pilosus / pip-license-checker

Check license types for third-party dependencies: permissive, copyleft, proprietary, etc.
https://blog.pilosus.org/posts/2021/09/07/pip-license-checker/

Incorrect license detection for Python package built with poetry package manager #81

Closed pilosus closed 3 years ago

pilosus commented 3 years ago

aiofiles license on PyPI is detected as:

Other/Proprietary License (Apache 2.0)

although the pyproject.toml clearly specifies Apache 2.0, just like the LICENSE file.

It could happen if poetry build somehow inserts the wrong trove classifier License :: Other/Proprietary License into the project's metadata.

pilosus commented 3 years ago

It could happen if poetry build somehow inserts the wrong trove classifier License :: Other/Proprietary License into the project's metadata.

This is exactly what happens:

➜  aiofiles-0.7.0.dist-info git:(master) pwd
/home/vitaly/.pyenv/versions/3.9.6/envs/py396/lib/python3.9/site-packages/aiofiles-0.7.0.dist-info

➜  aiofiles-0.7.0.dist-info git:(master) grep -r 'License' METADATA
License: Apache 2.0
Classifier: License :: Other/Proprietary License

The poetry docs say:

The license property will also set the License classifier automatically.

To make that automation happen properly, the license property has to contain an SPDX Open Source License Registry identifier (see the list in poetry's source code).

aiofiles uses an incorrect license identifier:

- license = "Apache 2.0"
+ license = "Apache-2.0"

A pull request to aiofiles to fix that is needed :-)
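The mismatch described in this comment, a free-text License field that poetry could not map and a fallback Other/Proprietary classifier, can be detected directly from a wheel's METADATA. The following is an added example in Python, not pip-license-checker's own code: the METADATA excerpt is constructed from the fields quoted above, and the small SPDX alias table is a hand-made assumption, not poetry's list.

```python
"""Reconcile the License field with License classifiers in wheel METADATA."""
import re
from email.parser import HeaderParser

# Constructed METADATA excerpt mirroring the fields shown in the issue.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: aiofiles
Version: 0.7.0
License: Apache 2.0
Classifier: License :: Other/Proprietary License
"""

# Hand-made mapping (assumption, not poetry's table): normalized free-text
# license strings -> SPDX identifier that poetry would map to a classifier.
SPDX_ALIASES = {
    "apache 2.0": "Apache-2.0",
    "apache-2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "mit": "MIT",
    "bsd-3-clause": "BSD-3-Clause",
}

def parse_metadata(text):
    """Return (License field, [License :: ... classifiers]) from METADATA."""
    msg = HeaderParser().parsestr(text)  # METADATA uses RFC 822 style headers
    classifiers = [c for c in msg.get_all("Classifier", [])
                   if c.startswith("License ::")]
    return msg.get("License"), classifiers

def normalize(license_field):
    """Map a free-text License value to an SPDX id, or None if unknown."""
    key = re.sub(r"\s+", " ", license_field.strip().lower())
    return SPDX_ALIASES.get(key)

def check(text):
    """Flag a generic Other/Proprietary classifier that contradicts a
    recognizable open-source License field (the aiofiles 0.7.0 case)."""
    field, classifiers = parse_metadata(text)
    spdx = normalize(field) if field else None
    generic = any("Other/Proprietary" in c for c in classifiers)
    return {"license_field": field, "spdx": spdx,
            "classifiers": classifiers, "mismatch": generic and spdx is not None}

if __name__ == "__main__":
    print(check(SAMPLE_METADATA))
```

When `mismatch` is true, the License field (here mapping to Apache-2.0) is the more trustworthy signal, and the SPDX id it maps to is what the upstream pyproject.toml `license` property should contain.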

pilosus commented 3 years ago

Already fixed in pre-release version 0.8.0dev0. Nothing to fix from our end.