License badge colour corresponding to license type

[platan]

Implementation of #1093.

Listing of all licenses (https://developer.github.com/v3/licenses/#list-all-licenses) returns 12 licenses:

curl "https://api.github.com/licenses" -s -H "Accept:  application/vnd.github.drax-preview+json" | jq ".[].spdx_id" -r
BSD-3-Clause
EPL-1.0
Apache-2.0
LGPL-2.1
LGPL-3.0
Unlicense
AGPL-3.0
MIT
BSD-2-Clause
MPL-2.0
GPL-2.0
GPL-3.0

but when we use advances search https://github.com/search/advanced there is more of them

API returns info about this extra license:

curl "https://api.github.com/repos/glfw/glfw/license" -s -H "Accept:  application/vnd.github.drax-preview+json" | jq ".license.spdx_id"
"Zlib"

I do not have service tests for colours, cause json resource does not return colour :-( Should we add colour to json resource in order to test them?

TODO:

• add support for all licenses recognised by GitHub
• rename viral to copyleft
• decide if we want do separate copyleft and viral licenses
• decide what to with long license names (use SPDX or key is instead of name or create separate license with short name)
• apply colors to NPM license badge
• use unknown label for GitHub Other license
• decide how to test colors (currently separate JSON style, compatible with default)
• make permissive a duller version of public domain

[platan]

List of all licenses (spdx_id, name). I have to categorize them and put in config file.
AFL-3.0 - Academic Free License v3.0
AGPL-3.0 - GNU Affero General Public License v3.0
Apache-2.0 - Apache License 2.0
Artistic-2.0 - Artistic License 2.0
BSD-2-Clause - BSD 2-clause "Simplified" License
BSD-3-Clause - BSD 3-clause "New" or "Revised" License
BSD-3-Clause-Clear - BSD 3-clause Clear License
BSL-1.0 - Boost Software License 1.0
CC-BY-4.0 - Creative Commons Attribution 4.0
CC-BY-SA-4.0 - Creative Commons Attribution Share Alike 4.0
CC0-1.0 - Creative Commons Zero v1.0 Universal
ECL-2.0 - Educational Community License v2.0
EPL-1.0 - Eclipse Public License 1.0
EUPL-1.1 - European Union Public License 1.1
GPL-2.0 - GNU General Public License v2.0
GPL-3.0 - GNU General Public License v3.0
ISC - ISC License
LGPL-2.1 - GNU Lesser General Public License v2.1
LGPL-3.0 - GNU Lesser General Public License v3.0
LPPL-1.3c - LaTeX Project Public License v1.3c
MIT - MIT License
MPL-2.0 - Mozilla Public License 2.0
MS-PL - Microsoft Public License
MS-RL - Microsoft Reciprocal License
NCSA - University of Illinois/NCSA Open Source License
OFL-1.1 - SIL Open Font License 1.1
OSL-3.0 - Open Software License 3.0
PostgreSQL - PostgreSQL License
Unlicense - The Unlicense
WTFPL - Do What The F*ck You Want To Public License
Zlib - zlib License

[paulmelnikow]

Looks great!

[paulmelnikow]

Could you export a function instead? It makes it a bit easier to handle errors, and you could also use it to handle default values, as in some of the functions in lib/badge-data.js.

[platan]

I've exported licenseToColor as a function.

[paulmelnikow]

Would this be clearer?

Object.keys(licenseTypes).forEach(licenseType => {
  const { licenses, color } = licenseTypes[licenseType];
  licenses.forEach(license => {
    licenseToColor[license] = color;
  });
});

[platan]

It would be :-) I've change the code.

[paulmelnikow]

👍

[paulmelnikow]

Are these SPDX IDs or are they github-specific?

[platan]

These are SPDX ids. Rename licenses to spxdLicenseIds?

[paulmelnikow]

I noticed this is only change one of the many license badges. Any thoughts about whether any of the others should be updated?

[KOLANICH]

I guess you can use tldrlegal API and check must for Disclose Source.
https://tldrlegal.com/api/license/ here is the api root
https://tldrlegal.com/api/license/52c863569f62d5643500000c here is gplv3
52c863569f62d5643500000c is the identifier, you can see it in api root
it's not hard to write a library interacting with the api

[platan]

I've added all licenses supported by GitHub to lib/licenses.js. Could someone please review assignment to specific groups? https://choosealicense.com/appendix/ can be helpful.

[platan]

@KOLANICH so you want to get license details from tldrlegal API in order to categorize them into one of the three groups (permissive, viral and public domain)? I thought config like lib/license.js will be sufficient.

[KOLANICH]

@KOLANICH so you want to get license details from tldrlegal API in order to categorize them into one of the three groups (permissive, viral and public domain)? I thought config like lib/license.js will be sufficient.

You will have to update the config manually when new licences appear. I think it's better to have a script rebuilding the "config" (in fact it is used as a database) automatically on schedule.

[platan]

@paulmelnikow I haven't thought about other license badges (we were talking in issue about licenses recognized by GitHub). But there is a lot of other license badges and they should be updates as well.
List of license badges found in code:
Crates.io https://img.shields.io/crates/l/rustc-serialize.svg
Packagist https://img.shields.io/packagist/l/symfony/symfony.svg
NPM https://img.shields.io/npm/l/express.svg
PyPI https://img.shields.io/pypi/l/Django.svg
Hex.pm https://img.shields.io/hexpm/l/plug.svg
CocoaPods https://img.shields.io/cocoapods/l/AFNetworking.svg
Bower https://img.shields.io/bower/l/bootstrap.svg
APM https://img.shields.io/apm/l/vim-mode.svg
CPAN https://img.shields.io/cpan/l/Config-Augeas.svg
CRAN https://img.shields.io/cran/l/devtools.svg
CTAN https://img.shields.io/ctan/l/novel.svg
DUB https://img.shields.io/dub/l/vibe-d.svg
AUR https://img.shields.io/aur/license/yaourt.svg

[platan]

On the one hand it is a good idea to load licenses details from. On the other hand this 31 licenses from Github could cover most of the licenses (compare with some licenses distribution stats https://www.whitesourcesoftware.com/whitesource-blog/open-source-software-licenses-trends/, https://www.blackducksoftware.com/top-open-source-licenses).
Unfortunately haven't found SPDX identifiers in https://tldrlegal.com API (sometimes SPDX full name or SPDX id is a part of the title value).
GitHub API seems to be a good alternative as a source of license details (we can pass SPDX id as a license id):

curl "https://api.github.com/licenses/Apache-2.0" -H "Accept: application/vnd.github.drax-preview+json" -s | jq 'del(.body)'        
{
  "key": "apache-2.0",
  "name": "Apache License 2.0",
  "spdx_id": "Apache-2.0",
  "url": "https://api.github.com/licenses/apache-2.0",
  "featured": true,
  "html_url": "http://choosealicense.com/licenses/apache-2.0/",
  "description": "A permissive license whose main conditions require preservation of copyright and license notices. Contributors provide an express grant of patent rights. Licensed works, modifications, and larger works may be distributed under different terms and without source code.",
  "implementation": "Create a text file (typically named LICENSE or LICENSE.txt) in the root of your source code and copy the text of the license into the file.",
  "permissions": [
    "commercial-use",
    "modifications",
    "distribution",
    "patent-use",
    "private-use"
  ],
  "conditions": [
    "include-copyright",
    "document-changes"
  ],
  "limitations": [
    "trademark-use",
    "liability",
    "warranty"
  ]
}

[platan]

I prepared more examples with badges.

Crates.io
Packagist
NPM
PyPI
Hex.pm
CocoaPods
Bower
APM
CPAN
CRAN
CTAN
DUB
AUR

Almost all of them have license name, which does not match SPDX identifier. To handle all this services maybe we will need to prepare some mapping of names or license recognition.

[KOLANICH]

Unfortunately haven't found SPDX identifiers in https://tldrlegal.com API

shorthand in a license summary?

[paulmelnikow]

@KOLANICH if you're passionate about automatically generating the license data, how about publishing an npm package with that data in it? Then we could rework this to use that data.

I'm not sure tldrlegal is the best source of data to use. That API is "temporary", and you may need their permission to publish their data. I found this folder of data from Github's choosealicense.com project, which I think is under CC-BY. Maybe that would be a good source.

[platan]

@KOLANICH Open Software License 3.0 (OSL-3.0) in tldrlegal.com does not have shorthand (https://tldrlegal.com/api/license/539a8b2fb8c2c0604500013e) or shorthand is different than SPDX id (boost for Boost Software License 1.0 instead of BSL-1.0 https://tldrlegal.com/api/license/52e58a3281519e003b000094)

[paulmelnikow]

Thanks for collecting those license badges. The only one of those registries that I know uses SPDX IDs is npm. It's worth enabling this code for that badge. They do support SPDX expressions which I just used for the first time. I don't encounter them very often though. You could write some code to handle them, or just display in gray as unrecognized.

License string parsing is a can of worms! I'm game to attempt it but would probably want to take that seriously, collecting lots of example strings from each repository and making sure we're doing a good job detecting them + labeling them correctly. I'm not sure it feels worth it for just the color, though do think a "convert license to SPDX" could be generally useful. Maybe we could even convince some of these repositories – or projects – to publish the SPDX id! Well, that's a grand vision… if you want to work on that I'd be game to help, though probably we should make a separate repo.

[paulmelnikow]

Could you explain how these were derived from https://choosealicense.com/appendix/, and give attribution? I think that content is licensed CC-BY. It would also make it easier to check your work, as you requested!

[platan]

'public-domain' licenses are those that do not require 'license and copyright notice', 'viral' - requires 'disclose source' or 'same license', rest is 'permissive'. Does it answer your question?

[paulmelnikow]

Yea, great! Could you add this in a comment? I feel like that'll be helpful to others in the future.

[platan]

done

[KOLANICH]

@KOLANICH if you're passionate about automatically generating the license data, how about publishing an npm package with that data in it? Then we could rework this to use that data.

I'm not going to do that. I don't use node and npm and I don't understand and strictly against of all this hype of using npm even for projects not involving Node, such as webpages, libraries not specific to node and extensions for browsers.

I'm not sure tldrlegal is the best source of data to use.

Neither do I.

That API is "temporary"

It has been "temporary" for more than 4 years. We in Russia have a proverb "there is nothing more permanent than temporary one".

you may need their permission to publish their data.

It is the main problem here. I guess you should contact them and ask. Since there are links to json from the pages of licenses on tldrlegal (in the bottom), I guess that the chances are high to get the permission.

I found this folder of data from Github's choosealicense.com project, which I think is under CC-BY.

That should be a good source. I guess we need a separate repo with json files.

@KOLANICH Open Software License 3.0 (OSL-3.0) in tldrlegal.com does not have shorthand (https://tldrlegal.com/api/license/539a8b2fb8c2c0604500013e) or shorthand is different than SPDX id (boost for Boost Software License 1.0 instead of BSL-1.0 https://tldrlegal.com/api/license/52e58a3281519e003b000094)

Then tldrlegal doesn't suit our needs well, for now.

[paulmelnikow]

I was thinking a bit more about the meaning behind the colors.

Some people love copyleft licenses and think they are the best. Others see them and think, danger! Ideally, we should choose a color for copyleft that works for both schools of thought, conveying both "awesome!" and "danger!". Since we're asking people to put these badges on their own projects, it's important people can relate to the color. (Otherwise they will probably just override it.)

Also, since many projects have license badges with our blue color, it might be better to choose something else for permissive.

What do you think about these?

[KOLANICH]

Ideally, we should choose a color for copyleft that works for both schools of thought, conveying both "awesome!" and "danger!".

Orange looks nice, but gray for unknown doesn't, because unknown may be proprietary, so unknown is danger, and more danger than viral. And explicitly or implicitly (missing license) proprietary is more dangerous than unknown.

Also, since many projects have license badges with our blue color, it might be better to choose something else for permissive.

In fact most of templates of licence shields are blue. I guess it is because it is one of the colors having no success/failure meaning. In fact I thought about something like #3FF8CC for permissive and something like #00FF00 for public domain.

[paulmelnikow]

@platan I would love to get this merged. When you have a moment, could you take a look at my last round of comments?

[platan]

I will continue work on this next week.

[paulmelnikow]

Could you merge in master? Would love to get this landed! Thanks for your patience.

[paulmelnikow]

Since licenseToColor has its own unit tests, how about doing something like:

const permissiveLicenseColor = licenseToColor('CC0-1.0');

That way if we change the color, this test won't require new maintenance.

[paulmelnikow]

Looks like this is pending.

[platan]

Done. I had to stop work on this suddenly. Thanks!

[paulmelnikow]

❤️

[paulmelnikow]

Looks like this is pending.

[platan]

I think everything is fixed. To sum up, we have such license badges (GitHub):

[paulmelnikow]

I ran the service tests locally. There are a slough of failures, though most of them are unrelated.

There are related failures in the GitHub service tests, which are returning license | missing. Could you take a look?

[platan]

You probably exceeded GitHub API rate limit. In this case you get "missing" as a license value. I've changed this to "inaccessible" (for this and other cases when HTTP status code is not 200). I've added a service test for this case as well.

edit:
test results: https://travis-ci.org/platan/shields/jobs/312080812#L3740

[paulmelnikow]

Huh, I'd be surprised if it were rate limit, since I have a token set up in development (5k/hr). Nevertheless, they are passing now! And thanks for the improved erroring!

[platan]

I was a really long PR :-). @KOLANICH @paulmelnikow and @tooomm thanks for ideas, reviews and your time!

[KOLANICH]

👏 🎉

[tooomm]

It was. Well done @platan! And thanks...

[paulmelnikow]

Yes, I was thinking the same thing. Well done! Looking forward to getting this shipped so we can start hearing feedback about it.

Was thinking we might want to document an explanation of the colors somewhere on the website. Could be in an example, or else at the bottom of the page.

Should be live on staging, at any rate: https://shields-staging.herokuapp.com/

[tooomm]

Indeed, some documentation would be very helpful here!

I would prefer it inside every license badge preview it applies to.
Like for the GitHub rate limits, see #1311 (comment). There has been some talks and a nice approach of some documentation in there for the recent appveyor badge pr (#1321).
I'm not a fan of a badge specific documentation at the bottom.

Edit: Actually there is some more heavy documentation within the badge preview for Visual Studio Team services!