pilosus / pip-license-checker

Check license types for third-party dependencies: permissive, copyleft, proprietary, etc.
https://blog.pilosus.org/posts/2021/09/07/pip-license-checker/

Add Artistic license to permissive list #45

Closed pilosus closed 3 years ago

pilosus commented 3 years ago

https://en.wikipedia.org/wiki/Artistic_License

quassy commented 3 years ago

I'm not sure if that is an issue with the GitHub Action which might not use the latest version of pip-license-checker, how licenses are prioritized for the overall “rating” or with how the package declares its two licenses, but at least for text-unidecode I get a (for me) false positive.

text-unidecode:1.3                  Artistic License, GNU General Public License (GPL), GNU General Public License v2 or later (GPLv2+) StrongCopyleft

As I can use text-unidecode under the permissive Artistic License I would like to have a way that the check succeeds here. Is this an error or is there any way to change the priority of the rating?

P.S.: Also, thanks for this project! It makes my life quite a bit easier 😉.

pilosus commented 3 years ago

@quassy dual-license cases are tricky to automate. Although in the majority of the cases that I've seen dual- or multi-licensing means "choose either of the following licenses", it's not necessarily true for all the cases. Sometimes multi-licensing requires complying with the terms and conditions of all the licenses listed. Detecting the conditions of multi-licensing (either of/all of) may require some more sophisticated heuristics. It's error-prone because we will need to deal with natural language like in text-unidecode's license.

There are some attempts to codify multi-licensing info in an unambiguous way, e.g. using SPDX license ids:

EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0

I even got a ticket to incorporate SPDX ids into the project. Once implemented, it would be easier to add some kind of option flag to alter behaviour for checking multi-licensed deps (like preferring the most permissive).

For now, the behaviour for multi-licensed deps is just as for anything else: we try to detect with the most "restrictive" licenses first, then less restrictive and eventually permissive ones. That's why we detect copyleft GPL in text-unidecode rather than permissive Artistic to stay on the safer side.

For now, I would advise simply using the --exclude option (exclude input field in GHA), e.g. something like that:

--exclude '^(text-unidecode|cchardet|your-company-packages-prefix[-_]).*'

You may also have some kind of separate checks for excluded packages once in a while, just in case they change their license (it's more relevant for the packages in their early stage of development).
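The rating rule described above (match the most restrictive license first, so a dual-licensed package such as text-unidecode rates as StrongCopyleft), the "prefer the most permissive" flag sketched as a future option, and the --exclude regex check, as an added illustration that is not pip-license-checker's own code; the rating names and regex patterns are constructed for this example and are an assumption, not the project's real matching tables.

```python
import re

# Constructed for this example: ratings ordered from most to least restrictive,
# each with regexes that signal that rating in a package's license metadata.
# The real pip-license-checker tables are larger; these are only an assumption.
RATINGS = [
    ("StrongCopyleft", [r"\bGNU General Public License\b", r"\bGPL", r"\bAGPL"]),
    ("WeakCopyleft", [r"\bLesser General Public License\b", r"\bLGPL",
                      r"\bMozilla Public License\b", r"\bMPL"]),
    ("Permissive", [r"\bArtistic License\b", r"\bMIT\b", r"\bBSD\b", r"\bApache"]),
]

# License string from the thread for text-unidecode 1.3 (copied, not constructed).
TEXT_UNIDECODE = ("Artistic License, GNU General Public License (GPL), "
                  "GNU General Public License v2 or later (GPLv2+)")

# The --exclude pattern suggested in the thread.
EXCLUDE = r"^(text-unidecode|cchardet|your-company-packages-prefix[-_]).*"


def matched_ratings(license_text):
    """Every rating whose patterns appear in the text, most restrictive first."""
    found = []
    for rating, patterns in RATINGS:
        if any(re.search(p, license_text, re.IGNORECASE) for p in patterns):
            found.append(rating)
    return found


def rate(license_text, prefer_permissive=False):
    """Default: first (most restrictive) hit wins, the safe-side rule from the
    thread. prefer_permissive models the hypothetical future flag."""
    found = matched_ratings(license_text)
    if not found:
        return "Other"
    return found[-1] if prefer_permissive else found[0]


def is_excluded(package, exclude_regex=EXCLUDE):
    """True when the package name is skipped by the --exclude regex."""
    return re.match(exclude_regex, package) is not None


if __name__ == "__main__":
    print(matched_ratings(TEXT_UNIDECODE))            # ['StrongCopyleft', 'Permissive']
    print(rate(TEXT_UNIDECODE))                       # StrongCopyleft
    print(rate(TEXT_UNIDECODE, prefer_permissive=True))  # Permissive
    print(is_excluded("text-unidecode"), is_excluded("requests"))  # True False
```

Note that the permissive-first variant is only safe when the metadata really means "either of"; for an "all of" multi-license it would hide the copyleft obligation, which is why the default keeps the restrictive rating.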

pilosus commented 3 years ago

I'll cover multi-licensed deps' checks in the docs Q&A section, see #93