Is your feature request related to a problem? Please describe.
We have a bunch of crates in a private registry that are used by many internal projects. They all have license = "UNLICENSED" since they are copyright and for internal use only. In the past we've been using cargo-lichking to check that no incompatible-with-copyrighted-software dependencies creep in, but we're interested in using cargo-deny to combine this with other checks.
However, we can't find a way to skip the license check for these dependencies. The [licenses.private] key in deny.toml seems to check which registry workspace members are published to, but these dependencies are not workspace members; they're stored in a central private registry and depended on from there by the crate which cargo deny is being run against.
Describe the solution you'd like
A way to skip the license check based on the registry that a crate was pulled from, in order to facilitate storing internal, unlicensed software in private registries.
Describe alternatives you've considered
We tried to use exceptions, but it doesn't seem to work because they require the license string to parse as a valid license, and UNLICENSED does not. (Is there another string we should be using rather than UNLICENSED?)
> We tried to use exceptions, but it doesn't seem to work because they require the license string to parse as a valid license, and UNLICENSED does not. (Is there another string we should be using rather than UNLICENSED?)
One approach you could use here is to have a valid SPDX license identifier for your proprietary crates; for example, we use LicenseRef-Embark-Proprietary.
Also stumbled on this problem. I thought that if I published the crates with no license field to our private registry it would be okay to use them in other places, but it turns out I need to put LicenseRef-* into their license and re-publish them =(
I suggest we add this caveat to the docs somewhere such that people don't repeat this mistake...