Hi,

After talking to people on Arch Linux IRC channels (mpan in particular)
about this, they recommended I contact you directly about this, since it
affects many packages (so filing a bug on any specific package wasn't really
appropriate).

Arch only packages the final binary crates for Rust (as opposed to separate
packages for every single Rust dependency, which would rightfully drive
people crazy). As a result, you only get one single package that contains
many libraries.

Lets take an example: ripgrep, which links to ~53 dependencies (maybe less,
not all dependencies are used on all platforms, etc). Many of these
dependencies use MIT license or similar that requires:

> The above copyright notice and this permission notice shall be included in
> all copies or substantial portions of the Software.

Looking in /usr/share/licenses/ripgrep I only see the copyright notice
for ripgrep itself. This is a bit of a problem.

Similarly, one of it's dependencies is unicode-ident which uses
"Unicode-DFS-2016" as it's license. That is missing. encoding_rs is
"(Apache-2.0 OR MIT) AND BSD-3-Clause" (which may collapse down to MIT, not
sure, I am not a lawyer).

So I can see two problems here:

1. Copyright notices that need to be included for dependencies, aren't.
2. The SPDX expression may be incorrect (missing some things from
   dependencies that should be included).

Looking at some other packages (not just ripgrep) I see similar issues
across all of those packages.

Now, for something like rust it would be impossible to require the
maintainers to handle this by hand. So lets talk solutions.

* There is cargo-about (already packaged in Arch, also has suspect
  license/copyright info). It doesn't do quite what you want: Given a
  config and a handlebar template it will generate an HTML page with all
  the licenses you use. It will collapse "OR" in the license info based on
  a priority list of which licenses you prefer.

  You could perhaps wrangle the handlebar template to generate a text
  file instead of a HTML file, not sure. It can also output a JSON file
  instead though (I have used that at my dayjob for license compliance).

  While it is a good solution, it is not a drop-in solution without
  additional scripting on top (and you need to specify accepted licenses
  for your project).

* I believe Fedora has some automated tooling based on this comment by a
  Fedora packager: https://users.rust-lang.org/t/psa-check-if-your-cargo-crates-are-clean-and-tagged/109264/25

  That is for the SPDX expression. I have not looked into the details of
  their tooling.

* Debian probably have thought about this too, they tend to be rather
  careful (some may say up-tight even) about this sort of issues. It might
  be worth checking out what they did.

I'd like some automated tooling that works for AUR too, I maintain some
Rust packages there (some of which I'm also the upstream for). For that
reason, I'd be happy to stay "in the loop" on this issue as well as
possibly help (time and energy permitting, due to recently recovering from
burnout, energy tends to vary on a day to day basis), rather than treating
it as a one-off issue report.

Is it a high priority issue? No.
Should it be solved eventually? Yes, for legal reasons.

Best regards,
Arvid Norlander
(Arch Linux user and Rust / C++ software developer)