Formulae missing license stanza

[SeekingMeaning]

See https://github.com/SeekerTestBot/license-checklist/blob/master/all.md

Valid license list: https://spdx.org/licenses/

[SeekingMeaning]

• sflowtool: https://github.com/sflow/sflowtool/blob/master/COPYING
• semtag: pnikosis/semtag#15

[miccal]

Would anyone know what licence code to use for the sqlite family of formula:

All of the code and documentation in SQLite has been dedicated to the public domain by the authors.

[gromgit]

SPDX says blessing.

[miccal]

Thank you @gromgit -- I should have searched for the word sqlite on that list :)

[SMillerDev]

@SeekingMeaning could you remove the formula that doesn't have a valid license and disable the one that doesn't have any license?

[miccal]

Please see the PR https://github.com/Homebrew/homebrew-core/pull/58414 for an example of how to handle formula with multiple licenses.

[miccal]

I have 97 formula installed on my machine, and I figured that the best place to start helping with this issue was to add a license stanza to each of my installed formula.

Of the 97 formula I have installed, 93 of them now have a license stanza, leaving just 4 without. These are:

• docbook

• gd

• popt

• qt

For docbook, I have no idea.

For gd their licence is here, but I am not sure what to call it.

For popt their license is here -- could this be RHeCos-1.1?

For qt their license is detailed here, but I am not sure what to call it.

[jonchang]

Pretty sure qt is LGPL3: https://doc.qt.io/qt-5/opensourcelicense.html

popt looks like MIT with an advertising clause.

gd... looks like a weird MIT but it's hard to say.

[gromgit]

popt is X11, though Erik Troan forgot to change the reference to "X Consortium" in the final paragraph.

docbook seems to sport a custom license from OASIS. gd's license is also a custom job.

[jonchang]

Let's cheat and just look at what Debian says: https://salsa.debian.org/debian/docbook5-xml/-/raw/master/debian/copyright

I believe our docbook formula only includes the DTD and schemas, so it's the much shorter DTD license instead of the long specification license.

[gromgit]

The DocBook DTD/schema license looks like a condensed MIT, though I'm not sure it's legally equivalent.

I guess it boils down to the purpose of this whole licensing issue (apologies if I missed any previous discussion). If it's simply to record software licenses in a form that can be looked up on SPDX, then "MIT" is probably the closest match.

[MikeMcQuaid]

Pretty sure qt is LGPL3: https://doc.qt.io/qt-5/opensourcelicense.html

Qt has multiple licenses: LGPLv3 for some bits, GPLv3 for others and all available under commercial licenses.

[miccal]

So in summary:

• docbook --> license "MIT"

• gd --> license "MIT"

• popt --> license "X11"

• qt --> license "LGPL-3.0" with a comment # license ["LGPL-3.0", "GPL-3.0"] - pending https://github.com/Homebrew/brew/pull/7953

Thoughts?

[chenrui333]

haxe license is little bit complicated:

• The Haxe Compiler (GPLv2+)
• The Haxe Standard Library (MIT)
• Neko (MIT and others)

[chenrui333]

https://github.com/rharder/imagesnap#a-note-about-public-domain

I have released this software into the Public Domain. That means you can do whatever you want with it. Really. You don't have to match it up with any other open source license — just use it. You can rename the files, do whatever you want. If your lawyers say you have to have a license, contact me, and I'll make a special release to you under whatever reasonable license you desire: MIT, BSD, GPL, whatever.

[chenrui333]

jsmin missing license (https://github.com/douglascrockford/JSMin/issues/7#issue-3561785)

[jonchang]

https://github.com/rharder/imagesnap#a-note-about-public-domain

I have released this software into the Public Domain. That means you can do whatever you want with it. Really. You don't have to match it up with any other open source license — just use it. You can rename the files, do whatever you want. If your lawyers say you have to have a license, contact me, and I'll make a special release to you under whatever reasonable license you desire: MIT, BSD, GPL, whatever.

We might need to remove this formula or let it go without a license. Alternatively we can ask the author to license it under e.g. CC0 since "public domain" isn't really a thing: https://wiki.spdx.org/view/Legal_Team/Decisions/Dealing_with_Public_Domain_within_SPDX_Files

jsmin missing license (douglascrockford/JSMin#7 (comment))

We will probably have to remove jsmin since it doesn't comply with DFSG.

[Rylan12]

Question about rbenv-gemset:

According to the README:

License

This code is placed in the public domain by the author, Jamis Buck. Use it as you wish. Please prefer good over evil.

In #59026 this was added as Unlicense but this isn't the Unlicense license text.

It looks like the same situation as imagesnap mentioned above. What was decided? I think rbenv-gemset should be handled in a similar way.

