FSF column. FSFAP is the only FSF* licence with a Y in the FSF column, but also doesn't include them all.

I fear the last 2 columns might not actually constitute categories of licences which don't contradict each other. If they do, it would help a lot to make these categories accessible with one specifier!

If not, assuming someone has even analyzed this, it would help to point out these contradictions for any crate that is incompatible with its dependencies! If you could also show which licenses, if any, would make it compatible, that would be genius!

Jake-Shadle commented 1 week ago

> But you don't accept the listed any-OSI. Nor is it clear which meta-licence covers the FSF column. FSFAP is the only FSF* licence with a Y in the FSF column, but also doesn't include them all.

any-OSI is accepted... but only for crates that actually use that license, not for any license that is OSI approved. I don't know why that is its SPDX id. There is no such thing as a "meta-license". cargo-deny used to have https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-osi-fsf-free-field-optional to allow OSI and/or FSF licenses, but it's being removed since it is more explicit to just allow select licenses; the total set of licenses a project will end up using is generally quite low.

> I fear the last 2 columns might not actually constitute categories of licences which don't contradict each other. If they do, it would help a lot to make these categories accessible with one specifier!

This is partly why the option to choose them is being removed in favor of only allowing licenses by explicit ID.

> If not, assuming someone has even analyzed this, it would help to point out these contradictions for any crate that is incompatible with its dependencies! If you could also show which licenses, if any, would make it compatible, that would be genius!

I'm not sure what you mean by this; are you saying you want cargo-deny to tell you if two licenses cannot be used together?
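An added illustration of the explicit-ID policy Jake-Shadle describes above (example code written for this page, not cargo-deny's or the `spdx` crate's implementation): a small SPDX license-expression evaluator that accepts a crate's license expression only when it can be satisfied from an explicit list of SPDX IDs. The policy details are this example's assumptions, not a description of cargo-deny's exact matching rules: an ID matches only when it is listed verbatim, `ID WITH exception` is treated as its own entry, and no OSI/FSF category is consulted, so `any-OSI` is accepted only if it is itself in the list.

```rust
// Added example for this thread (not cargo-deny's or the `spdx` crate's code):
// a minimal SPDX license-expression evaluator applying the explicit-ID policy
// discussed above. Assumed policy: an ID must be listed verbatim to match, and
// `ID WITH exception` counts as its own entry.

/// One leaf of an expression, e.g. `Apache-2.0 WITH LLVM-exception`.
#[derive(Debug, Clone, PartialEq)]
pub struct LicenseReq { pub id: String, pub exception: Option<String> }

#[derive(Debug)]
pub enum Expr { Req(LicenseReq), And(Box<Expr>, Box<Expr>), Or(Box<Expr>, Box<Expr>) }

impl Expr {
    /// `allowed` decides each leaf; AND/OR combine the results.
    pub fn evaluate(&self, allowed: &dyn Fn(&LicenseReq) -> bool) -> bool {
        match self {
            Expr::Req(r) => allowed(r),
            Expr::And(a, b) => a.evaluate(allowed) && b.evaluate(allowed),
            Expr::Or(a, b) => a.evaluate(allowed) || b.evaluate(allowed),
        }
    }
}

/// Split on whitespace, keeping parentheses as their own tokens.
fn tokenize(s: &str) -> Vec<String> {
    let mut toks = Vec::new();
    let mut cur = String::new();
    for c in s.chars() {
        if c == '(' || c == ')' || c.is_whitespace() {
            if !cur.is_empty() { toks.push(std::mem::take(&mut cur)); }
            if !c.is_whitespace() { toks.push(c.to_string()); }
        } else {
            cur.push(c);
        }
    }
    if !cur.is_empty() { toks.push(cur); }
    toks
}

// Recursive descent; precedence lowest to highest: OR, AND, WITH, parentheses.
struct Parser { toks: Vec<String>, pos: usize }

impl Parser {
    fn peek_is(&self, kw: &str) -> bool { self.toks.get(self.pos).map_or(false, |t| t.as_str() == kw) }
    fn next(&mut self) -> Option<String> { self.pos += 1; self.toks.get(self.pos - 1).cloned() }
    fn or_expr(&mut self) -> Result<Expr, String> {
        let mut lhs = self.and_expr()?;
        while self.peek_is("OR") {
            self.pos += 1;
            lhs = Expr::Or(Box::new(lhs), Box::new(self.and_expr()?));
        }
        Ok(lhs)
    }
    fn and_expr(&mut self) -> Result<Expr, String> {
        let mut lhs = self.atom()?;
        while self.peek_is("AND") {
            self.pos += 1;
            lhs = Expr::And(Box::new(lhs), Box::new(self.atom()?));
        }
        Ok(lhs)
    }
    fn atom(&mut self) -> Result<Expr, String> {
        let t = self.next().ok_or("unexpected end of expression")?;
        if t == "(" {
            let inner = self.or_expr()?;
            return match self.next() {
                Some(c) if c == ")" => Ok(inner),
                _ => Err("expected ')'".to_string()),
            };
        }
        if matches!(t.as_str(), ")" | "AND" | "OR" | "WITH") {
            return Err(format!("unexpected token '{t}'"));
        }
        // `WITH` binds tighter than AND/OR and attaches an exception to this ID.
        let exception = if self.peek_is("WITH") {
            self.pos += 1;
            Some(self.next().ok_or("expected an exception id after WITH")?)
        } else {
            None
        };
        Ok(Expr::Req(LicenseReq { id: t, exception }))
    }
}

pub fn parse(expr: &str) -> Result<Expr, String> {
    let mut p = Parser { toks: tokenize(expr), pos: 0 };
    let e = p.or_expr()?;
    if p.pos != p.toks.len() { return Err(format!("trailing input at token {}", p.pos)); }
    Ok(e)
}

/// Explicit-allow-list check: true if the expression can be satisfied using
/// only the listed IDs. Categories such as "OSI approved" play no role, so an
/// ID like "any-OSI" matches only when it is itself listed.
pub fn is_allowed(expr: &str, allow: &[&str]) -> Result<bool, String> {
    let e = parse(expr)?;
    Ok(e.evaluate(&|req: &LicenseReq| {
        let key = req.exception.as_ref().map_or(req.id.clone(), |ex| format!("{} WITH {}", req.id, ex));
        allow.iter().any(|a| *a == key)
    }))
}
```

With `allow = ["MIT", "Apache-2.0"]`, `is_allowed("MIT OR Apache-2.0", &allow)` returns `Ok(true)` and `is_allowed("any-OSI", &allow)` returns `Ok(false)`; a malformed expression such as `"MIT OR"` returns an error rather than silently passing, which is the behaviour you want from a policy check that runs in CI.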