Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix URLs that were redirecting to another license #1662

Merged
merged 1 commit into from
Sep 18, 2023

Conversation

EliahKagan
Copy link
Contributor

@EliahKagan EliahKagan commented Sep 17, 2023

All the opensource.org BSD license URLs at the top of source code files in this project had originally pointed to a page on the 3-clause BSD license that this project used and continues to use.

But over time the site was apparently reorganized and the link became a redirect to the page about the 2-clause BSD license. Because it is identified only as the "BSD license" in the comments in this project that contain the links, this unfortunately makes it so those top-of-file comments all wrongly claim that the project is 2-clause BSD licensed.

To be more specific, bisecting archivals reveals that the change apparently occurred sometime between 29 April 2011 and 5 June 2011.

This fixes the links by replacing them with the current URL of the opensource.org page on the 3-clause BSD license. The current URL contains "bsd-3-clause" in it, so this specific problem is unlikely to recur with that URL (and even if it did, the text "bsd-3-clause is information that may clue readers in to what is going on).

There may be other changes that could be made in the future to further clarify the license. For example, in setup.py, the license name is passed as BSD. There may be a more specific name that can be used and that PyPI and/or common tools will recognize for the 3-clause BSD license name. (If any SPDX name can be used, which I think it can, then this is definitely so. However, a more specific classifier does not appear available.) But that's not actually a bug--it's not referring to a specific different license--and this PR does not make any such changes. Other than how I permitted my editor to remove trailing whitespace in the files it was saving, this pull request is strictly limited to updating those URLs.

This also affects numerous URLs in gitdb, for which I have opened gitpython-developers/gitdb#96. It does not affect smmap.

All the opensource.org BSD license URLs at the top of source code
files in this project had originally pointed to a page on the
3-clause BSD license that this project used and continues to use.

But over time the site was apparently reorganized and the link
became a redirect to the page about the 2-clause BSD license.
Because it is identified only as the "BSD license" in the comments
in this project that contain the links, this unfortunately makes it
so those top-of-file comments all wrongly claim that the project is
2-clause BSD licensed.

This fixes the links by replacing them with the current URL of the
opensource.org page on the 3-clause BSD license. The current URL
contains "bsd-3-clause" in it, so this specific problem is unlikely
to recur with that URL (and even if it did, the text "bsd-3-clause
is information that may clue readers in to what is going on).
EliahKagan added a commit to EliahKagan/gitdb that referenced this pull request Sep 17, 2023
This is the gitdb part of the fix for the top-of-file license URLs
that have come to point to a page about a related but different
license from the one GitPython and gitdb are (intended to be)
offered under.

See gitpython-developers/GitPython#1662
for details about the problem and how it came about.
EliahKagan added a commit to EliahKagan/gitdb that referenced this pull request Sep 17, 2023
This is the gitdb part of the fix for the top-of-file license URLs
that have come to point to a page about a related but different
license from the one GitPython and gitdb are (intended to be)
offered under.

See gitpython-developers/GitPython#1662
for details about the problem and how it came about.
@Byron Byron added this to the v3.1.37 - Bugfixes milestone Sep 18, 2023
@Byron
Copy link
Member

Byron commented Sep 18, 2023

Thanks a million! It's quite amazing for how long some of these bugs can hide, but also, that a site that hosts licenses is willing to change a 3-clause BSD into a 2-clause BSD license, which seems like a breaking change.

@Byron Byron merged commit 7d88c89 into gitpython-developers:main Sep 18, 2023
@EliahKagan
Copy link
Contributor Author

I would consider that a bug rather than a breaking change, whether or not it was intentional. I suspect it was not intentional, or at least that the effect was not intended. Looking at archive.org saves of the page, it looks like it had at one time been the only "BSD license" listed on opensource.org, back when the OSI had formally approved the 3-clause license but not yet the 2-clause license, or something like that. The page was updated to mention prominently that, in choosing a license, the third clause can be removed and the result is still an open source license. Then it later became a page for the 2-clause license. So the page may have appeared, to people maintaining the site, to be a general page not specific to any one version of the BSD license.

My guess is that, in addition, the mindset at the time was oriented toward informing people of what OSI-approved licenses they might choose for their software, rather than identifying a specific license to communicate that it has been used. I don't think this diminishes the bug, but it may help explain it, because that view would explain the idea that noting that there is a 3-clause version and linking to it (which the page does) would be sufficient. That is enough to inform people of what licenses exist, but not enough to inform people of what license someone is trying to tell them about.

Anyway, I think this could still be fixed in opensource.org. The old URL is a redirect, and it could be made to go to a disambiguation page, or to go to its current target but with some ?name=value query string added that causes the server to include a note at the top, and so forth. I might at some point manage to look into whether anyone has reported this as a bug and how to do so.

