CFEP about license identifiers and support for license_family

[beckermr]

We've had some intense discussion of the purpose and scope of the license_family entry in the meta.yaml, along with associated issues around SPDX identifiers.

I am starting a discussion of a CFEP here. An initial proposal would be to

1. remove license_family from the examples on staged recipes
2. require SPDX license names where possible
3. add linting requirements for this
4. put in migrations

[isuruf]

Checking for SPDX is at conda-forge/conda-smithy#1220. Needs a conda package for license-expression python package.

[beckermr]

As another note greyskull is already using spdx

[beckermr]

The above is from @ocefpaf

[beckermr]

I also want to add that corporations support for free many parts of conda forge. If keep license_fanily is helpful to them, then maybe we should keep it. We can move to spdx and then write an admin migration to convert the recipes to have the right family.

[beckermr]

We could even have conda build put it in on rerender.

[marcelotrevisani]

Yeap, that is right grayskull is already using spdx, it is getting the information from opensource.org and doing some fuzzy comparinsons to see what is the right license for each package.

I also have plans to extract the whole license matching to a separated project, but it may take a while until I finish this part, because I already have other things to do before that.

[marcelotrevisani]

I really think we should adopt the spdx, because that is the common way to express the license. For example opensource.org, spdx.org (of course), tldrlegal.com and others use this short identifier. Which I think it is pretty good, it is one way to have consistency across our environment

[marcelotrevisani]

If you want to, you can copy the code or import grayskull. There is a module there called license which we can use to unify the license name for example:

from grayskull.license.discovery import get_short_license_id

get_short_license_id("MIT License") == "MIT"
get_short_license_id("Expat") == "MIT"
get_short_license_id("GPL 2.0") == "GPL-2.0"
get_short_license_id("2-Clause BSD License") == "BSD-2-Clause"
get_short_license_id("3-Clause BSD License") == "BSD-3-Clause"

Grayskull also tries to find the license given a sdist package or github repository, or even a folder with a license there

from grayskull.license.discovery import search_license_file

# given a folder with a license like LICENSE.txt
search_license_file(folder_path=PATH_FOLDER_LICENSE)

it will read the license file and it will try to match what is the license of that file using some fuzzy matching. For now, it is using a "database" which is present in the grayskull/license/data But I have plans to populate and get those "models" from spdx.org directly

[mbargull]

Needs a conda package for license-expression python package.

I added that one in November: https://github.com/conda-forge/staged-recipes/pull/10069/commits/bc96248b9224e67f1e10fc62a21e78fc2f1202e6

[isuruf]

Thanks @mbargull

[isuruf]

Added some docs on SPDX at https://github.com/conda-forge/conda-forge.github.io/pull/1002

[scopatz]

Note that GPL-2.0 and similar ones are deprecated identifiers and I don't think we should use them

[isuruf]

@scopatz, can you open an issue?

[scopatz]

Isn't this the issue?

[isuruf]

I meant one in conda-forge.github.io (to update docs) and conda-smithy (to remove deprecated ones), but this issue can be a meta issue.

[scopatz]

Done

[isuruf]

See also https://github.com/conda-forge/conda-forge-repodata-patches-feedstock/pull/36

[isuruf]

Now, conda-smithy warns if license is not a SPDX identifier and conda-forge/conda-forge-repodata-patches-feedstock#36 will add the license_family. This moves the maintenance burden from packagers to whoever is using those metadata to make sure the mapping from SPDX->license_family is kept up-to-date.

[beckermr]

Closing since basically this policy was decided by implementation. We auto generate license family and are now using spdx.

[scopatz]

I think we should leave this open as we should have a real CFEP and policy about it. Not just an implementation

[beckermr]

The cfep passed here so I’m going to close.