On 07-04-2024 13:10, Jan Alexander Steffens (heftig) wrote:
Hi Arvid,
Thanks for bringing this issue to my attention and your detailed email
about it. I'm CC'ing our public development mailing list in this
response so our other maintainers get informed, too.
I agree that Arch needs a solution for this eventually. Unlike Fedora
we do not package Rust libraries so I think we need some help from
Cargo for this. Preferably from upstream, but a third-party tool would
work as well.
Ideally, I think we would create an SPDX license expression from
the entire crate tree and then simplify it, e.g. to turn `(MIT) AND
(MPL-2.0 OR MIT) AND (MIT AND BSD-2-Clause) AND (MPL-2.0 OR
BSD-3-Clause)` into `MIT AND BSD-2-Clause AND (MPL-2.0 OR
BSD-3-Clause)`. Or perhaps even simpler if the tool had knowledge
about which licenses are covered by others.
We could call such a tool in the `package()` function to set the
`license` for the package.
I'm not sure how feasible this would be. Are crates required to use
SPDX expressions?
Greetings,
Jan

Hey,
Replying on the general mailing list since the dev list is staff only.
The license field of the pacman package is actually only a secondary
concern. Many libraries have a license that requires shipping the
copyright information along with binary distributions (such as MIT and
BSD licenses). This is more than just the name or SPDX identifier of the
license.
Usually, it is included at the top of a license file and it would look
like this:
> Copyright (c) 2024, Maarten de Vries
There are tools to help with this:
https://crates.io/crates/cargo-bundle-licenses
https://crates.io/crates/cargo-lichking
Personally I think having an incomplete SPDX identifier in the pacman
package is not in itself a license violation as long as the individual
license files are shipped with the package. Although it would certainly
be nice for tooling if the package information is complete too.
Kind regards,
Maarten de Vries
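
The simplification Jan describes above, as an added example that is not part of either message or of any existing tool: it parses an SPDX expression limited to `AND`, `OR` and parentheses, converts it to conjunctive normal form and applies the absorption law. The names `to_cnf` and `simplify` are chosen for this example, and `WITH` exceptions and non-SPDX separators are rejected rather than guessed at.

```python
import re
from itertools import product

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
# The expression from Jan's message above.
JAN_EXAMPLE = "(MIT) AND (MPL-2.0 OR MIT) AND (MIT AND BSD-2-Clause) AND (MPL-2.0 OR BSD-3-Clause)"

def to_cnf(expr):
    """Parse AND/OR/parentheses into CNF: a set of OR-clauses that must all hold."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"unsupported characters in {expr!r}")
    toks.append(None)                    # end marker, so toks[0] is always readable
    order = {}                           # license id -> first appearance, for stable output
    def atom():
        tok = toks.pop(0)
        if tok == "(":
            inner = or_expr()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in (None, ")", "AND", "OR", "WITH"):
            raise ValueError(f"expected a license id, got {tok!r}")
        order.setdefault(tok, len(order))
        return {frozenset([tok])}
    def and_expr():                      # AND binds tighter than OR
        cnf = atom()
        while toks[0] == "AND":
            toks.pop(0)
            cnf |= atom()
        return cnf
    def or_expr():
        cnf = and_expr()
        while toks[0] == "OR":           # distribute OR over the AND-ed clauses
            toks.pop(0)
            cnf = {a | b for a, b in product(cnf, and_expr())}
        return cnf
    cnf = or_expr()
    if toks != [None]:                   # e.g. a WITH operator or a stray ')'
        raise ValueError(f"unexpected token {toks[0]!r}")
    return cnf, order

def simplify(expr):
    cnf, order = to_cnf(expr)
    # Absorption: A AND (A OR B) == A, so drop every clause that strictly contains another.
    kept = [c for c in cnf if not any(other < c for other in cnf)]
    kept.sort(key=lambda c: (len(c), sorted(order[i] for i in c)))
    parts = [" OR ".join(sorted(c, key=order.get)) for c in kept]
    return " AND ".join(f"({p})" if " OR " in p and len(parts) > 1 else p for p in parts)
```

Distributing `OR` over `AND` can grow the clause set quickly for deeply nested input, so this suits the flat per-crate expressions joined with `AND` that the message describes.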