search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
30.91k stars 4.18k forks source link

Go docs for MPL-2.0-licensed packages not displaying on https://pkg.go.dev #27775

Open hairyhenderson opened 2 months ago

hairyhenderson commented 2 months ago

Describe the bug

If you try to read the Go docs for e.g. the github.com/hashicorp/vault/api/auth/aws module, this error message shows up:

Documentation not displayed due to license restrictions.

This is despite that module apparently being licensed as MPL-2.0 (see the SPDX header here, for example).

It seems this is due to how the license detection works (listed here: https://pkg.go.dev/license-policy).

To Reproduce

Steps to reproduce the behavior:

  1. https://pkg.go.dev/github.com/hashicorp/vault/api/auth/aws
  2. Be disappointed at being unable to read the API docs

Expected behavior

I believe that all that's needed here is for a LICENSE file to be added to the root of the module (/api/auth/aws) to indicate that the module is MPL-2.0-licensed.

Environment:

n/a

Additional context

I'm reporting this as a bug because being able to easily read Go docs is important functionality to any Go module.

tsaarni commented 1 month ago

Here is the full list of packages without documentation due to missing LICENSE files

Another side effect is that the go tooling will download the module with "synthesized" BUSL license file while it should be MPL:

$ mkdir test
$ cd test
$ go mod init example.com/m
go: creating new go.mod: module example.com/m
$ go get github.com/hashicorp/vault/api/auth/azure
...
$ go mod download --json github.com/hashicorp/vault/api/auth/azure | jq .Dir
"/home/tsaarni/go/pkg/mod/github.com/hashicorp/vault/api/auth/azure@v0.6.0"

$ head /home/tsaarni/go/pkg/mod/github.com/hashicorp/vault/api/auth/azure@v0.6.0/LICENSE
License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
"Business Source License" is a trademark of MariaDB Corporation Ab.

Parameters

Licensor:             HashiCorp, Inc.
Licensed Work:        Vault Version 1.15.0 or later. The Licensed Work is (c) 2024
                      HashiCorp, Inc.
Additional Use Grant: You may make production use of the Licensed Work, provided
                      Your use does not include offering the Licensed Work to third

This can throw off tooling that depend on the info, such as go-licenses which reports error "cannot find a known open source license" and prints it as Unknown instead of MPL

$ go-licenses report github.com/hashicorp/vault/api/auth/azure
github.com/hashicorp/vault/api/auth/azure,Unknown,Unknown

The behavior of go module license is described here https://go.dev/ref/mod#vcs-license

When the go command creates a .zip file for a module that is not in the repository root directory, if the module does not have a file named LICENSE in its root directory (alongside go.mod), the go command will copy the file named LICENSE from the repository root directory if it is present in the same revision.