Find "real" license with copyright information in github.com #157
In many cases, the license referenced from NuGet is a generic license that contains placeholders and no copyright information, e.g.:

Would it be feasible to follow the package URL to try to heuristically find and download the real license file from there? It would be sufficient to look in the root directory for "LICENSE.*".

Comments

Hmm, honestly I'm not too fond of adding special casing for github (I know we already do something like this). Unfortunately it's not a valid assumption that all nuget packages are developed on github. Others may not provide the packageurl field. What's wrong with the generic license? The generic license should be sufficient to validate that it's safe to use the dependency. If you want to attribute the author, why not use the other nuget information? Can you provide a detailed description of your use case? Also if there is something missing in the app, feel free to work on Pull Requests to add to it.

Thanks for your quick reply. I believe including the generic license does not fulfil the legal requirements of the license itself, because the generic license is actually just a template. For example, the MIT license very often referenced from NuGet literally says:

Clearly, this is not a valid license, and including this template would not satisfy the actual requirement. The actual license looks something like this:

Even though not all packages are developed on github and not all packages include a package URL, I believe a best-effort approach (enabled by an optional flag) would already improve the situation.

I'm not a lawyer and thus cannot judge whether the template is a valid license. There are a few factors that make me believe it is though. NuGet has moved away from including licenses in the package but rather using SPDX identifiers. Those are then used to query https://licenses.nuget.org. If the templates were not proper licenses that approach would not be a good one... The main reason I hate best effort attempts is that this adds a lot of unpredictability. So you may or may not be able to find the license even though a package does properly specify a license...
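The best-effort lookup proposed in the issue (follow a github.com package URL, look for LICENSE.* in the repository root, and prefer it over the placeholder-bearing template) as an added example; this is not code from the project or from anyone in the thread. The placeholder patterns, the candidate file names, the `ref` default, the `fetch` callback and the constructed license texts are all assumptions for the example, and the fetcher is an in-memory dictionary so it runs offline.

```python
import re
from urllib.parse import urlparse

# Placeholder tokens left in SPDX-style templates (e.g. MIT's "<year>") that a
# license a project actually ships has filled in. Assumed list for this example.
PLACEHOLDER_RE = re.compile(
    r"<\s*(year|copyright holders?|owner|name of author)\s*>|\[year\]|\[fullname\]", re.I
)

# Root-level file names to try, in order. Assumed list, not the project's.
LICENSE_NAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE", "LICENCE.md", "COPYING")


def is_license_template(text: str) -> bool:
    """True when unfilled placeholders remain, i.e. the text is the generic
    template rather than a license carrying copyright information."""
    return PLACEHOLDER_RE.search(text) is not None


def github_license_candidates(project_url: str, ref: str = "main") -> list[str]:
    """Map a NuGet project URL on github.com to raw URLs of LICENSE.* in the repo
    root. Returns [] for anything that is not a github.com/<owner>/<repo> URL,
    so the caller falls back to the generic license instead of guessing."""
    u = urlparse(project_url)
    if u.netloc.lower() not in ("github.com", "www.github.com"):
        return []
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2:
        return []
    owner, repo = parts[0], parts[1].removesuffix(".git")
    return [f"https://raw.githubusercontent.com/{owner}/{repo}/{ref}/{n}" for n in LICENSE_NAMES]


def resolve_license(project_url: str, generic_text: str, fetch) -> tuple[str, str]:
    """fetch(url) -> text or None (assumed callback). Returns (source, text): the
    first candidate that is a real license, else the template, labelled as such.
    A repo that committed the unfilled template is treated like no license."""
    for url in github_license_candidates(project_url):
        text = fetch(url)
        if text and not is_license_template(text):
            return ("repository", text)
    return ("generic-template", generic_text)


# Constructed sample data: what licenses.nuget.org-style templates and a
# project's own LICENSE.txt might look like.
GENERIC_MIT = "MIT License\n\nCopyright (c) <year> <copyright holders>\n\nPermission is hereby granted..."
REAL_MIT = "MIT License\n\nCopyright (c) 2019 Example Corp\n\nPermission is hereby granted..."
FAKE_REPO = {"https://raw.githubusercontent.com/example/pkg/main/LICENSE.txt": REAL_MIT}


def demo() -> tuple[str, str]:
    return resolve_license("https://github.com/example/pkg", GENERIC_MIT, FAKE_REPO.get)
```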