src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list #4898
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Before this commit, the license-list URL was floating, which lead to issues when manifest authors used IDs from the list that had not yet made it into crate.io's whitelist [1]. This commit pins both the SPDX-spec version (to avoid floating the license-expresion syntax) and the license-list version (to avoid floating the license/exception identifiers). I've also deprecated the / syntax, since it was not clear whether that was conjunctive (like AND) or disjunctive (like OR). crates.io is using license-exprs 1.3^ [2], and that version supports WITH, AND, OR, and the + suffix [3], so as far as crates.io-validation is concerned, the value can use vanilla license expressions. It's unfortunate that there's not an easily-browsable version of the 2.4 license list up anywhere canonical (as far as I know). Starting with the 3.0 license list, there's a Markdown page in the authoritative list-data repository [4]. I can also see about getting earlier versions of the HTML (e.g. [5]) up on spdx.org somewhere. I'm expecting the version-bump procedure will look something like: 1. SPDX cuts a new spec and/or license list release. 2. license-exprs updates to cover the change. 3. crates.io updates to depend on the new license-exprs version. 4. cargo updates the documentation to allow the new version. 5. authors read the new cargo docs and start using the new expression syntax and/or identifiers. There's a window there where crates.io will be validating to a different version than the cargo docs recommend, so it would be good to have 4 follow 3 as closely as possible. But the SPDX maintainers have been good about providing long deprecation windows, so a bit of a gap is acceptable. It's possible that crates.io will want to warn authors about their use of deprecated identifiers or syntax (e.g. the '/' I've deprecated here) so they can upgrade before the deprecated element is dropped (probably years after the initial deprecation). That would help limit the gap between 3 and 5 (although warnings sent before 4 might be confusing). The parallel edits to the two manifest files are based on Carol Nichols' recommendation. She points out on IRC that the goal is to drop the src/doc/manifest.md reference soon with the book up on doc.rust-lang.org/cargo today [6]. [1]: rust-lang#4888 [2]: rust-lang/crates.io#385 [3]: https://github.com/withoutboats/license-exprs/blob/5bdb5355540792234e10011b9bbe4766cd08ff26/src/lib.rs#L53-L56 [4]: https://github.com/spdx/license-list-data/blob/v3.0/licenses.md [5]: https://github.com/spdx/license-list-data/tree/v2.4/website [6]: https://botbot.me/mozilla/cargo/2018-01-04/?msg=95358280&page=2
wking
force-pushed
the
license-pin-spdx
branch
from
b4582d0
to
7dee65f
Compare
|
Deprecating |
Document [1] where authors can find it. [1]: ehuss/license-exprs#3
|
@bors: r+ Thanks! |
|
📌 Commit c89dd64 has been approved by |
bors
added a commit
that referenced
this pull request
Jan 4, 2018
src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list Before this commit, the license-list URL was floating, which lead to issues when manifest authors used IDs from the list that had not yet made it into crate.io's whitelist (#4888). This commit pins both the SPDX-spec version (to avoid floating the license-expresion syntax) and the license-list version (to avoid floating the license/exception identifiers). I've also deprecated the `/` syntax, since it was not clear whether that was conjunctive (like `AND`) or disjunctive (like `OR`). crates.io is [using license-exprs 1.3^][2], and [that version supports `WITH`, `AND`, `OR`, and the `+` suffix][3], so as far as crates.io-validation is concerned, the value can use vanilla license expressions. It's unfortunate that there's not an easily-browsable version of the 2.4 license list up anywhere canonical (as far as I know). Starting with the 3.0 license list, there's [a Markdown page in the authoritative list-data repository][4]. I can also see about getting [earlier versions of the HTML][5] up on spdx.org somewhere. I'm expecting the version-bump procedure will look something like: 1. SPDX cuts a new spec and/or license list release. 2. license-exprs updates to cover the change. 3. crates.io updates to depend on the new license-exprs version. 4. cargo updates the documentation to allow the new version. 5. authors read the new cargo docs and start using the new expression syntax and/or identifiers. There's a window there where crates.io will be validating to a different version than the cargo docs recommend, so it would be good to have 4 follow 3 as closely as possible. But the SPDX maintainers have been good about providing long deprecation windows, so a bit of a gap is acceptable. It's possible that crates.io will want to warn authors about their use of deprecated identifiers or syntax (e.g. the `/` I've deprecated here) so they can upgrade before the deprecated element is dropped (probably years after the initial deprecation). That would help limit the gap between 3 and 5 (although warnings sent before 4 might be confusing). The parallel edits to the two manifest files are based on @carols10cents' recommendation. She [points out on IRC][6] that the goal is to drop the `src/doc/manifest.md` reference soon with the book up on `doc.rust-lang.org/cargo` today. Fixes #4888, although it would be good to start the upgrade cycle to pull in the [newly-released SPDX license list 3.0][7] so folks can start using the new identifiers. [2]: rust-lang/crates.io#385 [3]: https://github.com/withoutboats/license-exprs/blob/5bdb5355540792234e10011b9bbe4766cd08ff26/src/lib.rs#L53-L56 [4]: https://github.com/spdx/license-list-data/blob/v3.0/licenses.md [5]: https://github.com/spdx/license-list-data/tree/v2.4/website [6]: https://botbot.me/mozilla/cargo/2018-01-04/?msg=95358280&page=2 [7]: https://lists.spdx.org/pipermail/spdx/2017-December/001159.html
|
☀️ Test successful - status-appveyor, status-travis |
This was referenced Jan 5, 2018
wking
added a commit
to wking/cargo
that referenced
this pull request
Jan 8, 2018
Catch up with our recommendations from 7dee65f (src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list, 2018-01-04, rust-lang#4898), which deprecated '/' in favor of vanilla SPDX license expressions. I've gone with the disjunctive OR, because the README has: > Cargo is primarily distributed under the terms of both the MIT > license and the Apache License (Version 2.0).
bors
added a commit
that referenced
this pull request
Jan 8, 2018
Cargo.toml: Replace '/' with 'OR' in 'license' Catch up with our recommendations from 7dee65f (#4898), which deprecated `/` in favor of vanilla SPDX license expressions. I've gone with the disjunctive `OR`, because the README has: > Cargo is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0).
This was referenced Jan 11, 2018
wking
added a commit
to wking/license-exprs
that referenced
this pull request
Jan 11, 2018
Catch up with the recommendations from rust-lang/cargo@7dee65fe (src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list, 2018-01-04, rust-lang/cargo#4898), which deprecated '/' in favor of vanilla SPDX license expressions. I've gone with the disjunctive OR, and most contributors have signed off on that change: * Without Boats wanted to match the crates.io licensing [1], and they meant OR [2]. * Rodolphe Breard [3] and Laurence Tratt [4] intended OR. We haven't heard back from Kai NODA, but ed9fe0b (README.md: update the reference to SPDX, 2017-07-14, ehuss#8) is probably too small to be copyrightable. [1]: ehuss#14 (comment) [2]: rust-lang/crates.io#1226 [3]: ehuss#14 (comment) [4]: ehuss#14 (comment)
wking
added a commit
to wking/license-exprs
that referenced
this pull request
Jan 11, 2018
Catch up with the recommendations from rust-lang/cargo@7dee65fe (src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list, 2018-01-04, rust-lang/cargo#4898), which deprecated '/' in favor of vanilla SPDX license expressions. I've gone with the disjunctive OR, and most contributors have signed off on that change: * Without Boats wanted to match the crates.io licensing [1], and they meant OR [2]. * Rodolphe Breard [3], Laurence Tratt [4], and Kai NODA [5] intended OR. [1]: ehuss#14 (comment) [2]: rust-lang/crates.io#1226 [3]: ehuss#14 (comment) [4]: ehuss#14 (comment) [5]: ehuss#14 (comment)
wking
added a commit
to wking/rust-api-guidelines
that referenced
this pull request
Apr 17, 2018
Catch up with rust-lang/cargo@7dee65fe (src/doc/manifest: Pin 'license' to SPDX 2.1 expressions and the 2.4 list, 2018-01-04, rust-lang/cargo#4898), which deprecated '/' in favor of vanilla SPDX license expressions.
4 tasks
bors bot
added a commit
to uuid-rs/uuid
that referenced
this pull request
May 5, 2018
219: change the license format r=Dylan-DPC a=kinggoesgaming **I'm submitting a ...** - [ ] bug fix - [ ] feature enhancement - [ ] deprecation or removal - [ ] refactor # Description Changed license field from `MIT/Apache-2.0` to `Apache-2.0 OR MIT` # Motivation rust-lang/cargo#4898 deprecated the `/` syntax for licenses, instead opting for `AND` and `OR` keywords. # Tests N/A # Related Issue(s) rust-lang/cargo#4898 Co-authored-by: Hunar Roop Kahlon <[email protected]> Co-authored-by: Dylan DPC <[email protected]>
bors bot
added a commit
to uuid-rs/uuid
that referenced
this pull request
May 5, 2018
219: change the license format r=kinggoesgaming a=kinggoesgaming **I'm submitting a ...** - [ ] bug fix - [ ] feature enhancement - [ ] deprecation or removal - [ ] refactor # Description Changed license field from `MIT/Apache-2.0` to `Apache-2.0 OR MIT` # Motivation rust-lang/cargo#4898 deprecated the `/` syntax for licenses, instead opting for `AND` and `OR` keywords. # Tests N/A # Related Issue(s) rust-lang/cargo#4898 Co-authored-by: Hunar Roop Kahlon <[email protected]> Co-authored-by: Dylan DPC <[email protected]>
wking
added a commit
to wking/crates.io
that referenced
this pull request
Jul 10, 2018
And then update Cargo.lock with: $ cargo build This bumps us from the SPDX License List 2.4 to 3.1. Some 2.4 identifiers have since been deprecated by SPDX, but none of them have been removed, so it should be safe to deploy this before bumping Cargo and its docs (which mention 2.4 since [1]). [1]: rust-lang/cargo#4898
bors-voyager bot
added a commit
to rust-lang/crates.io
that referenced
this pull request
Jul 11, 2018
1457: Cargo.toml: Bump license-exprs to 1.4.0 r=carols10cents And then update `Cargo.lock` with: ```console $ cargo build ``` This bumps us from the SPDX License List 2.4 to 3.1. Some 2.4 identifiers have since been deprecated by SPDX, but none of them have been removed, so it should be safe to deploy this before bumping Cargo and its docs (which mention 2.4 since rust-lang/cargo#4898). Fixes #1278.
matklad
added a commit
to matklad/regex
that referenced
this pull request
Sep 5, 2019
Historically, the `/` was used throughout the ecosystem, but the actual SPDX standard requires this to be an OR. The said standard also has AND, and for this reason `/` is ambiguous. rust-lang/cargo#4898 contains some more details about this.
BurntSushi
pushed a commit
to rust-lang/regex
that referenced
this pull request
Sep 5, 2019
Historically, the `/` was used throughout the ecosystem, but the actual SPDX standard requires this to be an OR. The said standard also has AND, and for this reason `/` is ambiguous. rust-lang/cargo#4898 contains some more details about this. PR #615
bors bot
added a commit
to taiki-e/pin-project
that referenced
this pull request
Oct 23, 2019
165: Separate licenses with `OR` instead of `/` r=taiki-e a=taiki-e Refs: rust-lang/cargo#4898 Co-authored-by: Taiki Endo <[email protected]>
bors bot
added a commit
to crossbeam-rs/crossbeam
that referenced
this pull request
May 23, 2020
512: Separate licenses with `OR` instead of `/` r=jeehoonkang a=taiki-e `/` is deprecated. Refs: rust-lang/cargo#4898 Closes #419 Co-authored-by: Taiki Endo <[email protected]>
bors bot
added a commit
to crossbeam-rs/crossbeam
that referenced
this pull request
May 23, 2020
512: Separate licenses with `OR` instead of `/` r=jeehoonkang a=taiki-e `/` is deprecated. Refs: rust-lang/cargo#4898 Closes #419 Co-authored-by: Taiki Endo <[email protected]>
This was referenced Nov 28, 2023
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before this commit, the license-list URL was floating, which lead to issues when manifest authors used IDs from the list that had not yet made it into crate.io's whitelist (#4888). This commit pins both the SPDX-spec version (to avoid floating the license-expresion syntax) and the license-list version (to avoid floating the license/exception identifiers).
I've also deprecated the
/syntax, since it was not clear whether that was conjunctive (likeAND) or disjunctive (likeOR). crates.io is using license-exprs 1.3^, and that version supportsWITH,AND,OR, and the+suffix, so as far as crates.io-validation is concerned, the value can use vanilla license expressions.It's unfortunate that there's not an easily-browsable version of the 2.4 license list up anywhere canonical (as far as I know). Starting with the 3.0 license list, there's a Markdown page in the authoritative list-data repository. I can also see about getting earlier versions of the HTML up on spdx.org somewhere.
I'm expecting the version-bump procedure will look something like:
There's a window there where crates.io will be validating to a different version than the cargo docs recommend, so it would be good to have 4 follow 3 as closely as possible. But the SPDX maintainers have been good about providing long deprecation windows, so a bit of a gap is acceptable.
It's possible that crates.io will want to warn authors about their use of deprecated identifiers or syntax (e.g. the
/I've deprecated here) so they can upgrade before the deprecated element is dropped (probably years after the initial deprecation). That would help limit the gap between 3 and 5 (although warnings sent before 4 might be confusing).The parallel edits to the two manifest files are based on @carols10cents' recommendation. She points out on IRC that the goal is to drop the
src/doc/manifest.mdreference soon with the book up ondoc.rust-lang.org/cargotoday.Fixes #4888, although it would be good to start the upgrade cycle to pull in the newly-released SPDX license list 3.0 so folks can start using the new identifiers.