Open bartelink opened 3 months ago
Not understanding where release 1.1.0 came from, and why the packageversion was not up to date?
Just curious (since I have the same in TaskSeq, and I also have MIT), why is this change needed?
This way, the nuspec gets a top level field that authoritatively defines the license in terms of a known set of approved OSI licenses (i.e. the string MIT has a very specific meaning in that context, mapping to the full license text), which NuGet.org can also render authoritatively, e.g. https://www.nuget.org/packages/equinox. The actual driver here is that the corp sec scanner notes the package as having an unknown license type (because it doesn't search within packages).
Ah, do you mean the scanner of projects that download and use the package? Sounds like a bug in the scanner to me, but if this fixes it, I should update my packages similarly. Don't want SOC2 compliance or similar to prevent companies from using your libs.
Sorry to barge in and hijack your thread, btw, but your change caught me ;).
Edit: just checked for comparison, indeed, F# uses the same format: PackageLicenseExpression
Not really. The high level rules are that you either have a SPDX expression, or a file or a url. https://learn.microsoft.com/en-us/nuget/reference/msbuild-targets#packing-a-license-expression-or-a-license-file
I'm not sure the current PackageLicense xml was ever correct. The outcome is that the package has no license of any kind and hence is effectively unlicensed: https://nuget.info/packages/FSharp.UMX/1.1.0
But, even for PackageLicense files vs expressions, the scanner would need to implement parsing to be able to conclusively determine that it was an unaltered version of a given known license text.
I see your edit as I glance now! Everything looks in order there (it would also have appeared on the scanner list my side)
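The two valid ways of declaring a package license in an MSBuild project file, as an added example; this is not the FSharp.UMX project's own file, and the deprecated `PackageLicenseUrl` "before" fragment is an assumption about what an older project file might contain, not what this repository had:

```xml
<!-- Before (assumed older form, not taken from this repository): PackageLicenseUrl is
     deprecated. NuGet.org and license scanners cannot resolve an arbitrary URL to a known
     license, so the package is reported as having an unknown license. -->
<PropertyGroup>
  <PackageLicenseUrl>https://example.invalid/LICENSE</PackageLicenseUrl>
</PropertyGroup>

<!-- After, option 1: an SPDX license expression. "MIT" is a fixed identifier that maps to
     the full license text, and NuGet.org renders it on the package page. -->
<PropertyGroup>
  <PackageLicenseExpression>MIT</PackageLicenseExpression>
</PropertyGroup>

<!-- After, option 2: ship the license text inside the package. The file named in
     PackageLicenseFile must also be packed; without the None item, dotnet pack fails
     because the referenced file is not in the package. -->
<PropertyGroup>
  <PackageLicenseFile>LICENSE</PackageLicenseFile>
</PropertyGroup>
<ItemGroup>
  <None Include="LICENSE" Pack="true" PackagePath="" />
</ItemGroup>

<!-- PackageLicenseExpression and PackageLicenseFile are mutually exclusive: set one, not
     both. A file-based license still requires a scanner to match the text against known
     license wording, whereas the expression is unambiguous by construction. -->
```

After packing, the resulting .nupkg is a zip; the generated .nuspec inside it should carry a `<license type="expression">MIT</license>` element (or `type="file"`), which is what NuGet.org and package scanners read.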
Haha, indeed, no change in TaskSeq needed. I made a typo when searching and it turned out it was PackageLicenseExpression all along, I just forgot. Sorry for the noise 😆.
Gotta keep those scanners quiet