Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cargo deny gives an error on "Apache-2.0 OR GPL-2.0+" in a crate's cargo.toml #498

Closed
cbeck88 opened this issue Mar 25, 2023 · 3 comments · Fixed by #503
Closed

cargo deny gives an error on "Apache-2.0 OR GPL-2.0+" in a crate's cargo.toml #498

cbeck88 opened this issue Mar 25, 2023 · 3 comments · Fixed by #503
Labels
enhancement New feature or request

Comments

@cbeck88
Copy link

cbeck88 commented Mar 25, 2023

Is your feature request related to a problem? Please describe.

I depend on a rust library called mbedtls, and I get the following error:

error[unlicensed]: mbedtls = 0.8.1 is unlicensed
  ┌─ mbedtls 0.8.1 (git+https://github.com/mobilecoinfoundation/rust-mbedtls.git?rev=98d3af413c1e23ea89cc5f41ab4dddb1944405af#98d3af413c1e23ea89cc5f41ab4dddb1944405af):2:9
  │
2 │ name = "mbedtls"
  │         ^^^^^^^ a valid license expression could not be retrieved for the crate
3 │ version = "0.8.1"
4 │ license = "Apache-2.0 OR GPL-2.0+"
  │                                 - a GNU license was followed by a `+`
  │

Describe the solution you'd like

It would be cool if one of the following two things would happen:

  • GPL-2.0+ were interpreted as GPL-2.0-or-later by cargo deny
  • When an OR expression occurs in the license, if the one side is known and valid, it doesn't matter if the other side is. This would help me because Apache-2.0 is in my allowed list. (I realize it might be complicated to implement though)

Now that I read more about this, maybe this isn't compatible with SPDX spec? I am not sure

Describe alternatives you've considered

Adding a clarify field or some kind of exception for the mbedtls crate in my case

AFAIK I can't clarify the license when the string can't be parsed like this. (This feature proposal would allow me to add an exception for mbedtls being "unlicensed": #451)

Possibly, filing an issue upstream with mbedtls to see if they will change how they spell this.

Additional context

None, thanks for making cargo-deny

@cbeck88 cbeck88 added the enhancement New feature or request label Mar 25, 2023
cbeck88 added a commit to mobilecoinfoundation/rust-mbedtls that referenced this issue Mar 25, 2023
cargo deny doesn't seem to understand `GPL-2.0+` right now,
see EmbarkStudios/cargo-deny#498
@cbeck88
Copy link
Author

cbeck88 commented Mar 26, 2023

I opened an issue with them here:

fortanix/rust-mbedtls#240

@cbeck88
Copy link
Author

cbeck88 commented Mar 27, 2023

The only way I could see to appease cargo-deny here, without upstream changes, was to do the following:

unlicensed = "warn"

But that feels a bit dirty. It would be really nice if #451 were implemented so that I could continue denying unlicensed crates besides mbedtls.

@cbeck88
Copy link
Author

cbeck88 commented Apr 6, 2023

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant