go.dev: known licenses are not recognised #36758
Comments
ALTree
added
pkgsite
NeedsInvestigation
|
Here's an example of a license that's not recognised and probably should be: https://github.com/gogo/protobuf/blob/master/LICENSE Also, because this seems to be a decent place to record this, many of the Canonical open source contributions are under an "LGPL with static linking exception" license, which isn't recognised. For example, the popular juju/ratelimit package (license here), which is imported by ~600 other packages, is unavailable on |
|
We're aware of issues with github.com/juju/ratelimit and github.com/gogo/protobuf - license issues for both of these packages should be fixed soon. /cc @jba |
|
As of today, gonum.org/v1/gonum, github.com/gogo/protobuf, github.com/juju/ratelimit all are correctly identified, as should all modules using the Canonical variation of LGPL 3.0. Closing this, but reopen for other licenses you think should be detected. We also think we are doing the right thing for vendoring, at least for https://pkg.go.dev/k8s.io/kubernetes/third_party/forked/gonum/graph, but I'd like to discuss that in a separate issue. |
jba
changed the title
|
This is still not working correctly: see https://pkg.go.dev/modernc.org/cc which is a BSD 3 clause. Before the action of redirecting currently working online documentation for package to pkg.go.dev, go.dev should be very sure that package providers are not harmed by reducing their visibility. I don't think go.dev can guarantee that given this failure and the broader issue of the more restrictive licensing regime that is in place on go.dev. |
|
I also strongly disagree that you are doing the correct thing with vendored code. You are displaying host license on the vendored code package, which is irrelevant and not displaying vendored code licenses on the host module. This is facing exactly the wrong direction. If you want to discuss this in another issue, please open that and cc me there (or return the text of the issue title to the correct form). |
I didn't mention that package because it's not listed in this issue. However, the CL for it has been merged and will be in the next release. |
|
It is explciitly noted in the issue linked in the OP. |
This is a refiling of an issue that was opened before go.dev issues were handled in the open (#35595).
The underlying cause appears to be google/licensecheck#6 and possibly in some cases google/licensecheck#4.
The text was updated successfully, but these errors were encountered: