-
Notifications
You must be signed in to change notification settings - Fork 199
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hackage rejects valid SPDX license bzip2-1.0.6 #1294
Comments
the bzip license is a valid spdx identifier, and is parsed as such. however, it appears to be neither on https://opensource.org/license or https://www.gnu.org/licenses/license-list.en.html which means it is neither osi nor fsf approved, which is our Source of Truth for what licenses are allowed to be uploaded to hackage. See https://hackage.haskell.org/package/Cabal-syntax-3.10.2.0/docs/Distribution-SPDX-LicenseId.html#v:licenseIsOsiApproved for the implementation of those functions. |
Well, this code is uploaded 3 times to hackage already with an incorrect license:
So should we keep lying about the license? |
hrm i think for these it really should be a joint license -- one for the haskell code, and one for the bzlib code. in all cases the haskell code is intended as bsd-3, but the bundled code is bzip2, but of course we didn't used to be able to express compound licenses, although I think we now can? To do things right we can add a special bzip exception to the hackage license check, if we're comfortable with it. I think that would require understanding why the bzip2 license is not osi/fsf approved -- I think its the patent clause that deviates? Curious what others may think! |
The reason is probably that OSI requires a tedious license review process through a mailing list from the 80s and no one really cares what the OSI thinks. |
@hasufell please edit your comments so that I don't have to report them for harassment. I suggest being more accurate in your assertions and more understanding in your assessment of complex issues. |
OSI and FSF have actual legal professionals working for them, their opinions carry weight. I disagree with straying from authoritative sources. OSI Licence Review process promises a decision in a timely fashion (normally sixty days from submission). Anyone can submit a licence, not only the original author. Have you considered stewarding it yourself? I can help with the process if you are extremely busy. |
No, not unless you can explain what about them is harassment. That is a pretty severe allegation. None of my comments are ad-hominem or discriminate anyone. I do think the OSI is mostly irrelevant when it comes to accepting licenses. That is my opinion.
No interest.
Yeah, I can't work with that in the light of a CVE. |
The immediately available solution is to put |
Yeah that trick seems to work: https://hackage.haskell.org/package/bzip2-clib-1.0.8.0.99/candidate But that won't work with newer cabal formats. |
Relevant code: hackage-server/src/Distribution/Server/Packages/Unpack.hs Lines 506 to 526 in 7ca3dd8
And in Cabal-syntax: |
Now that the pr is up, my thoughts are I'm ok with this, because I don't think osi will approve it (doesn't fall under legacy standards because too specific to one project, and certainly doesn't fall under new standards). I'm open to merging the pr, but would like to see if anyone has further thoughts. I know @phadej worked on some of this in the past as well, and @hvr though not very active may want to weigh in. |
AFAICT, Bzlib (https://spdx.org/licenses/bzip2-1.0.6.html) is essentially the same as BSD-4-Clause (https://spdx.org/licenses/BSD-4-Clause.html), latter is fsf libre license. -The name of the author may not
-be used to endorse or promote products derived from this software without specific prior written permission.
+Neither the name of the copyright holder nor the names the copyright holder nor the names of its contributors may
+be used to endorse or promote products derived from this software without specific prior written permission. See https://en.wikipedia.org/wiki/BSD_licenses#4-clause_license_(original_%22BSD_License%22)
Also https://www.gnu.org/licenses/license-list.html#OriginalBSD I'd emphasize recommends developers not use the license, though it states there is no reason not to use software already using it. I'd say, as BSD-4-Clause is there, than allowing the bzlib license just for At least in the perspective that e.g. ... but nobody cares (I guess I could as a copyright owner of |
I have read this thread and I merged the PR since a couple of months have passed and nobody voiced any additional concerns. |
Error:
License: https://github.com/hasufell/bzip2-clib/blob/bd9965afdf2799943369c6ecd4d9afa8eace8584/bzip2-clib.cabal#L5
SPDX: https://spdx.org/licenses/bzip2-1.0.6.html
The text was updated successfully, but these errors were encountered: