fortran-lang / fpm-registry

Centralized registry of fpm packages
https://fpm.fortran-lang.org/en/registry/
MIT License

Required keywords for registry #24

Open awvwgk opened 4 years ago

awvwgk commented 4 years ago

I wonder why we require license, maintainer, author and copyright to be present in the package manifest of a submitted package. Shouldn't license and maintainer be sufficient for a package to be valid?

Then the question is how we specify the maintainer properly. For all packages registered so far it is an email address, while `fpm new` with both the bootstrap fpm and the Fortran fpm will currently create a name and an email address.

Also, all packages so far are single-author projects, which will change once we start porting larger projects to work with fpm; those usually have more than one maintainer and/or author. fpm itself is probably the simplest example for this purpose; there is just a placeholder for the maintainer available right now. I would suggest allowing, or better requiring, the maintainer entry to be an array of strings. Similar arguments hold for the author field; most packages will have more than one author.

Additionally, I want to add that putting up an email address might not be the easiest way to reach out to the maintainer. Depending on the project, emailing the maintainer might work, but usually creating an issue is the preferred way to report bugs or request features, while questions are usually handled by various other platforms, like gitter, zulip or a forum. In short, this information is usually present on the homepage of the project or the project's README.

The copyright field is especially tricky, since it is not always that easy to pin down. I have projects where I cannot put a copyright statement in one line, and even if I could put several lines using a TOML multiline string, those wouldn't apply to the complete project. Another thing I was wondering about: in case a package is dedicated to the public domain (Unlicense, CC0, ...), I wouldn't include a copyright statement at all, due to it being in the public domain.

Finally, there seems to be no check whether the license field is actually a valid license or matches the license contained in the package itself. An easy way would be to follow Cargo or conda-forge and require at least a valid SPDX identifier for the license.

milancurcic commented 4 years ago

I agree. Without going into the specifics of each issue you raised, would the quick fix be to change this:

    # Must be present, copied to json
    required_keys = ["name", "version", "license", "author", 
                       "maintainer", "copyright"]

    # Optionally present, copied to json
    optional_keys = ["description", "executable", "dependencies",
                     "dev-dependencies"]

to

    # Must be present, copied to json
    required_keys = ["name", "license", "maintainer"]

    # Optionally present, copied to json
    optional_keys = ["author", "copyright", "description", "executable", "dependencies",
                     "dev-dependencies", "version"]

in the validate script?
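To make the proposed key scheme concrete, here is an added example validator. It is not the repository's validate script and not code from either commenter; it checks an already-parsed manifest against the required/optional lists proposed above, accepts `maintainer` and `author` as either a string or an array of strings, and requires `license` to be an SPDX identifier. It assumes the manifest arrives as a dict (for example from `tomllib.loads`), and `SPDX_IDS` is a small constructed subset of the real SPDX list.

```python
# Added example (not the fpm-registry validate script): validate an
# already-parsed fpm manifest against the key scheme proposed in this issue.
# Assumptions, not from the page: the manifest is a dict produced by a TOML
# parser, and SPDX_IDS is a constructed subset of the SPDX license list.

REQUIRED_KEYS = ("name", "license", "maintainer")
OPTIONAL_KEYS = ("author", "copyright", "description", "executable",
                 "dependencies", "dev-dependencies", "version")

# Constructed subset; a real validator would load the full SPDX license list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-or-later",
            "LGPL-3.0-or-later", "MPL-2.0", "Unlicense", "CC0-1.0"}


def _string_list(value, key, problems):
    """Accept a non-empty string or a non-empty array of non-empty strings.

    Returns the value normalized to a list, or None after recording a problem.
    """
    if isinstance(value, str) and value.strip():
        return [value]
    if (isinstance(value, list) and value
            and all(isinstance(v, str) and v.strip() for v in value)):
        return list(value)
    problems.append(f"'{key}' must be a non-empty string or array of strings")
    return None


def validate_manifest(manifest):
    """Return (problems, normalized); problems is an empty list when valid.

    normalized holds the accepted fields, with maintainer/author as lists.
    """
    problems = []
    normalized = {}

    # Presence checks: required keys must exist, unknown keys are rejected
    # so that a typo like "maintaner" does not silently pass.
    for key in REQUIRED_KEYS:
        if key not in manifest:
            problems.append(f"missing required key '{key}'")
    for key in sorted(set(manifest) - set(REQUIRED_KEYS) - set(OPTIONAL_KEYS)):
        problems.append(f"unknown key '{key}'")

    # Type checks on the keys that are present.
    for key, value in manifest.items():
        if key in ("maintainer", "author"):
            people = _string_list(value, key, problems)
            if people is not None:
                normalized[key] = people
        elif key == "license":
            if not isinstance(value, str) or value not in SPDX_IDS:
                problems.append(f"license {value!r} is not a valid SPDX identifier")
            else:
                normalized[key] = value
        elif key in ("name", "version", "copyright", "description"):
            if not isinstance(value, str):
                problems.append(f"'{key}' must be a string")
            else:
                normalized[key] = value
        elif key in OPTIONAL_KEYS:
            # Tables such as [dependencies] are copied through unchecked here.
            normalized[key] = value
    return problems, normalized


# Constructed sample manifests (not real registry entries).
GOOD_MANIFEST = {
    "name": "example-lib",
    "version": "0.1.0",
    "license": "MIT",
    "maintainer": ["Ada Lovelace <ada@example.org>",
                   "Charles Babbage <cb@example.org>"],
    "author": "Ada Lovelace",
}

BAD_MANIFEST = {
    "name": "example-lib",
    "license": "MIT License",            # free text, not an SPDX identifier
    "maintainer": [],                    # empty array
    "copyright": 2021,                   # not a string
    "homepage": "https://example.org",   # not a recognized key
}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        problems, normalized = validate_manifest(manifest)
        print(label, "OK" if not problems else problems)
        print("   ", normalized)
```

Rejecting unknown keys is deliberate: a misspelled required key would otherwise show up only as "missing", and the registry would have no way to tell the submitter which line is wrong. Checking `license` against the SPDX list catches the free-text case the issue describes, but it does not verify that the identifier matches the license file shipped in the package; that would need the package contents, not just the manifest.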

certik commented 4 years ago

Yes, let's improve this. I think we all agree on the issues you raised, we just have to figure out a way to improve it.