Why no license file? #1
Comments
|
I acknowledge that there might be some subtle legal ramifications with not having the license text with the source code. I'll happily revisit this issue at such a point that legal disputes become a real issue. |
|
The technique employed herein allows the license to be simply declared as a reference to a known license that is reflected in the metadata and available in PyPI and at run time. For example: |
|
@jaraco So when you do not include such license text in your packages (including down to the wheels and not only the sdist) your are in a bizantyne way making every user non-licensed? unless --like I do-- you recheck and add back a license text to your packages, e.g. https://github.com/nexB/scancode-toolkit/blob/develop/thirdparty/prod/yg.lockfile.LICENSE . I end up having to go through the hoops of crafting one by guessing your intent.... Yeah! I am licensed! but millions of your users may not be properly licensed to use your wares. |
|
As I understand it, to be in compliance, a license must be included with each and every file. Most people accept that such an approach is generally unsustainable, so they cheat by including the license near the files and possibly (though rarely) referencing the license from each of the files. I maintain enough packages that the same sustainability problem applies to each project as well. It's for this reason that I've created a separate repository just to maintain the skeleton of the projects. To that end, I could lean on this skeleton to copy the license and ensure that it's included in wheels and installs, but even then, I'd probably still not be technically in compliance with the legal standards. The attribution and copyright would probably still need to be individually maintained. So perhaps you're right, that technically these packages appear unlicensed, but I still assert that no legal challenge to the licensing of these projects will ever come under legal scrutiny. The intention is clear and unambiguous. Even with wheel installs, the license is indicated in the package metadata, so every file affiliated with the installed package is linked explicitly to the license. I forget in which package someone mentioned it, but I pointed out that if Python Packaging or the larger Open Source community were to come up with a way to either embed or (preferably) declare a license and tooling to manage the cascading of that license through the packaging and distribution chains, I'd be all for adopting that, but I'm not interested in doing the tedious busy work required to comply manually still to only be somewhat compliant. |
|
Is there anyone who seriously believes that if I (as copyright owner) were to challenge another's incorporation or use of the code in court that they couldn't use that metadata to defend their right to use the code according to the terms of the MIT license? If someone can show precedent of such a case, I'll concede and include the license text. |
|
@jaraco
There is no such precedent. It is just that dealing with exceptions (as in this project is MIT-licensed, but does-not-have-a-license-text) is a tad harder. And since one or more of your packages are eventually used in every python app and installation, you are at the bottom of the stack which has some consequences:
You wrote:
FWIW the MIT does not require you to copy anything in each file. A single copy of the text is enough.
And if you want a concise mention in every file, you could use this blessed approach: See https://spdx.org/sites/cpstandard/files/pages/files/using_spdx_license_list_short_identifiers.pdf
I guess this was me here: pombredanne/spdx-pypi-pep#1 So for now, I guess you can do as you like and leave your ways as they are. You are correct that we should best come with a common way that can work for everyone first. Thank you ++ for your code and for taking the time to reply here! |
|
What if the MIT license changes its text to something you don't agree with? As far as I know, many licenses don't version themselves. Having the actual license text guarantees that no matter what the source license changes to, you're sticking to the license in your code. |
Then I will correct the situation, and update the license to reference another resource with the intended license or maybe I'll consider bundling the license then. |
This package is licensed MIT but the original author doesn't seem to understand how to use MIT, so there is no provided license file. Since this quite prolific author is opposed to following the standard license management practices (and indeed those likely mandated by the text of the license itself) I leave here in this commit message a pointer to where numerous people have tried to convince the author to just use the license in the manner in which it was designed. No one has thus far been successful... jaraco/skeleton#1
|
I'm trying to use cherrypy in an embedded linux distribution for a controller board in an industrial application and that distribution will be built using the yocto/openembedded build platform. CherryPy indirectly depends on portend So I have to write a bitbake recipe to pull portend from pypi In order to write a bitbake recipe and have it run without fatal QA errors I need to provide it with a license file URL in the unpacked source tree and an md5sum of that file. Please consider reopening this issue and provide a license file. Thank you. |
That sounds to me like a defect in bitbake. Is there an option for bitbake to indicate "project doesn't bundle a license file because it more consisely links to its license" or even better for bitbake to automatically detect that the license is declared in the metadata for the package? I presume the answer is no, in part because there's no endorsed standard. And there's little motivation for someone to create a standard because the status quo is to bully every project into copying the license file into their project. So fine. I'm sufficiently bullied. I'll put the license file in the skeleton and copy it across all the projects. If it falls out of sync with the declared license, I'll leave it to the lawyers to figure it out. |
…uptools-scm#212. Jason R. Coombs (65): Set the origin date once and forget it. Add python_requires directive. Don't bother with copyright year(s). Let the repository history track the changes and copyright years. YAGNI. Include the project (for docstrings). Include Sphinx (for environments where it's not an implied provision). Include pytest-sugar for nicer test output. Rely on jaraco.packaging for loading the package metadata from the package for Sphinx. Use single-quotes to satisfy the style nazis. The requirement is no longer needed for tests. Add readthedocs yml file Move requirements for docs and testing into extras Add appveyor script for CI testing on Windows. Require tox 2.4 or later; fixes #2. Remove namespace_packages declaration, no longer needed. Use a simple build number rather than prefixing with '1.0.' Restore support for namespace package declaration, selected on a 'nspkg_technique' setting Inspired by pypa/setuptools#1059, use the preferred bdist_wheel heading. Check the docs during tests Use stages in travis to have deployment depend on success in all Python versions. Remove 'bootstrap', artifact from setuptools --add doesn't work in a list Add a license file. Fixes jaraco/skeleton#1. Remove downloads shield, no longer available. Add documentation badge. Normalize indentation in docs/conf.py Declare 'python' factor at top level Correct travis syntax reference the license file in metadata Use https Add build-docs env in tox. Run only default environment by default. To support namespace packages, Setuptools must be 31.0.1. This change is necessary with the adoption of tox-venv, which uses Python's venv, which does not install the latest setuptools by default. Need to avoid .eggs in recursing dirs. Ref pypa/setuptools-scm#212. Use tox-venv for future compatibility. Disable pytest-sugar until Teemu/pytest-sugar#133 is addressed. Bring back pytest-sugar with a minimum version to support Pytest 3.4. Save the pip cache across builds. Ref pypa/setuptools#1279. Add workaround for build failures on Python 3.7 (yaml/pyyaml#126). Run flake8 with tests. Add flake8 config to ignore common exclusions. Add comments to testing and docs extras to aid with merges. Add appveyor badge (commented). Disable RTD by default. Limit workaround to affected Python Bump minimum pytest version Add pyproject.toml declaring build dependencies. When ignoring linter warnings, document the reason. Merge https://github.com/jaraco/skeleton Drop support for Python 2.6 Feed the hobgoblins (delint). dos2unix Fix test failures by restoring working directory in fixtures. Fix test failures in checkdocs Remove setuptools plugin Use behavior from other packages dos2unix Use relative import Use packaging for version parsing Drop support for Python 2.7 and 3.4 Revert "Remove setuptools plugin" Revert "Drop support for Python 2.7 and 3.4" Update changelog Use new style classes through the lib. Revert "Use packaging for version parsing" Revert "Use behavior from other packages" Rename util to _vendor Update iter_subclasses to latest version from jaraco.classes Update one from more_itertools Update changelog
…1.4.1
David Aguilar (56):
tests: add tests for pandas Series with multi indexes
pandas: improve serialization for Series objects
pandas: improve serialization for Series objects
pandas: add more tests for pandas.Series multi-indexes
tests: add enum tests demonstrating more supported use cases
jsonpickle: improve serialization for non-string keys
pickler: simplify _flatten_key_value_pair()
jsonpickle: preserve dict order on Python3
travis: disable python3.5 for now
compat: support python3.4 + 3.5
docs: update author details
conf: wrap filter() in list()
unpickler: use only add or append, but not both
handlers: add a custom handler for array.array
bson: add tests demonstrating incremental restoration
datetime: use ISO format for string representation
tests: add a unit test demonstrating Exceptions that take arguments
pickler: document the numeric_keys keyword argument
jsonpickle: add `indent` and `separators` to `encode()`
tests: make sure we can skip the bson tests
tests: add the Wizard tests from #92
tests: flake8 tweaks for the wizard tests
tests: add a test to ensure numpy.random.random() is supported
Makefile: pass flags as late as possible
Makefile: fix "make tox V=1"
Makefile: mention "tox" in "make help"
Makefile: run tox in parallel
tox: sort env-specific sections
jsonpickle: python3.8 support
travis: python3.8
travis: run tests serially
docs: Python3.8 support
requirements-dev.txt: add pytest-black and pytest-flake8
.gitignore: cleanup and ignore .eggs + docs/build
Makefile: clean __pycache__ cruft
.gitignore: ignore .coverage
travis: set latest_py to 3.8
Revert "Finish dropping support for Python 2 (I hope)."
Python 2.7 compatibility
coverage: customize for jsonpickle
Makefile: update for skeleton semantics
requirements+setup: prepare for davvid/skeleton
README.rst: document the multi-version "make tox multi=1" feature
Makefile: pair down "make tox multi=1" versions to sensible versions per davvid/skeleton
Makefile: improve cpu detection on macOS
Makefile: document make tox mulit=1
Makefile: update tox --parallel comment
tox: guard against parallel pytest coverage execution
coverage: lock down to coverage 4
Revert "Prefer pytest-black to pytest-black-multipy"
Makefile: clean coverage during "make tox multi=1"
requirements-dev: pytest-cov requires coverage<5
Makefile: remove obsolete "check" target
jsonpickle: allow importing from the source tree
Makefile: update tox --parallel comment
version: catch OSError for Python 3.8 importlib_metadata support
Hugo (1):
Fix AppVeyor typo
Hugo van Kemenade (2):
Spelling and capitalisation (#8)
Link badge to PyPI rather than static image
Jason R. Coombs (188):
Generate project skeleton
Remove the package from the skeleton. It has no value.
Add gitignore. Make .hgignore empty - there's nothing here that's project specific.
Upon further reading, hg-git supports .gitignore, so omit .hgignore.
Update copyright
Learning from lessons in the keyring 8.4 release (jaraco/keyring#210), always clean the build artifacts before cutting a release.
Derive description, url, and namespace_packages from name
Add PyPI deployment
Remove duplicate provider line
Add support for linking to issues and adding datestamps to changelog entries.
Move Python 3.5 condition to 'on' section
Update comment to reflect the Github-backed skeleton model (preferred to the generation library-backed model).
Exclude the skeleton branch from testing
Add badges for PyPI, downloads, and Travis-CI.
Change indentation to match that which the travis tool generates when adding the password.
Use shields.io, as some of these other providers seem to have gone out of business.
Also add pyversions
Path is now .org
Update release process to use warehouse rather than legacy PyPI. Ref pypi/warehouse#1422.
The name of the project need not be in the README
No need for a .gitignore file; projects may want to add one, but I recommend not having one unless the project has project-specific files to ignore.
Remove support for building docs, now that docs support for pypi is deprecated. I hope at some point RTD comes up with an API that once again allows automatic building of docs.
Use tox instead of pytest-runner
Use pkg_resources to resolve the version. Requires that the necessary package metadata have been built before building docs.
Each requirement line is passed as a single parameter to pip, so you can't have a space separating the option and its value.
Python Packaging -- never do with one command what you can do with two.
Provide a reference to the license declaration in the readme. Fixes jaraco/skeleton#1.
Use usedevelop to workaround tox-dev/tox#373
Incorporate pre-release of setuptools to cause releases to include the PEP-420 deferral.
Just upgrade to released setuptools now.
Exclude versions of setuptools_scm due to pypa/setuptools-scm#109.
Allow passing posargs
Need a later version of setuptools_scm until it's released.
Update to setuptools_scm 1.15.0rc1
Gotta get an sdist - so use one jaraco built
Bump to setuptools_scm 1.15.0.
Update config to support building on ReadTheDocs
Add note about the broken docs problem.
Skip upload docs as it's deprecated anyway
Remove rant about docs. If there's no link to the docs, then this is the docs.
Prefer get_distribution
No longer rely on the package being installed to retrieve the version. Instead, load the project name and version by invoking the setup script.
Also get the URL from the project metadata
Also grab the author from the package metadata
Strip the trailing newline and then split on newline.
Default upload URL is now in Python 3.6. Use that.
setup is already present in the module name. Just call them params.
Use Python 3.6 by default
No longer rely on setup_requires for wheel.
Add PEP substitution in changelog.
Add support for Python 2.6 in docs conf
Set the origin date once and forget it.
Add python_requires directive.
Don't bother with copyright year(s). Let the repository history track the changes and copyright years. YAGNI.
Include the project (for docstrings). Include Sphinx (for environments where it's not an implied provision).
Include pytest-sugar for nicer test output.
Rely on jaraco.packaging for loading the package metadata from the package for Sphinx.
Use single-quotes to satisfy the style nazis.
The requirement is no longer needed for tests.
Add readthedocs yml file
Move requirements for docs and testing into extras
Add appveyor script for CI testing on Windows.
Require tox 2.4 or later; fixes #2.
Remove namespace_packages declaration, no longer needed.
Use a simple build number rather than prefixing with '1.0.'
Restore support for namespace package declaration, selected on a 'nspkg_technique' setting
Inspired by pypa/setuptools#1059, use the preferred bdist_wheel heading.
Check the docs during tests
Use stages in travis to have deployment depend on success in all Python versions.
Remove 'bootstrap', artifact from setuptools
--add doesn't work in a list
Add a license file. Fixes jaraco/skeleton#1.
Remove downloads shield, no longer available.
Add documentation badge.
Normalize indentation in docs/conf.py
Declare 'python' factor at top level
Correct travis syntax
reference the license file in metadata
Use https
Add build-docs env in tox.
Run only default environment by default.
To support namespace packages, Setuptools must be 31.0.1. This change is necessary with the adoption of tox-venv, which uses Python's venv, which does not install the latest setuptools by default.
Need to avoid .eggs in recursing dirs. Ref pypa/setuptools-scm#212.
Use tox-venv for future compatibility.
Disable pytest-sugar until Teemu/pytest-sugar#133 is addressed.
Bring back pytest-sugar with a minimum version to support Pytest 3.4.
Save the pip cache across builds. Ref pypa/setuptools#1279.
Add workaround for build failures on Python 3.7 (yaml/pyyaml#126).
Run flake8 with tests. Add flake8 config to ignore common exclusions. Add comments to testing and docs extras to aid with merges.
Add appveyor badge (commented). Disable RTD by default.
Limit workaround to affected Python
Bump minimum pytest version
Add pyproject.toml declaring build dependencies.
When ignoring linter warnings, document the reason.
Disable the (broken) IPv6 in Travis. Ref travis-ci/travis-ci#8361.
Don't match issues if preceeded by some other indicator.
skip_upload_docs is default
Drop the dot; http://blog.pytest.org/2016/whats-new-in-pytest-30/
Rely on declarative config to create long_description.
Remove workaround for pyyaml 126.
Revert "Remove workaround for pyyaml 126."
We're getting close, but Python 3.7 still requires a workaround
Use xenial to include support for Python 3.7.
Remove release, no longer needed. Use twine instead.
Also ignore W504 in flake8, following the indication in OCA/maintainer-quality-tools that neither W503 nor W504 are worthwhile in general.
Release of pyyaml 3.13 seems to have fixed install issues on Python 3.7.
Block pytest 3.7.3 due to pytest-dev/pytest#3888.
Move most package config to declarative config
Ignore pycodestyle warning. Seems it's not going to be fixed anytime soon.
Also ignore flake8 error
Require setuptools 34.4 to support python_requires in declarative config.
Add workaround for Teemu/pytest-sugar#159.
Add black config, pre-commit including black, check code with black.
Remove workaround for pytest-sugar 159, now fixed.
Remove pytest-sugar plugin from standard pipelines as recommended in Teemu/pytest-sugar#159.
Prefer pytest-checkdocs to collective.checkdocs
Suppress deprecation warning in docutils
Remove use of setup_requires. Builders now require pip 10 or later to build/install from sdist. Older installers will still install the packages from wheels. Ref tox-dev/tox#809.
Revert "Remove use of setup_requires. Builders now require pip 10 or later to build/install from sdist. Older installers will still install the packages from wheels. Ref tox-dev/tox#809."
Indicate build backend of setuptools
Add support for cutting releases without DPL and using pep517.
Rely on pep517 0.5
Add documentation on the skeleton. Fixes #5.
Add workaround for DeprecationWarning in flake8
Use consistent encoding quoting in pyproject.toml
Clarify purpose of local/upstream extras
Suppress E117 as workaround for PyCQA/pycodestyle#836
Amend skeleton documentation to expand on the value of the approach.
Remove sudo declaration in Travis config.
Enable tox-pip-extensions ext_venv_update if available. Fixes jaraco/skeleton#6
Rely on tox 3.2 and pip 10 or later for all builds
It adds no value to add a pip requirement for the tox install
Pin to pip 19.0 for now for pypa/pip#6434.
Revert "Pin to pip 19.0 for now for pypa/pip#6434."
Only install and invoke pytest-black on Python 3
Use pytest-black-multipy to enable simple support for pytest-black where available. Ref pytest-dev/pytest#5272.
Update skeleton documentation to reflect black adoption.
Rely on twine 1.13 or later
Upgrade tox and virtualenv to ensure that environments get recent pips
Define passenv in tox release section. Rely on __token__ for default username.
Update docs to reflect changes to deployment.
Python 3 only
Enable coverage reporting on project
Report the lines missing coverage
Ensure that a late version of pip is installed without special versions of tox-venv.
Disable tox-pip-version as it interacts badly with tox-venv causing tox to use the wrong Python version to install packages and run tests. Ref pglass/tox-pip-version#20 and tox-dev/tox-venv#40.
Bring back tox-pip-version now that pglass/tox-pip-version#20 is fixed.
Test/release on Python 3.8
Apply black to docs/conf.py
Update black version and links
Expect flake8 3.6 or later and remove suppression of warnings from Flake8 prior to 3.6.
Rely on pytest-checkdocs 1.2.3, eliminating workaround for docutils warning.
Remove workaround for gitlab.com/PyCQA/flake8/issues/275, apparently no longer necessary.
Normalize indentation
Include keyring support from twine
Rename 'build-docs' to simply 'docs' (matching more popular convention).
Prefer 'path' to 'path.py'
Cover Python 3.8 in Windows tests
Update black in pre-commit and add blacken-docs.
Test and release using Azure Pipelines
Correct guidance on project creation.
Rely on setuptools_scm 3.4 and setuptools 42. Now setup.py is optional. Remove setuptools from test environment.
Finish dropping support for Python 2 (I hope).
Normalize whitespace
Revert "setup.cfg: let python-tag mirror python_requires"
Declare pep518 build requirements. Fixes #290
Also declare the file in manifest to include it in the source dist.
👹 Feed the hobgoblins (delint).
Fade to black
Normalize whitespace
In jsonpickle.version, reflect the version from metadata.
Remove sphinxtogithub.
Replace changelog headings to match tagged releases. Now release dates are injected automatically during docs builds.
Replace references to jsonpickle.github.io to reference readthedocs.
Remove submodules and thirdparty.
Update to bionic for Travis. Correct comment about IPv6 workaround.
Run on the same python as tox by default.
Restore test execution on older Pythons.
By default, just run tests once. Only in CI run the matrix of envs.
Simplify test and development workflow based on tox.
Move sqlalchemy deps back to tox.
Update the bands so they're not overlapping, but key correctly into specific minor version.
Add 'sqlalchemy' as a standard test and defer to 'saNN' for older versions.
Don't bother testing on Python 3.4 as master doesn't and pandas tests fail.
Mark tests as xfail for now. Ref #281.
Suppress warnings in pytest-flake8, pytest-black, and pytest-checkdocs.
Prefer pytest-black to pytest-black-multipy
Test against Windows and Mac
Sebastian Kriems (1):
spaces, style and formatters (#4)
Sebastian Pipping (2):
readme: Fix syntax issue "Title underline too short"
readme: Inform about security implications
Vincent Fazio (1):
setup.cfg: let python-tag mirror python_requires
johnthagen (1):
Line wrap LICENSE file
layday (1):
Require toml extra for setuptools_scm (#12)
In many of the projects I maintain, I'm asked to create and maintain a license file separate from the license declaration in the metadata. I'd rather not paste a license file into the source, maintain the license declaration separately, and ensure that those stay in sync. In fact many times I've seen them fall out of sync. I'd like instead to have a single point where the license is referenced and let that serve as the authoritative indication of the license under which the project is released.
To communicate this, I'm filing this ticket with the project skeleton from which many of the projects I maintain is derived.
The text was updated successfully, but these errors were encountered: