search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
121.36k stars 17.38k forks source link

x/pkgsite: support symlinks or LICENSES directory #40586

Open oxzi opened 3 years ago

oxzi commented 3 years ago

On a project I am working on, I recently implemented the Free Software Foundation Europe's REUSE (repository) recommendations for licensing. The used licenses are the GNU GPL for code and CC0 for some other stuff, both listed as supported licenses.

In a nutshell, REUSE stores all licenses named as their SPDX identifier in a LICENSES directory. Furthermore, each file starts with a SPDX header.

Because GitHub does not handled this, I created a LICENSE symlink to the GPL file within the LICENSES directory. GitHub then at least detects the presence of a license. (Edit: GitHub only detects a LICENSE file exists, but does not follow the symlink. Thus, I removed the symlink.)

However, the pkg.go.dev page is currently not able to process this. Furthermore, the documentation is "not displayed due to license restrictions". Compared to this, the old GoDoc has no limitations in this regard. Sorry, this is annoying.

Would it be possible to adjust pkg.go.dev to

Thanks a lot for all the great work!

jba commented 3 years ago

Please see this post to understand why we check licenses and godoc.org doesn't.

For legal reasons, we cannot consider SPDX headers authoritative. We must verify the license text itself.

A LICENSES directory is a reasonable request. We'll look into it.

oxzi commented 3 years ago

Please see this post to understand why we check licenses and godoc.org doesn't. Thanks for the background and clarification.

For the record, the following link also works without having a Google account. https://groups.google.com/d/msg/golang-dev/mfiPCtJ1BGU/qtCrqlrEEwAJ

A LICENSES directory is a reasonable request. We'll look into it. That would be very cool, thanks. Alternatively, could a license hint or link to such a file also be included in the go.mod file, for example?

jba commented 3 years ago

I don't think the go.mod file is the right place for that sort of information. We don't add information to go.mod that is obtainable elsewhere, or that is language-agnostic.

oxzi commented 3 years ago

Any updates? After closing down the good old godoc.org and redirecting to the new pkg.go.dev thingy, there is no more documentation for properly licensed code.

A promising alternative seems to be godocs.io. However, for my next release I will add a LICENSE file…

bernhardreiter commented 1 year ago

For legal reasons, we cannot consider SPDX headers authoritative. We must verify the license text itself.

The SPDX-headers list which license texts are to be verified in the first place.

E.g. there are many repositories, where the LICENCES file or COPYING file does not list all licenses used in the repository. So if you are believing this, from a legal point of view, you should also be able to believe the SPDX headers.

A LICENSES directory is a reasonable request. We'll look into it.

Yes, please make it reuse.software compatible. What would have to be done for this?

bernhardreiter commented 1 year ago

One current example of the problem is https://pkg.go.dev/github.com/csaf-poc/csaf_distribution/v2@v2.2.0/csaf .