Purposely fail to detect the license if multiple license files exist #114

Closed
benbalter opened this issue Sep 15, 2016 · 15 comments · Fixed by #202 or #203

Comments

@benbalter
Contributor

benbalter commented Sep 15, 2016

E.g., I have license.cc0.txt and license.cc-by.txt both in the root of the repo.

We should bail due to the ambiguity.

@TheLastProject

As an example of how messy it can get, I have an AGPLv3+ project that's currently detected as CC0: https://github.com/TheLastProject/mkblog.sh/.

@rmccue

rmccue commented Oct 19, 2016

As another example of this, I have a LICENSE file with multiple licenses, which is currently detected as the latter (BSD 3-clause) rather than the primary (ISC): https://github.com/rmccue/Requests/blob/master/LICENSE

@stale stale bot added the wontfix label Apr 6, 2017
@stale

stale bot commented Apr 6, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@TheLastProject

Seriously? That's a horrible way to manage issues. In that case: bump (because you're forcing me to)

@stale

stale bot commented Jun 5, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@TheLastProject

Bump...

@ofek

ofek commented Jun 10, 2017

@benbalter Are there plans to detect dual licenses? Many large projects are dual licensed for compatibility. Also, https://github.com/rust-lang/rust and almost everything written in it is MIT/Apache-2.0 but GitHub (licensee) can't detect it.

@mlinksva
Contributor

@ofek licensee isn't detecting a license in rust-lang/rust due to its COPYRIGHT file which is higher priority than its LICENSE- files and doesn't match any license, not its multiple licenses.

If this (#114) issue were fixed, licensee wouldn't detect a license in rust-lang/rust even if the COPYRIGHT file weren't present.

I don't know if there are plans to detect dual licenses. It'd be nice to have. I wonder what false positives would be caused/would need to be mitigated as a result?

@ofek

ofek commented Jun 10, 2017

@mlinksva Oh, I see.

What kind of false positives?

@mlinksva
Contributor

@ofek one kind would be where a project's multiple license files aren't intended for offering the whole project under multiple licenses, but different parts of a project (e.g. code and content, project contributions and vendored material). If licensee detected multiple licenses for such a project, some or all of the reported licenses may be false for the project as a whole. I don't know how common this is, probably needs more investigation.

@ofek

ofek commented Jun 10, 2017

@mlinksva Good point, thanks! Do you think detecting everything is worse than detecting none?

@mlinksva
Contributor

@ofek probably. People seem to be more bothered by false positives than false negatives, and I'm pretty sympathetic to that. Detecting multiple licenses would be a significant change for licensee anyway, so I suppose that one approach might be to detect and report the existence of multiple license files, but not report that a repo is under any of those licenses.

@benbalter
Contributor Author

WIP fix over in #203.

@ofek

ofek commented Jun 22, 2017

@benbalter Fantastic!

@daira

daira commented Jul 16, 2017

Example of licensee (via GitHub) misdetecting an Apache 2.0/MIT dual license as just Apache 2.0: zkcrypto/pairing#14

The project contains no LICENSE file, only LICENSE-APACHE and LICENSE-MIT. The README.md references both. So it seems to me that it is doing everything right to avoid being detected as Apache 2.0-only already.
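
A sketch of the bail-on-ambiguity behaviour this issue asks for, as an added example that is not licensee's own code: the score table and the `score`/`detect` helpers are hypothetical, and the filename-to-license map is constructed input standing in for content matching. It also reproduces the thread's point that a higher-priority COPYRIGHT file that matches nothing hides lower-priority LICENSE-* files.

```ruby
# Hypothetical filename priorities (assumption, not licensee's real table).
# The only ordering taken from the thread: COPYRIGHT outranks LICENSE-* files.
SCORES = [
  [/\Acopyright(\.[a-z]+)?\z/i,     1.0], # COPYRIGHT, COPYRIGHT.txt
  [/\Alicen[sc]e(\.(txt|md))?\z/i,  0.9], # LICENSE, LICENSE.txt, LICENSE.md
  [/\Alicen[sc]e[-.][\w.-]+\z/i,    0.8]  # LICENSE-MIT, license.cc0.txt
].freeze

# Score of a filename as a license-file candidate; 0.0 means "not a candidate".
def score(name)
  SCORES.each { |pattern, value| return value if pattern.match?(name) }
  0.0
end

# files: { filename => matched license id, or nil if the content matched nothing }
# Returns a hash with :license (nil when detection must fail), :reason and
# :candidates (the top-priority files that were considered).
def detect(files)
  candidates = files.keys.select { |name| score(name) > 0 }
  return { license: nil, reason: :no_license_file, candidates: [] } if candidates.empty?

  top  = candidates.map { |name| score(name) }.max
  best = candidates.select { |name| score(name) == top }.sort

  # Several files tie for the highest priority: refuse to pick one, but still
  # report which files caused the ambiguity so a human can review them.
  return { license: nil, reason: :ambiguous, candidates: best } if best.size > 1

  id = files[best.first]
  { license: id, reason: id ? :matched : :unmatched, candidates: best }
end

# Constructed inputs mirroring the cases raised in the thread.
CC_PAIR   = { "license.cc0.txt" => "cc0-1.0", "license.cc-by.txt" => "cc-by-4.0",
              "README.md" => nil }.freeze
DUAL      = { "LICENSE-APACHE" => "apache-2.0", "LICENSE-MIT" => "mit" }.freeze
COPYRIGHT = DUAL.merge("COPYRIGHT" => nil).freeze
SINGLE    = { "LICENSE" => "mit", "README.md" => nil }.freeze

if $PROGRAM_NAME == __FILE__
  { cc_pair: CC_PAIR, dual: DUAL, copyright: COPYRIGHT, single: SINGLE }.each do |label, files|
    puts "#{label}: #{detect(files)}"
  end
end
```

Reporting `:candidates` alongside a `nil` license corresponds to the approach suggested in the thread of reporting that multiple license files exist without asserting that the repository is under any of them.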
