About the issue of uploading open source license files

[qian-o]

Regarding open source licenses, can I upload the license file to the repository? Because GitHub's workflow has processes responsible for packaging and checking, if I don't upload the license file, it may cause some issues.

I think the prohibition of uploading license files is to prevent license leakage and abuse, but even if I don't upload it, some way is needed to obtain the content of the license file in the workflow for checking, which also leads to license leakage and abuse.

So, what should I do?

[JimBobSquarePants]

There’s documentation for this. Use GitHub secrets.

https://docs.sixlabors.com/articles/imagesharp/index.html?tabs=tabid-1#how-to-use-the-license-file

[Piedone]

The inconvenience here is that this breaks the F5 experience, raising the barrier for contribution. Wouldn't it be possible to find a solution for this?

I'm just spitballing here, but perhaps the license checking logic could match the consuming project's name and other details, also about the solution if possible, as some kind of fingerprinting. So, there could be a license for IS libraries to be consumed e.g. only by the OrchardCore.Media project. That would allow us to add the license file to the repo, thus removing the friction for contributors while making the license invalid for any other uses.

Obviously this opens up vectors for abuse, but as a malicious user you'd need to make your consumer project, depending on the fingerprinting techniques used, so close to OrchardCore.Media that it would make your project a mess. And at that point you can abuse the license by depending rather on OrchardCore.Media and thus use IS transitively anyway.

[JimBobSquarePants]

We couldn’t possibly introduce fingerprinting. Any PII is an absolutely unacceptable to users. We also would not want to open channels for abuse. The key has come about as a result of years of licensing abuse.

[Piedone]

There's no need for PII to leave the user's computer: all the fingerprinting can happen locally, with the license being issued to a hash. This is a technique used by various desktop software (with hardware fingerprinting for node-locked licenses) already.

Thinking of it, the current licensing approach is actually less secure, because you can use a given license in any project, allowing simply sharing the file with third-parties. If there's no online license validity check, then such shared licenses can't even be revoked.