rust-lang / cargo

The Rust package manager
https://doc.rust-lang.org/cargo
Apache License 2.0

Cargo should warn during publish if a user's selected license(s) require including some text that's missing #9972

Open durin42 opened 3 years ago

durin42 commented 3 years ago

Describe the problem you are trying to solve

As we've been working on deploying a supported Rust compiler at work, we've hit some snags with crates that are MIT and/or Apache2 licensed, but don't include the license text(s). Per our OSS compliance folks, the text of MIT and Apache 2 have specific text that needs to be included with the distribution (e.g. MIT: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."; Apache2 has "You must give any other recipients of the Work or Derivative Works a copy of this License").

Describe the solution you'd like

Cargo should issue a warning during cargo publish if the required texts are missing, since technically the archive doesn't comply with the terms of the declared license.

Notes

I assume there are other licenses where this happens, but these two seem to come up a lot in our experience.

Eh2406 commented 3 years ago

There is some previous discussion at https://github.com/rust-lang/cargo/issues/8537. My understanding is that this is the same behavior as other packaging tools. So how do you deal with it for npm?

durin42 commented 3 years ago

Node is still strongly discouraged for us, so we may see less of it (and it's unclear how often the human reviewers catch it). When we see the problem, we end up sending the importer to upstream to ask them to include the LICENSE text.

I'm trying to head off the problem at the source, by proposing that cargo warn people when they've got an inconsistency between their SPDX declaration and the contents of the archive (since by omitting these license texts the distribution doesn't meet the terms of the claimed license). Does that make sense?

I agree #8537 is semi-related, but this is about a guard-rail that the SPDX identifier is consistent with the reality of the distribution (we don't need the license text in the license-file field, just somewhere in the archive, though I suppose it'd be nicer if the text was in the license-file?).
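
The guard-rail described above, as an added worked example for this page: it is not cargo's code and not part of any proposal in this thread. It models the package archive as a list of (path, contents) pairs, takes the bare identifiers out of the manifest's `license` expression, and reports every declared license for which no license file in the archive carries the notice clause quoted in the issue (MIT and Apache-2.0 are the only two with a known clause here; for any other identifier the check only asks that some LICENSE/COPYING file exists). The `LicenseRule`, `license_ids`, `missing_license_texts` and `publish_warnings` names, the file-name heuristic, and the simplified SPDX handling (separators only, `WITH` exceptions dropped, boolean structure not evaluated) are all assumptions of this example, and the license bodies in `main` are constructed excerpts, not full license texts.

```rust
// Added example (not cargo's own code): a publish-time check that the texts
// required by the declared SPDX licenses are present in the package archive.
// Only std is used; the archive is modelled as (path, contents) pairs.

/// A license whose text carries a recognizable notice clause.
/// Only the two licenses discussed in the issue are listed; each fingerprint is a
/// sentence from the license's own text that every faithful copy contains.
struct LicenseRule {
    id: &'static str,
    fingerprint: &'static str,
}

const RULES: &[LicenseRule] = &[
    LicenseRule {
        id: "MIT",
        fingerprint: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.",
    },
    LicenseRule {
        id: "Apache-2.0",
        fingerprint: "You must give any other recipients of the Work or Derivative Works a copy of this License",
    },
];

/// Extract the bare license identifiers from a Cargo `license` field.
/// Assumption/simplification: `AND`, `OR`, `/` (the old cargo separator) and parentheses
/// are treated as separators and `WITH <exception>` is dropped. The boolean structure is
/// not evaluated on purpose: a dual-licensed crate must ship the text of every alternative
/// so that a downstream user can actually choose one.
fn license_ids(expr: &str) -> Vec<String> {
    let mut ids: Vec<String> = Vec::new();
    let mut after_with = false;
    for tok in expr.split(|c: char| c.is_whitespace() || matches!(c, '/' | '(' | ')')) {
        if tok.is_empty() {
            continue;
        }
        if after_with {
            after_with = false; // this token is an exception id, not a license
            continue;
        }
        match tok.to_ascii_uppercase().as_str() {
            "AND" | "OR" => {}
            "WITH" => after_with = true,
            _ => {
                let id = tok.trim_end_matches('+').to_string();
                if !ids.contains(&id) {
                    ids.push(id);
                }
            }
        }
    }
    ids
}

/// Heuristic (assumption): a license file is LICENSE*, LICENCE* or COPYING* at any depth.
fn is_license_file(path: &str) -> bool {
    let name = path.rsplit('/').next().unwrap_or(path).to_ascii_uppercase();
    name.starts_with("LICENSE") || name.starts_with("LICENCE") || name.starts_with("COPYING")
}

/// Return the declared license ids for which no text was found in the archive.
/// For licenses with a known fingerprint the *contents* of some license file must contain it
/// (so an empty LICENSE-MIT does not pass); for other ids any license file is accepted,
/// because there is nothing to match against.
fn missing_license_texts(license_expr: &str, files: &[(&str, &str)]) -> Vec<String> {
    let license_files: Vec<&(&str, &str)> = files.iter().filter(|(p, _)| is_license_file(p)).collect();
    license_ids(license_expr)
        .into_iter()
        .filter(|id| match RULES.iter().find(|r| r.id == id.as_str()) {
            Some(rule) => !license_files.iter().any(|(_, body)| body.contains(rule.fingerprint)),
            None => license_files.is_empty(),
        })
        .collect()
}

/// Warnings a publish step could print for a manifest with the given
/// `license` / `license-file` fields and the given archive contents.
fn publish_warnings(license: Option<&str>, license_file: Option<&str>, files: &[(&str, &str)]) -> Vec<String> {
    let mut warnings = Vec::new();
    if let Some(path) = license_file {
        if !files.iter().any(|(p, _)| *p == path) {
            warnings.push(format!("license-file `{}` is not included in the package", path));
        }
    }
    if let Some(expr) = license {
        for id in missing_license_texts(expr, files) {
            warnings.push(format!(
                "manifest declares license `{}` but the package contains no file with its text",
                id
            ));
        }
    }
    warnings
}

fn main() {
    // Constructed sample archives: only the notice clauses are reproduced, not the full texts.
    let mit = "Permission is hereby granted ... The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.";
    let apache = "Apache License Version 2.0 ... You must give any other recipients of the Work or Derivative Works a copy of this License; and ...";
    let complete = [("Cargo.toml", ""), ("src/lib.rs", ""), ("LICENSE-MIT", mit), ("LICENSE-APACHE", apache)];
    let partial = [("Cargo.toml", ""), ("src/lib.rs", ""), ("LICENSE-MIT", mit)];
    for (name, files) in [("complete", &complete[..]), ("partial", &partial[..])] {
        println!("{}: {:?}", name, publish_warnings(Some("MIT OR Apache-2.0"), None, files));
    }
}
```

Matching on a sentence from the license body rather than on the file name is what makes the check survive the cases raised in this thread: a single LICENSE file that concatenates both texts passes, an empty or placeholder LICENSE-MIT does not, and the `license-file` field stays optional, so dual-licensed crates that set only `license` are still checked.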

Manishearth commented 3 years ago

Note that license-file is often not set for dual licensed projects since there are multiple license files, and the vast majority of crates.io is dual licensed. (Perhaps we should also allow for arrays in license-file)

decathorpe commented 2 years ago

Sorry for creating a basically duplicate RFE, I closed mine in favor of this one.

I just want to mention that those crates that are non-compliant with their own licenses are also a problem for Linux distributions who want to package them (as compliance with the upstream license is a strict requirement there). And I imagine that crates.io should also not be happy with redistributing sources that are not compliant with the author's license(s) of choice (even if that's the author's fault) ...

JanBeh commented 1 year ago

Related feature request: #12053.