aboutcode-org / scancode-toolkit

ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
https://aboutcode.org/scancode/

License scan reports conjunctive rather than disjunctive license expression for slint v1.0.0 #3316

Open DennisClark opened 1 year ago

DennisClark commented 1 year ago

A recent scan using SCIO v32.1.0 of the code available at https://github.com/slint-ui/slint/archive/refs/tags/v1.0.0.tar.gz reported a declared license expression of gpl-3.0 AND proprietary-license even though the notices state that there is actually a choice of licenses.

from README.md:

License

Slint is available under either a proprietary license or GNU GPLv3

The proprietary license is provided free-of-charge in exchange for (1) consent that we can showcase the application, (2) attribution of Slint in the application and (3) feedback to improve Slint. Check out our ambassador program.

from LICENSE.md:

Slint License

Slint is available under either a proprietary license or GNU GPLv3.

Third party licenses listed in the LICENSES folder also apply to parts of the product.

The either/or construction clearly indicates a disjunctive choice of licenses rather than a conjunctive combination of licenses. The correct license expression would be: gpl-3.0 OR proprietary-license

Scan results attached

slint-1.0.0.tar.gz_scan.json.zip
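To make the either/or point concrete, here is an added example (not ScanCode's own detection code) that derives a license expression from notice text and flags a conjunctive report when the notice offers a choice. The phrase-to-key table and the disjunction cue words are assumptions for illustration; the sample notices are constructed from the text quoted above.

```python
import re

# Constructed sample notices: the first is adapted from the Slint README/LICENSE
# text quoted in this issue, the second is a made-up conjunctive notice.
SLINT_NOTICE = "Slint is available under either a proprietary license or GNU GPLv3."
CONJUNCTIVE_NOTICE = "This program is licensed under the MIT license and the Apache-2.0 license."

# Hypothetical minimal mapping of notice phrases to ScanCode-style license keys.
LICENSE_PHRASES = {
    "gnu gplv3": "gpl-3.0",
    "proprietary license": "proprietary-license",
    "mit license": "mit",
    "apache-2.0 license": "apache-2.0",
}

# Assumed wording that signals a choice between the licenses named in a notice.
DISJUNCTIVE_CUES = (
    re.compile(r"\beither\b.*\bor\b", re.I | re.S),
    re.compile(r"\bat your option\b", re.I),
    re.compile(r"\bor,? alternatively\b", re.I),
)


def detected_keys(notice):
    """Return the license keys named in the notice, sorted for a normalized expression."""
    lowered = notice.lower()
    return sorted(key for phrase, key in LICENSE_PHRASES.items() if phrase in lowered)


def is_disjunctive(notice):
    """True when the notice wording offers a choice of licenses rather than a combination."""
    return any(cue.search(notice) for cue in DISJUNCTIVE_CUES)


def license_expression(notice):
    """Build 'a OR b' for a choice of licenses and 'a AND b' when all of them apply together."""
    keys = detected_keys(notice)
    if not keys:
        return None
    operator = " OR " if is_disjunctive(notice) else " AND "
    return operator.join(keys)


def check_reported(reported, notice):
    """Return the expression the notice supports; differs from `reported` when the
    scan joined a disjunctive choice with AND (the misreport described in this issue)."""
    expected = license_expression(notice)
    if expected is None:
        return reported
    return expected if " AND " in reported and is_disjunctive(notice) else reported
```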

pombredanne commented 1 year ago

@DennisClark @AyanSinhaMahapatra note how they are using their own SPDX LicenseRef in the style of REUSE https://github.com/slint-ui/slint/tree/master/LICENSES

There are a few things here to unpack:

  1. we may need to better handle these REUSE conventions
  2. we may want to also track these usages of LicenseRef as rules, though they may be local to a repo