proposal: cmd/go: add SPDX license list to go.mod file #46917
Comments
What happens when the licence annotation in go.mod doesn’t match the contents of the LICENSE file in the repo? What if the LICENSE file is missing? What if the LICENSE file is present but subtly modified?
All good questions. We already have these problems (not just Go, any repo): the text in a source file might not match the LICENSE file, there might be a license in some files but no LICENSE file, etc. Ultimately it's incumbent on the repo owner to ensure that everything is done properly w.r.t. licensing.
But you're proposing adding a go subcommand which uses this non-canonical information.
Not sure what you mean by "non-canonical" in this context. What's the canonical information? The LICENSE file? The license text in the source files? License information in a file called "foo license.txt"? I don't see how what I'm proposing is any "less canonical" than any other license information the repo owner adds to their repo.
You proposed
But as we've discussed, there is no way to ensure that the data in go.mod matches the LICENSE file. The latter is the canonical source of information for the licence the code is released under, but your proposal suggests using the former, non-canonical information from go.mod. If this proposal were accepted, people would parse go.mod, or expect JSON-style output from
Is it? Just by convention? What about license information in source files? There's no way to ensure that what's in the LICENSE file (if it exists) matches what's in the source files. It still falls on the repo owner to ensure it's consistent and correct. I don't see how this is any different.
Given it cannot be a required field, this would not obviate the need for something like go-licenses and instead makes its job more complex.
Also note that, for example, pkgsite can't use SPDX identifiers alone to verify licenses. See #40586 (comment). cc @jba @julieqiu. That pkgsite discussion belongs in a different thread for sure, but it's a clear datapoint that we can't just stop looking at license files.
Is that your opinion as a lawyer? Or are you just using common sense? IANAL, but the way it was explained to me by a lawyer: imagine a file that had "SPDX identifier: MIT" at the top but contained license text that, say, restricted redistribution. Are you sure a court of law would say, "Let's just ignore all this perfectly phrased, legally appropriate, crystal-clear text and only pay attention to that tiny, cryptic notation at the top"? Maybe that's what would happen, maybe it wouldn't. Maybe they would say that the repo owner messed up, so anything goes; or maybe they would hold the other party liable because here are actual words in a file in the repo that clearly say you're not allowed to do what you did.
We have plans to provide a good license detector for Go programs. For example, suppose you say only 'SPDX MIT' (or, as you find in some READMEs on GitHub, 'License: MIT'). This is a case where a second claimed source of truth that will inevitably become out of sync with the underlying one would be particularly unfortunate.
This proposal has been added to the active column of the proposals project |
Based on the discussion above, this proposal seems like a likely decline. |
No change in consensus, so declined. |
I would like to propose that an optional list of licenses be added to the go.mod file to allow a simple way to check license dependencies programmatically. It is also a great place to see what license a module uses.
SPDX allows us to specify licenses in a concise, standard, machine-readable manner.
So a go.mod file might look something like this:
Probably need a way to specify that the license isn't on the SPDX list as well.
One could even add a command to go mod (go mod licenses) to output a list of licenses used in the dependencies. I guess this would be a simpler form of go-licenses. This proposal avoids the problem of trying to guess license file names and parsing them to figure out the licenses.