@EliahKagan EliahKagan deleted the license-ambiguity branch September 18, 2023 06:58
renovate bot referenced this pull request in allenporter/flux-local Sep 23, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [GitPython](https://togithub.com/gitpython-developers/GitPython) |
`==3.1.36` -> `==3.1.37` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/GitPython/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/GitPython/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/GitPython/3.1.36/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/GitPython/3.1.36/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>gitpython-developers/GitPython (GitPython)</summary>

###
[`v3.1.37`](https://togithub.com/gitpython-developers/GitPython/releases/tag/3.1.37):
- a proper fix CVE-2023-41040

[Compare
Source](https://togithub.com/gitpython-developers/GitPython/compare/3.1.36...3.1.37)

#### What's Changed

- Improve Python version and OS compatibility, fixing deprecations by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1654](https://togithub.com/gitpython-developers/GitPython/pull/1654)
- Better document env_case test/fixture and cwd by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1657](https://togithub.com/gitpython-developers/GitPython/pull/1657)
- Remove spurious executable permissions by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1658](https://togithub.com/gitpython-developers/GitPython/pull/1658)
- Fix up checks in Makefile and make them portable by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1661](https://togithub.com/gitpython-developers/GitPython/pull/1661)
- Fix URLs that were redirecting to another license by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1662](https://togithub.com/gitpython-developers/GitPython/pull/1662)
- Assorted small fixes/improvements to root dir docs by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1663](https://togithub.com/gitpython-developers/GitPython/pull/1663)
- Use venv instead of virtualenv in test_installation by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1664](https://togithub.com/gitpython-developers/GitPython/pull/1664)
- Omit py_modules in setup by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1665](https://togithub.com/gitpython-developers/GitPython/pull/1665)
- Don't track code coverage temporary files by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1666](https://togithub.com/gitpython-developers/GitPython/pull/1666)
- Configure tox by [@&#8203;EliahKagan](https://togithub.com/EliahKagan)
in
[https://github.com/gitpython-developers/GitPython/pull/1667](https://togithub.com/gitpython-developers/GitPython/pull/1667)
- Format tests with black and auto-exclude untracked paths by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1668](https://togithub.com/gitpython-developers/GitPython/pull/1668)
- Upgrade and broaden flake8, fixing style problems and bugs by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1673](https://togithub.com/gitpython-developers/GitPython/pull/1673)
- Fix rollback bug in SymbolicReference.set_reference by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1675](https://togithub.com/gitpython-developers/GitPython/pull/1675)
- Remove `@NoEffect` annotations by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1677](https://togithub.com/gitpython-developers/GitPython/pull/1677)
- Add more checks for the validity of refnames by
[@&#8203;facutuesca](https://togithub.com/facutuesca) in
[https://github.com/gitpython-developers/GitPython/pull/1672](https://togithub.com/gitpython-developers/GitPython/pull/1672)

**Full Changelog**:
gitpython-developers/GitPython@3.1.36...3.1.37

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/allenporter/flux-local).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45Ny4xIiwidXBkYXRlZEluVmVyIjoiMzYuOTcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Oct 11, 2023
…opers#1659

When gitpython-developers#1659 was updated to pick up linting configuration changes, it
inadvertently undid one of the URL changes made in gitpython-developers#1662, putting
the URL in the git.exe module back to the one that redirects to a
different BSD license from the one this project uses.

Since only that one module was affected, the fix is simple. This
only changes the URL back; it doesn't undo any other gitpython-developers#1659 changes.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Oct 11, 2023
…opers#1659

When gitpython-developers#1659 was updated to pick up linting configuration changes, it
inadvertently undid one of the URL changes made in gitpython-developers#1662, putting
the URL in the git.exc module back to the one that redirects to a
different BSD license from the one this project uses.

Since only that one module was affected, the fix is simple. This
only changes the URL back; it doesn't undo any other gitpython-developers#1659 changes.
Byron added a commit that referenced this pull request Oct 12, 2023
otc-zuul bot pushed a commit to opentelekomcloud-infra/eyes_on_docs that referenced this pull request Oct 25, 2023
Bump gitpython from 3.1.35 to 3.1.37

Bumps gitpython from 3.1.35 to 3.1.37.

Release notes
Sourced from gitpython's releases.

3.1.37 - a proper fix CVE-2023-41040
What's Changed

Improve Python version and OS compatibility, fixing deprecations by @​EliahKagan in gitpython-developers/GitPython#1654
Better document env_case test/fixture and cwd by @​EliahKagan in gitpython-developers/GitPython#1657
Remove spurious executable permissions by @​EliahKagan in gitpython-developers/GitPython#1658
Fix up checks in Makefile and make them portable by @​EliahKagan in gitpython-developers/GitPython#1661
Fix URLs that were redirecting to another license by @​EliahKagan in gitpython-developers/GitPython#1662
Assorted small fixes/improvements to root dir docs by @​EliahKagan in gitpython-developers/GitPython#1663
Use venv instead of virtualenv in test_installation by @​EliahKagan in gitpython-developers/GitPython#1664
Omit py_modules in setup by @​EliahKagan in gitpython-developers/GitPython#1665
Don't track code coverage temporary files by @​EliahKagan in gitpython-developers/GitPython#1666
Configure tox by @​EliahKagan in gitpython-developers/GitPython#1667
Format tests with black and auto-exclude untracked paths by @​EliahKagan in gitpython-developers/GitPython#1668
Upgrade and broaden flake8, fixing style problems and bugs by @​EliahKagan in gitpython-developers/GitPython#1673
Fix rollback bug in SymbolicReference.set_reference by @​EliahKagan in gitpython-developers/GitPython#1675
Remove @NoEffect annotations by @​EliahKagan in gitpython-developers/GitPython#1677
Add more checks for the validity of refnames by @​facutuesca in gitpython-developers/GitPython#1672

Full Changelog: gitpython-developers/[email protected]



Commits

b27a89f fix makefile to compare commit hashes only
0bd2890 prepare next release
832b6ee remove unnecessary list comprehension to fix CI
e98f57b Merge pull request #1672 from trail-of-forks/robust-refname-checks
1774f1e Merge pull request #1677 from EliahKagan/no-noeffect
a4701a0 Remove @NoEffect annotations
d40320b Merge pull request #1675 from EliahKagan/rollback
d1c1f31 Merge pull request #1673 from EliahKagan/flake8
e480985 Tweak rollback logic in log.to_file
ff84b26 Refactor try-finally cleanup in git/
Additional commits viewable in compare view




Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Reviewed-by: Vladimir Vshivkov
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 3, 2023
This improves the consistency of top-of-module comments as follows:

- All names of the current file are removed. Some included these
  while others didn't. In general, this can be useful information,
  which can remind readers and developers of what the file is and
  may even reduce mistakes. However, in GitPython, many modules
  inside git/ have the same name as other modules in other
  subdirectories of git/. So the presence of filenames would
  often be the same for multiple files, a condition that would be
  intensified if consistency were achieved by adding them
  everywhere. This instead removes them, which should (albeit
  slightly) decrease the risk of confusing modules that have the
  same name as each other.

- All modules (.py files) inside git/ and test/, except for .py
  files that are entirely empty (without even comments) or are
  inside test/fixtures/, now have comments indicating the license
  and linking to it on opensource.org. Previously, some modules
  had this, while others did not.

The comment about the license is short, and does not contain an
explicit copyright statement. No new explicit copyright statements
are added, but some top-of-modules already contained them, and this
does not remove (nor update or otherwise modify) them.

Although explicit copyright statements are not touched, all the
license comments are modified, including where they had previously
appeared, to say "the 3-Clause BSD License" instead of
"the BSD License", since there is no specific license known as the
"BSD License" (and both the 2-clause and 3-clause BSD licenses are
very popular).

This change should not be confused with gitpython-developers#1662, which fixed an
originally correct hyperlink that had come to redirect to a page
about a different license. The change here does not change the link
again. It makes the commented wording more specific, so that it is
clear, even without looking at the link, which BSD license is being
referred to.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 3, 2023
This improves the consistency of top-of-module comments as follows:

- All names of the current file are removed. Some included these
  while others didn't. In general, this can be useful information,
  which can remind readers and developers of what the file is and
  may even reduce mistakes. However, in GitPython, many modules
  inside git/ have the same name as other modules in other
  subdirectories of git/. So the presence of filenames would
  often be the same for multiple files, a condition that would be
  intensified if consistency were achieved by adding them
  everywhere. This instead removes them, which should (albeit
  slightly) decrease the risk of confusing modules that have the
  same name as each other.

- All modules (.py files) inside git/ and test/, except for .py
  files that are entirely empty (without even comments) or are
  inside test/fixtures/, now have comments indicating the license
  and linking to it on opensource.org. Previously, some modules
  had this, while others did not.

The comment about the license is short, and does not contain an
explicit copyright statement. No new explicit copyright statements
are added, but some top-of-modules already contained them, and this
does not remove (nor update or otherwise modify) them.

Although explicit copyright statements are not touched, all the
license comments are modified, including where they had previously
appeared, to say "the 3-Clause BSD License" instead of
"the BSD License", since there is no specific license known as the
"BSD License" (and both the 2-clause and 3-clause BSD licenses are
very popular).

This change should not be confused with gitpython-developers#1662, which fixed an
originally correct hyperlink that had come to redirect to a page
about a different license. The change here does not change the link
again. It makes the commented wording more specific, so that it is
clear, even without looking at the link, which BSD license is being
referred to.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants