Manually define dependency license type metadata not automatically specified #841
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ecified Background ---------- The "Licensed" dependency license checker tool uses the "licensee" tool to automatically determine the license type based on data contained in the dependency codebase. "licensee" checks several files for this data. The discovered data is recorded in the `licenses` sequence of the dependency license metadata cache file. It might find multiple sources of licensing data. The way "Licensed" handles this case is described as: https://github.com/github/licensed/blob/v5.0.1/docs/commands/status.md#checking-status-with-metadata-loaded-from-cached-files > If license: other is specified and all of the `licenses` entries match an `allowed` license a failure will not be > logged It is of course correct to treat the dependency as compatible under these conditions. However, the design of "Licensed" around the handling of multiple licensing data sources is not very user friendly: Lack of Transparency Re: Detected License Type ---------------------------------------------- Even though "Licensed" knows exactly which license type each of the sources was detected as, it does not record this data in the dependency license metadata cache file. Ambiguous Special License Type Identifier ----------------------------------------- When multiple license data sources are found, "Licensed" sets the license type for the dependency to `other` in the `license` key of the dependency license metadata cache file. Although it is correct for the tool to use a special identifier, unfortunately "Licensed" uses the same identifier for two significantly different cases: * license type was not identifiable from the data (e.g., modifications were made to standard license text) * multiple license types were identified from the data The better approach would be for "Licensed" to use a separate identifier for each of these situations (e.g., `other`, `multi`). Failure to Set License Type Even when Identified ------------------------------------------------ Even when all of the multiple data sources are identified as the same license type, "Licensed" still unnecessarily sets the `license` key of the dependency license metadata cache file to `other` instead of setting it to the identifier of the identified license. Problem ------- Project maintainers expect that an identified license type of `other` means that the license type could not be identified and that they must manually identify and set the license type in order for the compliance check to pass. They will be extremely concerned to find that the check is passing even though a dependency's license type is defined as `other`, as this appears to be a false negative (meaning that the system is not effectively enforcing compliance). The ambiguous special license type identifier and lack of information about the detected type of individual license data sources will make it impossible for them to understand why the check is passing despite the lack of a defined compatible license type, and so they will waste time troubleshooting what is actually a completely functional system. Resolution ---------- Always define the license type in the metadata cache, even when doing so is not required to get a passing check. In this case, all the dependencies previously assigned the `other` identifier due to having multiple license data sources actually had a single license type. So this was handled just the same as is done when a dependency is assigned an `other` identifier due to the license data not being machine identifiable.
per1234
added
type: enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
The Licensed dependency license checker tool uses the licensee gem to automatically determine the license type based on data contained in the dependency codebase. licensee checks several files for this data. The discovered data is recorded in the
licensessequence of the dependency license metadata cache file. It might find multiple sources of licensing data. The way Licensed handles this case is described as:https://github.com/github/licensed/blob/v5.0.1/docs/commands/status.md#checking-status-with-metadata-loaded-from-cached-files
It is of course correct to treat the dependency as compatible under these conditions. However, the design of Licensed around the handling of multiple licensing data sources is not very user friendly:
Lack of Transparency Re: Detected License Type
Even though Licensed knows exactly which license type each of the sources was detected as, it does not record this data in the dependency license metadata cache file.
Ambiguous Special License Type Identifier
When multiple license data sources are found, Licensed sets the license type for the dependency to
otherin thelicensekey of the dependency license metadata cache file.Although it is correct for the tool to use a special identifier, unfortunately "Licensed" uses the same identifier for two significantly different cases:
The better approach would be for Licensed to use a separate identifier for each of these situations (e.g.,
other,multi).Failure to Set License Type Even when Identified
Even when all of the multiple data sources are identified as the same license type, "Licensed" still unnecessarily sets the
licensekey of the dependency license metadata cache file tootherinstead of setting it to the identifier of the identified license.Problem
Project maintainers expect that an identified license type of
othermeans that the license type could not be identified and that they must manually identify and set the license type in order for the compliance check to pass. They will be extremely concerned to find that the check is passing even though a dependency's license type is defined asother, as this appears to be a false negative (meaning that the system is not effectively enforcing compliance).The ambiguous special license type identifier and lack of information about the detected type of individual license data sources will make it impossible for them to understand why the check is passing despite the lack of a defined compatible license type, and so they will waste time troubleshooting what is actually a completely functional system.
Resolution
Always define the license type in the metadata cache, even when doing so is not required to get a passing check.
In this case, all the dependencies previously assigned the
otheridentifier due to having multiple license data sources actually had a single license type. So this was handled just the same as is done when a dependency is assigned anotheridentifier due to the license data not being machine identifiable.