Edit same for re2c. We should decide what to do about these formulae because the Unlicense license isn't the same as being in the public domain.

[chenrui333]

Question about rbenv-gemset:

According to the README:

License

This code is placed in the public domain by the author, Jamis Buck. Use it as you wish. Please prefer good over evil.

In #59026 this was added as Unlicense but this isn't the Unlicense license text.

It looks like the same situation as imagesnap mentioned above. What was decided? I think rbenv-gemset should be handled in a similar way.

Edit same for re2c. We should decide what to do about these formulae because the Unlicense license isn't the same as being in the public domain.

it was decided in my mind, I honestly did not expect it to merge too soon, and we can always circle back on the decision call. The license is wild game, and lots of license decisions in the upstream repo are kind of ad-hoc decisions. I did not fully conform with my readings in the spdx license data.

With that being said, that is a good call out, I will submit a PR on this theme to force the upstream to conform with the unlicense. :)

[Rylan12]

Second question: do we want to use only non-deprecated SPDX licenses?

For example, GPL-1.0 has been deprecated in favor of GPL-1.0-only or GPL-1.0-or-later.

Pros:

• Right now we have some formulae that use the general GPL-1.0 and some that use GPL-1.0-or-later (I don't know the exact numbers). This would remove ambiguity (which might be necessary for HOMEBREW_FORBIDDEN_LICENSES to work well).

Cons:

• Will take some work to convert existing deprecated licenses
• The GitHub license API doesn't seem to respect this. This means that there are instances where the GitHub API returns e.g. GPL-3.0 and the formula specifies GPL-3.0-or-later causing audit to fail when it shouldn't.

I have a PR ready but it won't work correctly because of the GitHub API issue. If this is something worth doing, we can figure out how to handle these situations.

[jonchang]

Checking the SPDX website again, I note that there's a "license expression" specification that seems like it would knock out a few of our needs. We'd be able to properly say "this formula has software that is BSD, but bundles a GPLv3 library" (BSD-2-clause AND GPL-3.0-or-later), or "this formula is dual licensed under MIT and BSD" (BSD-2-clause OR MIT). We'd need to write a parser for these expressions but it looks fairly straightforward.

For example, GPL-1.0 has been deprecated in favor of GPL-1.0-only or GPL-1.0-or-later.

We should fix the audit to permit these kinds of situations then, as our license should be as accurate as possible; the GitHub audit is only there as an additional check.

Also mirrored from our rbenv-gemset conversation:

Do we support NOASSERTION in our license field? It's correct according to spec and I think it would cover the cases where we think a formula is compliant with our definition of what is acceptable in Homebrew/core but otherwise is not in the SPDX license list.

[MikeMcQuaid]

The license is wild game, and lots of license decisions in the upstream repo are kind of ad-hoc decisions. I did not fully conform with my readings in the spdx license data.

With that being said, that is a good call out, I will submit a PR on this theme to force the upstream to conform with the unlicense. :)

@chenrui if in doubt: please don't add a license if you're not 100% sure that the license text matches exactly. If it's on GitHub that means: GitHub correctly detects the license. Please remove any licenses you've added you aren't 100% sure on. This stuff matters legally.

Second question: do we want to use only non-deprecated SPDX licenses?

Yes! Ideally brew audit will complain about these and we'll fix any we've added.

• The GitHub license API doesn't seem to respect this. This means that there are instances where the GitHub API returns e.g. GPL-3.0 and the formula specifies GPL-3.0-or-later causing audit to fail when it shouldn't.

I guess we could map these internally based on GitHub responses to meet our needs?

We'd be able to properly say "this formula has software that is BSD, but bundles a GPLv3 library" (BSD-2-clause AND GPL-3.0-or-later), or "this formula is dual licensed under MIT and BSD" (BSD-2-clause OR MIT). We'd need to write a parser for these expressions but it looks fairly straightforward.

With the DSL we have right now we're already handling the latter. Instead of a parser I'd say we should provide a way of specifying the prior (which may just be literally the AND string and .split(" AND "))

Do we support NOASSERTION in our license field? It's correct according to spec and I think it would cover the cases where we think a formula is compliant with our definition of what is acceptable in Homebrew/core but otherwise is not in the SPDX license list.

If it's not got an SPDX License: it's not acceptable in Homebrew/core. Their licenses are a superset of what we allow.

[miccal]

Second question: do we want to use only non-deprecated SPDX licenses?

Yes! Ideally brew audit will complain about these and we'll fix any we've added.

@MikeMcQuaid I added the license wxWindows to wxmac, which is on the list of deprecated license identifiers.

