Bug: adding 'version=2' makes license checks start failing. #628

Closed
eric-seppanen opened this issue Mar 6, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@eric-seppanen

Describe the bug

I upgraded my deny.toml to use version = 2 in the [licenses] section.

After making that change, a new failure appears, due to the license string "LGPL-2.1-or-later WITH GCC-exception-2.0" in the systemd crate:

error[rejected]: failed to satisfy license requirements
  ┌─ systemd 0.10.0 (registry+https://github.com/rust-lang/crates.io-index):4:12
  │
4 │ license = "LGPL-2.1-or-later WITH GCC-exception-2.0"
  │            ^^^^^^^^^^^^^^^^^-----------------------
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license was not explicitly allowed
  │
  = LGPL-2.1 - GNU Lesser General Public License v2.1 only:
  =   - **DEPRECATED**
  =   - OSI approved
  =   - FSF Free/Libre
  =   - Copyleft
  = systemd v0.10.0
    └── license-test v0.1.0

I have tried allowing LGPL-2.1, and that fails with the same message. I also tried LGPL-2.1-or-later WITH GCC-exception-2.0, LGPL-2.1-or-later, LGPL-2.1+, but those appear to be the wrong syntax.

I have read through #606 and #611, and I wasn't able to figure out why this behavior changed.

To reproduce

A small project that shows the problem:

deny.toml

[licenses]
# Uncomment to see the problem
#version = 2

# List of explicitly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
    "MIT",
    "Unicode-DFS-2016",
    "Unlicense",
]

Cargo.toml

[package]
name = "license-test"
version = "0.1.0"
edition = "2021"
license = "MIT"

[dependencies]
systemd = "0.10.0"

cargo-deny version

cargo-deny 0.14.16

What OS were you running cargo-deny on?

Linux

Additional context

No response

@eric-seppanen eric-seppanen added the bug Something isn't working label Mar 6, 2024
@eric-seppanen
Author

I found a string that works: LGPL-2.1-or-later WITH GCC-exception-2.0 -> LGPL-2.1 WITH GCC-exception-2.0, though I'm not sure if I was supposed to add + to reflect the -or-later part.

I'm still puzzled why the behavior changed when I added version = 2.

@Jake-Shadle
Member

This is documented. As are the annoyances with GPLish licenses.

@eric-seppanen
Author

I have read that documentation, and I'm afraid I don't understand which part of the version = 2 changes trigger different behavior with this license. Can you clarify?

@Jake-Shadle
Member

Copyleft licenses are warn by default before setting version = 2

@eric-seppanen
Author

Thanks for the clarification. I was going back through my output when I figured out part of my problem: I was confused because license warnings don't look the same as license deny errors.

My naive expectation is that a license warning and a license error would look similar, but one would fail the check and the other wouldn't.

A license warning says warning[accepted]: license requirements satisfied which I found (and still find) kind of misleading. It seems to be asserting something that's not true! The license requirements were not satisfied.

@Jake-Shadle
Member

That was one of the issues that this deprecation is addressing.
