On 07-04-2024 13:10, Jan Alexander Steffens (heftig) wrote:
Hi Arvid,
Thanks for bringing this issue to my attention and your detailed email about it. I'm CC'ing our public development mailing list in this response so our other maintainers get informed, too.
I agree that Arch needs a solution for this eventually. Unlike Fedora we do not package Rust libraries so I think we need some help from Cargo for this. Preferably from upstream, but a third-party tool would work as well.
Ideally, I think we would create an SPDX license expression from the entire crate tree and then simplify it, e.g. to turn `(MIT) AND (MPL-2.0 OR MIT) AND (MIT AND BSD-2-Clause) AND (MPL-2.0 OR BSD-3-Clause)` into `MIT AND BSD-2-Clause AND (MPL-2.0 OR BSD-3-Clause)`. Or perhaps even simpler if the tool had knowledge about which licenses are covered by others.
We could call such a tool in the `package()` function to set the `license` for the package.
I'm not sure how feasible this would be. Are crates required to use SPDX expressions?
Greetings, Jan
Hey,
Replying on the general mailing list since the dev list is staff only.
The license field of the pacman package is actually only a secondary concern. Many libraries have a license that requires shipping the copyright information along with binary distributions (such as MIT and BSD licenses). This is more than just the name or SPDX identifier of the license. Usually, it is included at the top of a license file and it would look like this:
Copyright (c) 2024, Maarten de Vries
There are tools to help with this:
https://crates.io/crates/cargo-bundle-licenses
https://crates.io/crates/cargo-lichking
Personally I think having an incomplete SPDX identifier in the pacman package is not in itself a license violation as long as the individual license files are shipped with the package. Although it would certainly be nice for tooling if the package information is complete too.
Kind regards, Maarten de Vries
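The simplification step from the quoted message, sketched as an added example that is not part of the thread and not taken from any Arch or Cargo tool: the combined expression is parsed into an AND of OR-clauses, and any clause that contains a smaller clause is dropped (absorption). The names `to_cnf` and `simplify` are hypothetical; only license ids, `AND`, `OR` and parentheses are handled (`WITH` is rejected), and the output order is normalised alphabetically rather than preserved.

```python
import re

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.:+-]+")

def to_cnf(expr):
    """Parse an SPDX expression into a set of clauses (AND of ORs).
    Each clause is a frozenset of alternative license ids."""
    tokens = TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def advance():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = advance() if peek() is not None else None
        if tok == "(":
            inner = or_expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            advance()
            return inner
        if tok in (None, ")", "AND", "OR", "WITH"):
            raise ValueError(f"unexpected token {tok!r}")
        return {frozenset([tok])}

    def and_expr():                      # AND binds tighter than OR
        clauses = atom()
        while peek() == "AND":
            advance()
            clauses = clauses | atom()   # AND: keep the clauses of both sides
        return clauses

    def or_expr():
        clauses = and_expr()
        while peek() == "OR":
            advance()
            rhs = and_expr()
            clauses = {a | b for a in clauses for b in rhs}  # distribute OR over AND
        return clauses

    result = or_expr()
    if pos != len(tokens):
        raise ValueError(f"unsupported or trailing token {tokens[pos]!r}")
    return result

def simplify(expr):
    clauses = to_cnf(expr)
    # Absorption: "MIT AND (MPL-2.0 OR MIT)" is already satisfied by "MIT".
    kept = sorted((c for c in clauses if not any(o < c for o in clauses)),
                  key=lambda c: (len(c), sorted(c)))
    parts = [" OR ".join(sorted(c)) for c in kept]
    return " AND ".join(f"({p})" if " OR " in p and len(kept) > 1 else p for p in parts)
```

This does not cover the second idea in the message, knowing which licenses are covered by others, which needs license-specific data rather than boolean algebra.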