pilosus / pip-license-checker

Check license types for third-party dependencies: permissive, copyleft, proprietory, etc.
https://blog.pilosus.org/posts/2021/09/07/pip-license-checker/
Other
69 stars 3 forks source link

Use SPDX license identifiers #85

Open pilosus opened 3 years ago

pilosus commented 3 years ago

We must adopt the SPDX License List. Because SPDX license identifiers are precise, unambiguous, short and become to be adopted little by little (see more details).

The exact matching with the SPDX id means the exact license name and version, which in turn means the exact license type. SPDX id exact matching must be a prioritized way of license name/type detection with the fallback to existing heuristics.

Having an unambiguous license identifier means that in addition to excluding licenses with the --exclude-license REGEX option we could also exclude licenses by predefined identifiers.

Preliminary TODO

  1. Introduce SPDX ids map (Clojure's keyword to a string holding a SPDX id)
  2. Introduce a mapping SPDX id to License type (public domain, permissive, weak/strong/network copyleft, proprietory, etc.)
  3. Revise existing regex (PCRE) to match a license's SPDX id, instead of a license type. See SPDX matching guidelines
PCRE -> SPDX id -> License type
  1. Include SPDX id to the report's output (sure enough, only free/libre/open-source licenses expected to have an SPDX id, others should get an NA or equivalent)
| Package           | License Name                               | License ID                | License Type   |
| package1:0.1.2    | Apache 2.0 License                         | Apache-2.0                | Permissive     |
| package2:3.141592 | GNU General Public License v2 or any later | GPL-2.0-or-later          | StrongCopyleft |
| package3:21.09    | Other/Proprietary License (EULA)           | NA                        | Other          |
| package4          | GPL-3.0 Linking Exception                  | GPL-3.0-linking-exception | WeakCopyleft   |
| package5:2.19.2   | null                                       | NA                        | Error          |

Could be, possibly, an optional column turned on/off with the option flag?

  1. Introduce --exclude-license-id option to exclude by SPDX id
  2. Introduce --fail-license-id option to fail if a package with the provided license SPDX id found
  3. Introduce stats for SPDX ids found with --stats-by-license-id option
  4. (breaking change) Change --with-totals to --stats-by-license-type to provide stats for license types found a
pilosus commented 3 years ago

NB: SPDX got a dedicated page for tooling supporting SPDX license ids. May be worth contacting