Allow skipping license check for crates from a certain registry #344

Closed
jbg opened this issue May 9, 2021 · 3 comments · Fixed by #391
Labels
enhancement New feature or request

Comments

@jbg
Contributor

jbg commented May 9, 2021

Is your feature request related to a problem? Please describe.

We have a bunch of crates in a private registry that are used by many internal projects. They all have license = "UNLICENSED" since they are copyright and for internal use only. In the past we've been using cargo-lichking to check that no incompatible-with-copyrighted-software dependencies creep in, but we're interested in using cargo-deny to combine this with other checks.

However, we can't find a way to skip the license check for these dependencies. The [licenses.private] key in deny.toml seems to check which registry workspace members are published to, but these dependencies are not workspace members; they're stored in a central private registry and depended on from there by the crate that cargo deny is being run against.

Describe the solution you'd like

A way to skip the license check based on the registry that a crate was pulled from, in order to facilitate storing internal, unlicensed software in private registries.

Describe alternatives you've considered

We tried to use exceptions, but it doesn't seem to work because they require the license string to parse as a valid license, and UNLICENSED does not. (Is there another string we should be using rather than UNLICENSED?)

@jbg jbg added the enhancement New feature or request label May 9, 2021
@repi
Contributor

repi commented May 9, 2021

> We tried to use exceptions, but it doesn't seem to work because they require the license string to parse as a valid license, and UNLICENSED does not. (Is there another string we should be using rather than UNLICENSED?)

One approach you could use here is to have a valid SPDX license identifier for your proprietary crates; for example, we use LicenseRef-Embark-Proprietary.
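As an added illustration of that approach (not from the issue or the cargo-deny project itself), the two configuration fragments below show a proprietary crate declaring a LicenseRef identifier and a deny.toml that accepts it; the crate, registry and identifier names are assumed placeholders.

```toml
# Cargo.toml of the internal crate published to the private registry.
# SPDX allows "LicenseRef-" followed by letters, digits, "-" and ".",
# so this parses where a bare "UNLICENSED" string does not.
[package]
name = "internal-auth-lib"        # assumed crate name
version = "1.4.0"
license = "LicenseRef-ExampleCorp-Proprietary"   # assumed identifier

# deny.toml of the project consuming that crate.
[licenses]
unlicensed = "deny"               # crates with no license field still fail
allow = [
    "MIT",
    "Apache-2.0",
]

# Option A: accept the proprietary identifier only for the named crate,
# so an unrelated dependency using the same string is still rejected.
exceptions = [
    { name = "internal-auth-lib", allow = ["LicenseRef-ExampleCorp-Proprietary"] },
]

# Option B (broader): add "LicenseRef-ExampleCorp-Proprietary" to `allow`
# above instead, which accepts it for every crate in the graph.

# Workspace members published to the private registry are skipped by
# the existing private-registry setting; it does not cover dependencies
# pulled from that registry, which is what the exception handles.
[licenses.private]
ignore = true
registries = ["examplecorp-internal"]   # assumed registry name
```

Run `cargo deny check licenses` after the change; the exception is the narrower of the two options because it scopes the proprietary identifier to one crate name.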

@jbg
Contributor Author

jbg commented May 10, 2021

Thanks, I didn't know about LicenseRef! This solves my problem, but the general mechanism I proposed could maybe still be useful.

@Veetaha
Contributor

Veetaha commented Oct 7, 2021

Also stumbled on this problem. I thought that if I publish the crates with no license field to our private registry it would be okay to use them in other places, but it turns out I need to put LicenseRef-* into their license and re-publish them =(

I suggest we add this caveat to the docs somewhere so that people don't repeat this mistake...
