fsprojects / FSharp.UMX

F# units of measure for primitive non-numeric types
MIT License

Switch to PackageLicenseExpression #31

Open bartelink opened 3 months ago

bartelink commented 3 months ago

Gotta keep those scanners quiet

bartelink commented 3 months ago

Not understanding where release 1.1.0 came from, and why the packageversion was not up to date?

abelbraaksma commented 3 months ago

Just curious (since I have the same in TaskSeq, and I also have MIT), why is this change needed?

bartelink commented 3 months ago

This way, the nuspec gets a top-level field that authoritatively defines the license in terms of a known set of approved OSI licenses (i.e. the string MIT has a very specific meaning in that context, mapping to the full license text), which NuGet.org can also render authoritatively, e.g. https://www.nuget.org/packages/equinox. The actual driver here is that the corp sec scanner notes the package as having an unknown license type (because it doesn't search within packages).

abelbraaksma commented 3 months ago

The actual driver here is that the corp sec scanner notes the package as having an unknown license type (because it doesn't search within packages)

Ah, do you mean the scanner of projects that download and use the package? Sounds like a bug in the scanner to me, but if this fixes it, I should update my packages similarly. Don't want SOC2 compliance or similar to prevent companies from using your libs.

Sorry to barge in and hijack your thread, btw, but your change caught me ;).

Edit: just checked for comparison, indeed, F# uses the same format: PackageLicenseExpression

bartelink commented 3 months ago

Not really. The high-level rules are that you either have an SPDX expression, or a file, or a URL: https://learn.microsoft.com/en-us/nuget/reference/msbuild-targets#packing-a-license-expression-or-a-license-file

I'm not sure the current PackageLicense XML was ever correct. The outcome is that the package has no license of any kind and hence is effectively unlicensed: https://nuget.info/packages/FSharp.UMX/1.1.0

But, even for PackageLicense files vs expressions, the scanner would need to implement parsing to be able to conclusively determine that it was an unaltered version of a given known license text.

I see your edit as I glance now! Everything looks in order there (it would also have appeared on the scanner list my side)
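The nuspec rules discussed above (expression vs. file vs. URL, and a package that ends up with no license element at all), as an added example that is not part of FSharp.UMX or this thread: a small Python check that opens a .nupkg (which is a zip archive) and reports how its .nuspec declares the license, the way a metadata-only scanner would see it. The sample package built by `build_nupkg` and the `example.invalid` URL are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NUSPEC_NS = "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"

def _local(tag: str) -> str:
    """Strip the XML namespace: '{ns}license' -> 'license'."""
    return tag.split("}", 1)[-1]

def nuspec_license(nupkg_bytes: bytes) -> dict:
    """Report how a .nupkg declares its license, as a metadata-only scanner sees it.

    kind is 'expression' (SPDX id in <license type="expression">), 'file'
    (<license type="file">), 'url' (legacy <licenseUrl>) or 'none'. Only an
    expression is marked authoritative: the file and url forms still need the
    license text fetched and matched before the license is actually known.
    """
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        # The package's own .nuspec sits at the archive root.
        names = [n for n in zf.namelist() if n.endswith(".nuspec") and "/" not in n]
        if not names:
            return {"kind": "none", "value": "", "authoritative": False}
        root = ET.fromstring(zf.read(names[0]))
    metadata = next((c for c in root if _local(c.tag) == "metadata"), None)
    fields = {_local(c.tag): c for c in metadata} if metadata is not None else {}
    if "license" in fields:
        kind = fields["license"].get("type", "none")
        value = (fields["license"].text or "").strip()
    elif "licenseUrl" in fields:
        kind, value = "url", (fields["licenseUrl"].text or "").strip()
    else:
        kind, value = "none", ""
    return {"kind": kind, "value": value, "authoritative": kind == "expression"}

def build_nupkg(license_xml: str) -> bytes:
    """Build a minimal constructed .nupkg (a zip) whose .nuspec carries license_xml."""
    nuspec = (
        f'<?xml version="1.0"?><package xmlns="{NUSPEC_NS}"><metadata>'
        "<id>Sample.Pkg</id><version>1.0.0</version><authors>demo</authors>"
        f"<description>constructed sample</description>{license_xml}"
        "</metadata></package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.Pkg.nuspec", nuspec)
    return buf.getvalue()

if __name__ == "__main__":
    # This is the element that <PackageLicenseExpression>MIT</PackageLicenseExpression> produces.
    print(nuspec_license(build_nupkg('<license type="expression">MIT</license>')))
```

Point `nuspec_license` at the bytes of a real package (e.g. one downloaded from NuGet.org) to see whether a scanner that reads only the nuspec can resolve its license.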

abelbraaksma commented 3 months ago

I see your edit as I glance now! Everything looks in order there (it would also have appeared on the scanner list my side)

Haha, indeed, no change in TaskSeq needed. I made a typo when searching, and it turned out it was PackageLicenseExpression all along; I just forgot. Sorry for the noise 😆.