I am not sure what to replace it with:

wxWidgets licence is a modified version of LGPL explicitly allowing not distributing the sources of an application using the library even in the case of static linking.

[MikeMcQuaid]

@miccal I'd say just the LGPL in this case. If in doubt (and a modified version of an existing license) we want to ensure that we default to the stricter terms.

[Rylan12]

I've opened https://github.com/Homebrew/brew/pull/8201 to require non-deprecated licenses. It's still a work in progress. Hopefully, I'll have some time later today to work on handling the GitHub API issue.

[Rylan12]

Here are three more PRs disabling formulae that were mistakenly given the Unlicense license when they were actually one of these "public domain" formulae:

• 59094

• 59109

• 59110

I've looked at all of the licenses that currently have the Unlicense license and I think all of the other ones are appropriately labeled.

[MikeMcQuaid]

@Rylan12 Sorry that I was unclear before but "public domain" may not be an approved license but it's definitely fine in Homebrew/homebrew-core (because it's even more permissive than an open source license). I'm up for updating tooling and documentation to better clarify this.

[jonchang]

Unlicense is still incorrect though. We should support NOASSERTION for these cases per the spec.

[MikeMcQuaid]

Unlicense is still incorrect though.

Agreed.

We should support NOASSERTION for these cases per the spec.

We should support it but I think if they are specified as "public domain" we should have license "Public Domain" or license :public_domain or similar.

[gromgit]

If there are no implementation issues, I think :public_domain would help distinguish it as a Homebrew-specific license classification, separate from SPDX license strings.

[MikeMcQuaid]

We should support it but I think if they are specified as "public domain" we should have license "Public Domain" or license :public_domain or similar.

Have opened a PR for this: https://github.com/Homebrew/brew/pull/8208

[MikeMcQuaid]

And fixing up relevant formulae in https://github.com/Homebrew/homebrew-core/pull/59133.

[Bo98]

With the DSL we have right now we're already handling the latter. Instead of a parser I'd say we should provide a way of specifying the prior (which may just be literally the AND string and .split(" AND "))

I agree we need something like this. There's also WITH that's used in cases like Apache-2.0 WITH LLVM-exception.

What we do depends on how far we want to take it: is there any cases where we would expect to do something like a AND (b OR c)? I'm asking as it's important to be comprehensive and not omit licenses just because the DSL isn't flexible enough, like we appear to be doing now. (Note that the current multiple licenses DSL hasn't made a stable release yet should any changes be necessary.)

[Rylan12]

it's important to be comprehensive and not omit licenses just because the DSL isn't flexible enough like we appear to be doing now.

I definitely want to emphasize this point. I think we need to put a hold on mass-adding licenses until we feel that we've covered all of the bases. I think there's been an attitude of "we just need to get close and it will be okay" for the licenses (I'm very much complicit here) which isn't really appropriate for licenses.

[MikeMcQuaid]

omit licenses just because the DSL isn't flexible enough, like we appear to be doing now.

This is exactly what I think we should be doing. In this cases we should be making a note (in an issue, not the formula) of what the license should be and why we can't do that yet.

[Bo98]

By "omit" I should have said "partially omit". As in where there's multiple licenses we are just providing one and saying it's "good enough" for now. I don't think it's good enough.

In this cases we should be making a note (in an issue, not the formula)

Can someone come up with a quick grep for all comments appearing directly before a license line? That'll give an idea of some cases.

[MikeMcQuaid]

By "omit" I should have said "partially omit". As in where there's multiple licenses we are just providing one and saying it's "good enough" for now. I don't think it's good enough.

Oh, in that case: strongly agreed 👍🏻

I think there's been an attitude of "we just need to get close and it will be okay" for the licenses (I'm very much complicit here) which isn't really appropriate for licenses.

This, too. We've had no licenses for over 10 years. We can take our time to do things properly.

[SMillerDev]

By "omit" I should have said "partially omit". As in where there's multiple licenses we are just providing one and saying it's "good enough" for now. I don't think it's good enough.

I think that comes from a decision I made to allow this in a new formula. I completely agree with this statement, but I don't think we should be blocking normal core operations until we have a complete license implementation. Allowing new formula to do this so they don't have to wait 👍, adding it to existing formula 👎 .

[Rylan12]

I think that comes from a decision I made to allow this in a new formula. I completely agree with this statement, but I don't think we should be blocking normal core operations until we have a complete license implementation. Allowing new formula to do this so they don't have to wait 👍, adding it to existing formula 👎 .

So to clarify, this is just talking about the large batch PRs? I interpreted this to main we should just put a hold on any license stuff for now but based on #59231 and #59232 it sounds like we want to move forward with adding licenses for individual formulae as they are updated normally.

