Closed pilosus closed 3 years ago

I'm not sure if that is an issue with the GitHub Action, which might not use the latest version of pip-license-checker, with how licenses are prioritized for the overall "rating", or with how the package declares its two licenses, but at least for `text-unidecode` I get a (for me) false positive.

```
text-unidecode:1.3 Artistic License, GNU General Public License (GPL), GNU General Public License v2 or later (GPLv2+) StrongCopyleft
```

As I can use `text-unidecode` under the permissive Artistic License, I would like to have a way that the check succeeds here. Is this an error, or is there any way to change the priority of the rating?

P.S.: Also, thanks for this project! It makes my life quite a bit easier 😉.
@quassy dual-license cases are tricky to automate. Although in the majority of the cases that I've seen dual- or multi-licensing means "choose either of the following licenses", it's not necessarily true for all the cases. Sometimes multi-licensing requires complying with the terms and conditions of all the licenses listed. Detecting the conditions of multi-licensing (either of/all of) may require some more sophisticated heuristics. It's error-prone because we will need to deal with natural language like in `text-unidecode`'s license.

There are some attempts to codify multi-licensing info in an unambiguous way, e.g. using SPDX license ids:

```
EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
```

I even got a ticket to incorporate SPDX ids into the project. Once implemented, it would be easier to add some kind of option flag to alter behaviour for checking multi-licensed deps (like preferring the most permissive).
For now, the behaviour for multi-licensed deps is just as for anything else: we try to detect the most "restrictive" licenses first, then less restrictive and eventually permissive ones. That's why we detect copyleft GPL in `text-unidecode` rather than permissive [Artistic](https://en.wikipedia.org/wiki/Artistic_License), to stay on the safer side.

For now, I would advise simply using the `--exclude` option (`exclude` input field in GHA), e.g. something like that:

```
--exclude '^(text-unidecode|cchardet|your-company-packages-prefix[-_]).*'
```

You may also have some kind of separate checks for excluded packages once in a while, just in case they change their license (it's more relevant for the packages in their early stage of development).

I'll cover multi-licensed deps' checks in the docs Q&A section, see #93
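The three mechanisms discussed in this thread (rating a multi-licensed package by its most restrictive license, an SPDX `OR`/`AND` expression where only `OR` would let a checker prefer the permissive option, and the `--exclude` regex) as one small added model in Python. This is example code written for this page, not pip-license-checker's own implementation: the category names, the regex-to-category table, the `strict`/`permissive` policy names and the two made-up packages in the sample input are all assumptions, and the SPDX handling is deliberately limited to top-level `AND`/`OR` without parentheses.

```python
import re

# Category ranking used by this model: higher = more restrictive.
RANK = {"Permissive": 0, "WeakCopyleft": 1, "StrongCopyleft": 2}

# Assumed heuristics (not the tool's real tables). Order matters: the weak
# copyleft row must come first so "Lesser General Public" / LGPL is not
# swallowed by the GPL pattern below it.
LICENSE_PATTERNS = [
    (r"\bLGPL|Lesser General Public|\bMPL\b|Mozilla Public|\bEPL\b|Eclipse Public", "WeakCopyleft"),
    (r"\bA?GPL|General Public License|Affero", "StrongCopyleft"),
    (r"\bMIT\b|\bBSD\b|Apache|Artistic|\bISC\b|Zlib|Unlicense", "Permissive"),
]


def categorize(license_name):
    """Map one license name (PyPI classifier or SPDX id) to a category."""
    for pattern, category in LICENSE_PATTERNS:
        if re.search(pattern, license_name, re.IGNORECASE):
            return category
    return "Other"  # unknown: recognised as neither permissive nor copyleft


def _combine(categories, policy):
    """Fold several categories into one rating.

    'strict' keeps the most restrictive known category (the behaviour the
    maintainer describes above); 'permissive' keeps the least restrictive
    one. Unknown ('Other') entries only win when nothing else is recognised.
    """
    known = [c for c in categories if c in RANK]
    if not known:
        return "Other"
    pick = max if policy == "strict" else min
    return pick(known, key=RANK.__getitem__)


def rate(license_names, policy="strict"):
    """Rate a package that lists several licenses with no AND/OR semantics."""
    return _combine([categorize(n) for n in license_names], policy)


def rate_spdx(expression, policy="strict"):
    """Rate an SPDX expression with top-level AND/OR (no parentheses).

    OR lets the policy choose; AND means every term must be satisfied, so
    the strictest term governs whatever the policy says.
    """
    expr = expression.strip()
    if " OR " in expr:  # OR binds loosest in SPDX, so split on it first
        return _combine([rate_spdx(p, policy) for p in expr.split(" OR ")], policy)
    if " AND " in expr:
        return _combine([rate_spdx(p, policy) for p in expr.split(" AND ")], "strict")
    # "<license> WITH <exception>": the exception does not change the category here
    return categorize(expr.split(" WITH ")[0])


def is_excluded(package_name, exclude_regex):
    """True when the package matches the exclude regex (anchored as written)."""
    return re.search(exclude_regex, package_name) is not None


def check(packages, policy="strict", exclude_regex=None):
    """Return {package: rating} for every package not removed by the exclude regex."""
    report = {}
    for name, licenses in packages:
        if exclude_regex and is_excluded(name, exclude_regex):
            continue
        report[name] = rate(licenses, policy)
    return report


# Constructed sample input: text-unidecode's classifiers as quoted in the
# thread, plus two made-up packages to exercise the other branches.
SAMPLE_PACKAGES = [
    ("text-unidecode", ["Artistic License",
                        "GNU General Public License (GPL)",
                        "GNU General Public License v2 or later (GPLv2+)"]),
    ("requests", ["Apache Software License"]),
    ("your-company-packages-prefix-tool", ["Proprietary"]),
]
EXCLUDE = r"^(text-unidecode|cchardet|your-company-packages-prefix[-_]).*"

if __name__ == "__main__":
    for policy in ("strict", "permissive"):
        print(policy, check(SAMPLE_PACKAGES, policy))
    print("with exclude:", check(SAMPLE_PACKAGES, exclude_regex=EXCLUDE))
    spdx = "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
    print("SPDX strict:", rate_spdx(spdx), "permissive:", rate_spdx(spdx, "permissive"))
```

Under the `strict` policy `text-unidecode` rates as StrongCopyleft exactly as in the report quoted at the top of the issue; under `permissive` the same classifier list rates as Permissive. The SPDX path shows why an expression language matters: `OR` is the only case where a "prefer most permissive" flag is sound, while `AND` must stay strict because every term has to be complied with. The exclude regex from the maintainer's reply drops `text-unidecode` and any `your-company-packages-prefix-` package from the report, which is why a periodic separate check of excluded packages is still worth running.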