snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

Use SPDX short code for license in Pyproject.toml #297

Closed schallis closed 1 year ago

schallis commented 1 year ago

I noticed that the license for this project on PyPI lists two licenses (BSD License, Other/Proprietary License (BSD)) when it should probably only list the first.

Software supply chain tools like Sonatype rely on these fields being set correctly when determining whether to block or allow packages to be installed. Because a license of type Other/Proprietary is being shown on PyPI, Sonatype is restricting access to this package for my organization even though it is BSD licensed and valid for commercial use. I believe this is because the pyproject.toml license attribute is set to an unrecognized string and thus mapped to Other/Proprietary.

This PR attempts to fix the issue by instead specifying a valid SPDX short code as specified in the Poetry docs.

JonasKs commented 1 year ago

Thanks! 😊
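
The metadata symptom described in the PR can be checked before publishing. The following is an added example, not code from this project or from the PR: it audits the license fields of a package's core metadata the way a policy gate might. The sample metadata, the package name `example-package`, the finding codes and the short SPDX subset are all constructed for illustration.

```python
from email.parser import Parser

# Constructed core-metadata samples (PKG-INFO style), not taken from the project.
SAMPLE_BEFORE = """\
Metadata-Version: 2.1
Name: example-package
Version: 0.0.0
License: BSD
Classifier: License :: OSI Approved :: BSD License
Classifier: License :: Other/Proprietary License
Classifier: Programming Language :: Python :: 3
"""

SAMPLE_AFTER = """\
Metadata-Version: 2.1
Name: example-package
Version: 0.0.0
License: BSD-2-Clause
Classifier: License :: OSI Approved :: BSD License
Classifier: Programming Language :: Python :: 3
"""

# Constructed subset of SPDX short identifiers; a real gate would load the
# full SPDX license list instead.
KNOWN_SPDX = {"BSD-2-Clause", "BSD-3-Clause", "MIT", "Apache-2.0"}


def audit_license_metadata(metadata_text):
    """Return {finding_code: detail} for license fields a policy tool may reject."""
    msg = Parser().parsestr(metadata_text, headersonly=True)
    license_field = (msg.get("License") or "").strip()
    license_classifiers = [
        c.strip() for c in msg.get_all("Classifier", [])
        if c.strip().startswith("License ::")
    ]
    findings = {}
    if license_field not in KNOWN_SPDX:
        findings["license-not-spdx"] = license_field or "<missing>"
    proprietary = [c for c in license_classifiers if "Other/Proprietary" in c]
    if proprietary:
        findings["proprietary-classifier"] = proprietary[0]
    if len(license_classifiers) > 1:
        findings["multiple-license-classifiers"] = "; ".join(license_classifiers)
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_license_metadata(text) or "no findings")
```
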