license-gather: Handling of multi-license dependencies

[DreierF]

Dependencies that specify multiple licenses in the POM file are currently a bit hard to deal with. The code assumes when multiple licenses are given that all need to apply (AND). While this obviously does not make any error it seems too strict to me.

The Maven POM specification states:

licenses/license* List<License> (Many) This element describes all of the licenses for this project. Each license is described by a license element, which is then described by additional elements. Projects should only list the license(s) that applies to the project and not the licenses that apply to dependencies. If multiple licenses are listed, it is assumed that the user can select any of them, not that they must accept all.

While there are various older resources stating that that the semantics are not defined in that case, the spec makes this pretty clear.

Currently I have to override the licenses for all those dependencies. But just overriding is also not very safe as it needs to be re-checked whether licenses have been removed for example after an update. I guess this is where the expectedLicense option comes into play, but listing those sometimes 5 licenses as a conjunction expression is a bit tedious.

But I think this could work better out of the box by implementing the semantic as stated in the specs of using OR to combine multiple licenses. I have not yet encountered any dependency where this was supposed to mean AND.

Other options

• Introduce a global option that specifies whether AND/OR should should be chosen
• Add a DSL to specify per module whether AND or OR was the semantic intended by the author

[vlsi]

While this obviously does not make any error it seems too strict to me.

I just wanted to play on the safe side: AND is stricter, so if your validation passes both, you are likely to be fine. On the other hand, if the plugin assumes OR while the author meant AND, you might have licensing troubles.

---

How about the following?

https://github.com/apache/jmeter/blob/af7fc4d56bffab352843cc87514ab9ed19bdad32/src/licenses/build.gradle.kts#L138-L142

AFAIK the intended license in com.sun.mail:all was AND:

    overrideLicense("com.sun.mail:all:1.5.0-b01") {
        // Multiple licenses, specify explicitly
        expectedLicense = SimpleLicense("CDDL", uri("http://www.sun.com/cddl")) and SimpleLicense("GPLv2+CE", uri("https://glassfish.java.net/public/CDDL+GPL_1_1.html"))
        effectiveLicense = SpdxLicense.CDDL_1_0 and (SpdxLicense.GPL_2_0_or_later with SpdxLicenseException.Classpath_exception_2_0)
    }

there's one more as well:

    overrideLicense("xpp3:xpp3_min:1.1.4c") {
        // pom.xml contains multiple licenses
        expectedLicense = SpdxLicense.CC0_1_0 and
            SimpleLicense(
                "Indiana University Extreme! Lab Software License, vesion 1.1.1",
                uri("http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt")
            )
        effectiveLicense = SpdxLicense.CC0_1_0 and ExtraLicense.Indiana_University_1_1_1
    }

---

But just overriding is also not very safe as it needs to be re-checked whether licenses have been removed for example after an update

That is why you can have: a) version-specific overrides, so the next time you update the override won't apply b) expectedLicense=... so the override would fail if the detected license changes

---

The Maven POM specification states:

Frankly speaking, the POM spec leaves no way for AND/OR, it leaves no way for SPDX (or other ids), so I would rather ignore "the specification" since it just can't work: there always be and vs or errors.

---

Introduce a global option that specifies whether AND/OR should be chosen Add a DSL to specify per module whether AND or OR was the semantic intended by the author

It might work

[DreierF]

Fair enough. I can live with that 🙂

Thanks for the example though. I did not now about the and operator notation yet. That makes writing the expressions indeed easier.