Either way, it sounds like this is the list of what we're currently missing:

• Dual license support (will be enabled in the next release)
• Public domain support (technically works but will be enabled for real in the next release)
• AND/OR/WITH support to clarify the difference between dual licenses, multiple different licenses and exceptions

I think it's probably fine to move ahead with individual license PRs that don't fall into any of the above categories and wouldn't have any incorrect or misleading information.

[SMillerDev]

So to clarify, this is just talking about the large batch PRs?

It is/was just a statement on making comments when multiple licenses apply.

---

If people want to add a license to a formula and that is possible using the current state of the DSL I'm all for it. I don't think we should be batch adding licenses unless we're really sure though.

[chenrui333]

wireshark license seems little bit complicated too, https://github.com/Homebrew/homebrew-core/pull/59603#issuecomment-674445109

[waldyrious]

Any thoughts about what to do with the rmtrash license? I downloaded the source code but the only references to copyright are these two lines in the manpage:

Copyright \(co 2003 Night Productions.
.br
This is free software.  There is NO warranty; not even for merchantability or fitness for a particular purpose.

[SMillerDev]

If it's not a valid license it needs to be removed from homebrew.

[sjackman]

This is free software.

Contact the upstream author to ask what the license is. Their e-mail address is directly above the copyright statement. If we haven't heard from the upstream author in say thirty days, remove the formula.

[sjackman]

The same author's other tool timeLoop is OSL-2.0. https://spdx.org/licenses/OSL-2.0.html http://www.nightproductions.net/cli.htm

[waldyrious]

I've just messaged the author, using the email address in the manpage and the one listed in the contact page. I'll keep you posted about any response.

[Rylan12]

https://github.com/Homebrew/brew/pull/8260 has been merged which means that we have some new license syntax options available. Here's a brief summary, because there have been some changes since the most recent update in this issue.

Note that this functionality has been added, but will not be able to be used in homebrew-core formulae until a new version of Homebrew has been released.

---

Single licenses can be specified in the same way

license "MIT"

Use a symbol for the public domain

license :public_domain

Add a + to indicate that the user can choose a later version of the same license (this doesn't apply to GNU licenses like GPL, LGPL, AGPL and GFDL which require either -only or -or-later)

license "EPL-1.0+"

Use :any_of to indicate that the user can choose which license applies

license any_of: ["MIT", "0BSD"]

Use :all_of to indicate that the user must comply with multiple licenses

license all_of: ["MIT", "0BSD"]

Use :with to indicate a license exception

license "MIT" => { with: "LLVM-exception" }

You can nest these expressions as needed

license any_of: [
  "MIT",
  all_of: ["0BSD", "Zlib", "Artistic-1.0+"],
  "Apache-2.0" => { with: "LLVM-exception" },
]

[gromgit]

Thanks much, @Rylan12! Since it's quite a substantive list, perhaps all these details can be put in a separate page and linked from https://docs.brew.sh/Formula-Cookbook#fill-in-the-license?

[Rylan12]

Good idea! There's a minimal explanation here but we should definitely add it to the formula cookbook as well. I'll open a PR sometime today or tomorrow when I have some time.

[SeekingMeaning]

These formulae should be updated:

% grep -R 'license \[' .
./Formula/transmission-cli.rb:  # license ["GPL-2.0", "GPL-3.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/libnice.rb:  # license ["LGPL-2.1", "MPL-1.1"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/ttf2eot.rb:  # license ["LGPL-2.0", "BSD-*"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/rainbarf.rb:  # license ["Artistic-1.0", "GPL-1.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/libiodbc.rb:  # license ["BSD-3-Clause", "LGPL-2.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/ipfs.rb:  # license ["Apache-2.0", "MIT"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/mongoose.rb:  # license ["GPL-2.0", "Cesanta"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/libical.rb:  # license ["LGPL-2.1", "MPL-2.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/pkcs11-helper.rb:  # license ["BSD-3-Clause", "GPL-2.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/nettle.rb:  # license ["GPL-2.0", "GPL-3.0", "LGPL-3.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/log4cplus.rb:  # license ["Apache-2.0", "BSD-2-Clause"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/hypre.rb:  # license ["MIT", "Apache-2.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/peg-markdown.rb:  # license ["GPL-2.0", "MIT"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/libfreenect.rb:  # license ["Apache-2.0", "GPL-2.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/plenv.rb:  # license ["Artistic-1.0", "GPL-1.0"] - pending https://github.com/Homebrew/brew/pull/7953
./Formula/osquery.rb:  # license ["Apache-2.0", "GPL-2.0-only"] - pending https://github.com/Homebrew/brew/pull/7953