ethereum / sourcify

Decentralized Solidity contract source code verification service
https://sourcify.dev
MIT License

Check the License of contracts before verification #948

Open kuzdogan opened 1 year ago

kuzdogan commented 1 year ago

Currently we are not checking the licenses of the contracts during verification. Potentially there may be contracts we should not store/verify with restrictive licenses.


sealer3 commented 1 year ago

Does this make sense to do?

Suppose I am malicious and verify a contract despite the license. To do this, I will just remove all the SPDX identifiers or change them to a permissive license and submit a partial match. I mess with the metadata and dev comments to confuse users.

Now the developer of the contract, who has this source code, notices and wants everyone to know the file with the correct comments and correct metadata for a perfect match. But he can't upload it, because Sourcify notices the license is not allowed, and rejects it. He could try to change the metadata, but there is already a partial match uploaded.
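The partial-versus-perfect distinction in the comment above comes down to the metadata trailer the Solidity compiler appends to bytecode. The following Python is an added illustration, not Sourcify's code: it splits a deployed bytecode into runtime code and trailer and classifies a recompilation as a perfect, partial or non-match. It assumes the documented Solidity convention that the last two bytes of the bytecode give the big-endian length of a CBOR map preceding them, and that this map's `ipfs` entry is a 34-byte multihash of the metadata JSON, which itself hashes every source byte (comments and the SPDX line included). The runtime code, IPFS hashes and solc version bytes are constructed sample values.

```python
from typing import Optional

# Constructed sample values (not real on-chain data).
RUNTIME = bytes.fromhex("6080604052348015600f57600080fd5b50")
HASH_A = b"\x12\x20" + bytes(range(32))        # metadata of the original sources
HASH_B = b"\x12\x20" + bytes(range(32, 64))    # metadata after comments/SPDX were edited
SOLC = b"\x00\x08\x14"                         # assumed solc 0.8.20 version bytes


def build_metadata(ipfs_hash: bytes, solc: bytes = SOLC) -> bytes:
    """Build a Solidity-style CBOR trailer {"ipfs": <34 bytes>, "solc": <3 bytes>}
    followed by its 2-byte big-endian length (51 = 0x0033 for this layout)."""
    cbor = (b"\xa2"                      # CBOR map with two entries
            + b"\x64ipfs" + b"\x58\x22" + ipfs_hash   # text "ipfs", bytes(34)
            + b"\x64solc" + b"\x43" + solc)           # text "solc", bytes(3)
    return cbor + len(cbor).to_bytes(2, "big")


def split_metadata(bytecode: bytes) -> tuple[bytes, bytes]:
    """Return (runtime code without trailer, CBOR metadata section)."""
    if len(bytecode) < 2:
        raise ValueError("bytecode too short to carry a metadata trailer")
    meta_len = int.from_bytes(bytecode[-2:], "big")
    if meta_len + 2 > len(bytecode):
        raise ValueError("metadata length exceeds bytecode length")
    cbor = bytecode[-(meta_len + 2):-2]
    if not cbor or (cbor[0] >> 5) != 5:     # CBOR major type 5 is a map
        raise ValueError("trailer does not start with a CBOR map")
    return bytecode[:-(meta_len + 2)], cbor


def extract_ipfs_hash(cbor: bytes) -> Optional[bytes]:
    """Pull the 34-byte multihash out of the 'ipfs' entry, if present.
    Looks for the fixed key/length prefix instead of a full CBOR decode."""
    marker = b"\x64ipfs\x58\x22"
    i = cbor.find(marker)
    if i < 0:
        return None
    start = i + len(marker)
    return cbor[start:start + 34]


def classify_match(onchain: bytes, recompiled: bytes) -> str:
    """'perfect' if bytes are identical (metadata hash included), 'partial' if only
    the runtime code matches, i.e. the sources differ in comments or metadata."""
    if onchain == recompiled:
        return "perfect"
    code_a, _ = split_metadata(onchain)
    code_b, _ = split_metadata(recompiled)
    return "partial" if code_a == code_b else "none"


if __name__ == "__main__":
    deployed = RUNTIME + build_metadata(HASH_A)
    print(classify_match(deployed, RUNTIME + build_metadata(HASH_A)))  # perfect
    print(classify_match(deployed, RUNTIME + build_metadata(HASH_B)))  # partial
    print(extract_ipfs_hash(split_metadata(deployed)[1]) == HASH_A)    # True
```

Because the trailer is the only part of the bytecode that depends on comments, a submission with the SPDX line removed still yields a partial match, and the original sources can only be told apart by the `ipfs` hash; a license check that reads the SPDX comment therefore sees whatever the submitter chose to write there.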

kuzdogan commented 1 year ago

Yes, good point.

This was a rather not-thought-through issue after a short discussion. So I'm also not sure if it makes sense.

I wonder if there's even a "secret" license that we need to avoid. Even if that is the case, one can still host it on IPFS publicly for everyone to see.