check-license requires all instead of only one when license is an array #18

Open
SunMar opened this issue Sep 14, 2021 · 0 comments

SunMar commented Sep 14, 2021

Hi,

Today I ran into an issue when the license of a package is an array. In the composer.json documentation the following is said about using an array for the license:

For a package, when there is a choice between licenses ("disjunctive license"), multiple can be specified as array.

So you can choose which license you want to use. Based on that my expectation would be that the check-license guard will consider the license of a package valid if at least one of its licenses is allowed via accept-license:. However it seems right now that the check-license guard is instead requiring that all the licenses in the array are allowed via accept-license:.

This creates a problem with for example the nette/utils package which allows you to use either a BSD 3-Clause, GPL 2.0 or GPL 3.0 license. If you don't want to allow GPL, but are fine with BSD 3-Clause, the guard (incorrectly) blocks the package from installing. This also prevents you from installing Laravel because nette/utils is an indirect dependency for Laravel.

A quick way to reproduce is to start a docker container using `docker run -it --rm php:8.0-cli bash -l` and then running:

```bash
# Tools needed for the repro: git/unzip for composer, jq + sponge (moreutils) to edit composer.json in place
apt-get update -qq
apt-get install -qq -y git unzip jq moreutils > /dev/null
curl -s -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar
chmod +x /usr/local/bin/composer
mkdir -p /app
cd /app
composer require --quiet --dev kalessil/production-dependencies-guard:dev-master

echo -e "\n==========> nette/utils is rejected even though BSD-3-Clause is an accepted license\n"
jq '. * {"extra":{"production-dependencies-guard":["check-license","accept-license:BSD-3-Clause"]}}' composer.json | sponge composer.json
jq '.' composer.json
composer require --quiet nette/utils

echo -e "\n==========> nette/utils is allowed because we're accepting all three licenses BSD-3-Clause, GPL-2.0-only and GPL-3.0-only\n"
jq '. * {"extra":{"production-dependencies-guard":["check-license","accept-license:BSD-3-Clause","accept-license:GPL-2.0-only","accept-license:GPL-3.0-only"]}}' composer.json | sponge composer.json
jq '.' composer.json
composer require --quiet nette/utils

echo -e "\n==========> laravel/framework is not allowed with check-lock-file because it depends on nette/utils even though we are allowing the minimum licenses needed\n"
jq '. * {"extra":{"production-dependencies-guard":["check-lock-file","check-license","accept-license:MIT","accept-license:BSD-3-Clause","accept-license:Apache-2.0"]}}' composer.json | sponge composer.json
jq '.' composer.json
composer require --quiet laravel/framework
```
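The semantics the issue asks for, as an added example that is not part of the plugin or of the issue: a small Python checker that reads a `composer.lock` document (a constructed excerpt is embedded inline, not real lock data), normalises Composer's `license` field (string or array) and applies the disjunctive "any accepted license suffices" rule, with the conjunctive "all must be accepted" rule kept side by side to show how it wrongly rejects nette/utils.

```python
import json

# Constructed composer.lock excerpt (not real lock data): nette/utils declares a
# disjunctive license array, laravel/framework a single-element array, and a
# hypothetical package a plain string, which Composer also allows.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nette/utils", "license": ["BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-only"]},
        {"name": "laravel/framework", "license": ["MIT"]},
        {"name": "example/single", "license": "Apache-2.0"},
    ]
})


def package_licenses(package):
    """Normalise Composer's license field, which may be a string or a list."""
    lic = package.get("license", [])
    return [lic] if isinstance(lic, str) else list(lic)


def is_allowed(licenses, accepted, disjunctive=True):
    """Disjunctive (Composer's meaning of an array): any accepted license suffices.
    The conjunctive variant is the behaviour the issue reports as a bug.
    A package with no declared license is never allowed."""
    if not licenses:
        return False
    check = any if disjunctive else all
    return check(lic in accepted for lic in licenses)


def rejected_packages(lock_json, accepted, disjunctive=True):
    """Return names of packages in a composer.lock document that fail the check."""
    lock = json.loads(lock_json)
    accepted = set(accepted)
    return [p["name"] for p in lock.get("packages", [])
            if not is_allowed(package_licenses(p), accepted, disjunctive)]


if __name__ == "__main__":
    acc = ["MIT", "BSD-3-Clause", "Apache-2.0"]
    print("any-of:", rejected_packages(SAMPLE_LOCK, acc))         # []
    print("all-of:", rejected_packages(SAMPLE_LOCK, acc, False))  # ['nette/utils']
```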
SunMar mentioned this issue Jul 3, 2022