Homebrew / homebrew-core

🍻 Default formulae for the missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

Deprecated SPDX license identifiers are used #182712

Closed leoheitmannruiz closed 1 month ago

leoheitmannruiz commented 2 months ago

brew gist-logs <formula> link OR brew config AND brew doctor output

HOMEBREW_VERSION: 4.3.18
ORIGIN: https://github.com/Homebrew/brew
HEAD: abc0584215659c5a8716d0798ea2801388d01368
Last commit: 2 days ago
Core tap JSON: 26 Aug 16:53 UTC
Core cask tap JSON: 26 Aug 16:53 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: nvim
HOMEBREW_MAKE_JOBS: 8
HOMEBREW_NO_COLOR: set
HOMEBREW_NO_EMOJI: set
HOMEBREW_NO_ENV_HINTS: set
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4_1/bin/ruby
CPU: octa-core 64-bit arm_blizzard_avalanche
Clang: 15.0.0 build 1500
Git: 2.46.0 => /opt/homebrew/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 14.6.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A
Rosetta 2: false

Your system is ready to brew.

Verification

What were you trying to do (and why)?

I was trying to see if Homebrew allows deprecated SPDX identifiers.

What happened (include all command output)?

I found deprecated SPDX identifiers are used.

curl -s https://spdx.org/licenses/licenses.json | 
jq -r '.licenses[] | select(.isDeprecatedLicenseId == true) | .licenseId' | 
while read -r license; do
    grep -r "license \"$license\"$"
done

I also found https://github.com/Homebrew/brew/blob/master/Library/Homebrew/formula_auditor.rb#L221-L232.

It seems to check for deprecated SPDX identifiers. How come deprecated SPDX identifiers are in use, despite this test? When is it run?

Taking a look at the commit log, it seems @cho-m might be interested in this ;)

What did you expect to happen?

I expect deprecated SPDX identifiers not to be used.

Step-by-step reproduction instructions (by running brew commands)

x

leoheitmannruiz commented 2 months ago

Mainly licenses from the GPL family, but also one Net-SNMP :)

ZhongRuoyu commented 2 months ago

The use of deprecated SPDX license identifiers is a known issue, and largely due to legacy code. Your help in fixing those formulae would be appreciated.

> How come deprecated SPDX identifiers are in use, despite this test? When is it run?

It's run for new formulae only.

leoheitmannruiz commented 2 months ago

I sent a PR, but it seemed like it caused the CI to be run for all 277 packages, which seems silly, so I closed it, hoping that would stop the CI.

What should I do?

ZhongRuoyu commented 2 months ago

> What should I do?

I've left you a comment in the PR.

chenrui333 commented 1 month ago

It would be good to ask upstream to confirm the license status first; GPL-2.0 does not naturally mean GPL-2.0-or-later.

The formula/project might be unmaintained in terms of license usage.

chenrui333 commented 1 month ago

Ideally, all the formulae should be treated individually rather than as a blind batch update. :)

SMillerDev commented 1 month ago

If you look at the PR it suggests that the batch update wasn't blind at all, so I think this approach is fine.

leoheitmannruiz commented 1 month ago

What about the three remaining formulae?

curl -s https://spdx.org/licenses/licenses.json |
jq -r '.licenses[] | select(.isDeprecatedLicenseId == true) | .licenseId' |
while read -r license; do
    grep -r "\"$license\""
done
./n/net-snmp.rb:  license "Net-SNMP"
./i/iprint.rb:  license "GPL-2.0"
./i/intercal.rb:  license "GPL-2.0"

leoheitmannruiz commented 1 month ago

intercal seems GPL-2.0-or-later https://web.archive.org/web/20240716025628if_/http://www.catb.org/~esr/intercal/intercal-0.30.tar.gz

leoheitmannruiz commented 1 month ago

iprint will be removed in a few months anyway, so I suppose there's no need to look into it further?

In that case, all that's left is for someone to figure out what licenses Net-SNMP corresponds to :)
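
An added example, not from the thread or from Homebrew's own code: a Ruby version of the scan the two grep loops above perform, restricted to `license` stanzas so that a quoted id elsewhere in a formula is not reported, while ids inside `any_of:`/`all_of:` lists (including multi-line ones) are. The SPDX list subset, the formula sources and the function names are constructed for illustration.

```ruby
require "json"
require "set"

# Constructed subset of the SPDX licenses.json list (same field names as the real file).
SPDX_JSON = <<~JSON
  {"licenses": [
    {"licenseId": "GPL-2.0",      "isDeprecatedLicenseId": true},
    {"licenseId": "GPL-2.0-only", "isDeprecatedLicenseId": false},
    {"licenseId": "Net-SNMP",     "isDeprecatedLicenseId": true}
  ]}
JSON

# Constructed formula sources (hypothetical names, not real homebrew-core files).
FORMULAE = {
  "a/alpha.rb" => <<~FORMULA,
    class Alpha < Formula
      desc 'Checks "GPL-2.0" headers'
      license any_of: ["MIT", "GPL-2.0"]
    end
  FORMULA
  "g/gamma.rb" => <<~FORMULA,
    class Gamma < Formula
      license all_of: [
        "GPL-2.0-only",
        "Net-SNMP",
      ]
    end
  FORMULA
}.freeze

# Ids that the SPDX list marks as deprecated.
def deprecated_ids(json)
  JSON.parse(json)["licenses"].filter_map { |l| l["licenseId"] if l["isDeprecatedLicenseId"] }.to_set
end

# Return [path, line_number, id] for each deprecated id found inside a `license` stanza.
def scan(sources, deprecated)
  sources.flat_map do |path, src|
    depth, in_stanza = 0, false
    src.each_line.with_index(1).flat_map do |line, no|
      in_stanza ||= line.match?(/^\s*license[\s(]/)
      next [] unless in_stanza
      depth += line.count("[{(") - line.count("]})") # track multi-line lists
      in_stanza = false if depth <= 0
      line.scan(/"([^"]+)"/).flatten.filter_map { |id| [path, no, id] if deprecated.include?(id) }
    end
  end
end

scan(FORMULAE, deprecated_ids(SPDX_JSON)).each { |hit| puts hit.join(":") }
```

The scan only reports ids; as noted in the thread, whether a deprecated `GPL-2.0` becomes `GPL-2.0-only` or `GPL-2.0-or-later` still has to be confirmed per formula.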