search

hughsie / appstream-glib

This library provides objects and helper methods to help reading and writing AppStream metadata.
GNU Lesser General Public License v2.1
65 stars 103 forks source link

Appstream-builder might be mishandling license strings #478

Closed CtrlZmaster closed 9 months ago

CtrlZmaster commented 9 months ago

After generating metadata with appstream-builder just for cockpit-389-ds and cockpit from Fedora 40, a metadata file with a mangled license string in <project_license> for org.port389.cockpit_console is generated. I assume that this element is added by appstream-builder since it is not defined in the metainfo file of cockpit-389-ds:

<?xml version="1.0" encoding="UTF-8"?>
<component type="addon">
  <id>org.port389.cockpit_console</id>
  <metadata_license>CC0-1.0</metadata_license>
  <name>389 Directory Server</name>
  <summary>389 Directory Server Management</summary>
  <description>
    <p>
      389 Directory Server is a highly usable, fully featured, reliable and
      secure LDAP server implementation. It handles many of the largest LDAP
      deployments in the world.
    </p>
  </description>
  <extends>org.cockpit_project.cockpit</extends>
  <launchable type="cockpit-manifest">cockpit-389-console</launchable>
  <url type="homepage">https://www.port389.org/</url>
  <update_contact>389-devel_AT_lists.fedoraproject.org</update_contact>
</component>

The HEADER file of cockpit-389-ds-3.0.1-2.fc40.noarch.rpm contains this license string: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT

The generated metadata contains this license string (and even appstream-builder complains it's not SPDX valid): GPL-3.0-or-later AND (0BSD-3-Clause OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-3.0-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0-1.0) AND (MIT OR CC0-1.0) AND 0BSD-3-Clause AND Apache-2.0 AND BSD-3-Clause-2-Clause AND BSD-3-Clause-3-Clause AND ISC AND MIT AND MPL-2.0 AND PSF-2.0

Console log: cockpit-40-4.log Package log for cockpit-389-ds: cockpit-389-ds.log Resulting metadata: x86-cockpit-4-40.xml.gz

I used libappstream-glib-builder-0.8.2-2.fc38.x86_64 on Fedora 38. The command was:

appstream-builder --verbose --origin=fedora --log-dir=/root/asb-logs/cockpit-40-4 --packages-dir=/root/cockpit-packages --temp-dir=/tmp/AppStream --output-dir=./repodata --basename="x86-cockpit-4-40" | tee /root/asb-logs/cockpit-40-4.log
hughsie commented 9 months ago

So I guess this is the smoking gun:

WARNING: Unable to currently map Fedora license '0BSD-3-Clause' to SPDX
WARNING: Unable to currently map Fedora license 'WITH LLVM-exception' to SPDX
WARNING: Unable to currently map Fedora license 'CC-BY-3.0-4.0' to SPDX
WARNING: Unable to currently map Fedora license 'CC0-1.0-1.0' to SPDX
WARNING: Unable to currently map Fedora license '0BSD-3-Clause' to SPDX
WARNING: Unable to currently map Fedora license 'BSD-3-Clause-2-Clause' to SPDX
WARNING: Unable to currently map Fedora license 'BSD-3-Clause-3-Clause' to SPDX

I'm a bit confused; I thought all software in F40 was supposed to have SPDX license IDs now?

ximion commented 9 months ago

An OT question, but what would be needed to convert this usecase to using appstreamcli compose or appstream-generator? @Conan-Kudo might know...

Would be nice to make it a bit easier for Fedora to adopt AppStream over maintenance-mode appstream-glib (but for that I need to know which features are missing).

hughsie commented 9 months ago

I think that's the plan -- although nobody seems super interested in actually migrating the Fedora/RHEL scripts[1] and then checking the output. It'd be interested to see how close we could get for https://github.com/hughsie/appstream-scripts/blob/master/fedora/fedora-39.sh

[1] https://github.com/hughsie/appstream-scripts

Conan-Kudo commented 9 months ago

I'd like to look into switching things over in Fedora 41, but I don't have time at the moment.

ximion commented 9 months ago

There is also a few "nice to have" issues related to RPM support against appstream-generator. Once I have the time to work on asgen again, I'll look into those! :-)