open-lasso-python / lasso-python

Home of the open-source CAE library lasso-python 🐍
BSD 3-Clause "New" or "Revised" License

Is Lasso-Python licensed as proprietary? #54

Closed Unearthed2112 closed 2 months ago

Unearthed2112 commented 2 months ago

Hello,

NexusIQ (OSS scanning tool) is flagging lasso-python as having a proprietary license clause. I noticed also that on PyPI it is listed as "Other/Proprietary License".

[screenshot]

However, when I view the license text provided with lasso-python, here in this repo, it appears to be BSD 3-Clause, not listed as proprietary.

So, is lasso-python proprietary, or are NexusIQ and PyPI incorrect?

Thank you very much for your time.

codie3611 commented 2 months ago

It's free and will stay free forever. Looks more like an artifact from the migration we did a while ago.

Unearthed2112 commented 2 months ago

Thank you! I think this should be enough proof for NexusIQ's support team.

For any other readers who also use NexusIQ, I'm putting in a ticket with them about this :)

Unearthed2112 commented 1 month ago

Update:

Sonatype/NexusIQ is not going to fix this on their end despite the proof here in this thread, not until the PyPI page gets updated to show it doesn't have "proprietary" in it. It seems it's their process to rely on PyPI exclusively as the source of truth.

"Best option would be to request the package developer to update this License Classifier to correct license, as pypi uses this classifier to correctly identify the license associated with the component."

Honestly, this has caused too much wasted time on my end already, so I'm just going to waive the license false positive in NexusIQ. @codie3611 If you would like, I can open another issue for this if you believe it would be valuable/worth your time to fix. Just let me know.

Thank you again.

codie3611 commented 1 month ago

I just wonder how to fix it as it is explicitly specified as BSD-3.

Unearthed2112 commented 1 month ago

From what the Sonatype support folks told me, you have to fix it by changing the License classifier in the PKG-INFO file that comes with the tar bundle or whl file when downloaded from PyPI.

[screenshot, 2024-03-22]

From googling a bit, I get the impression that file gets created when you create a PyPI package? I'm not sure though.

codie3611 commented 1 month ago

Hmmm, weird, as the repo does not contain the classifier anymore.