
fix(license): restore canonical Apache 2.0 LICENSE + add NOTICE#88

Merged
KaluJo merged 1 commit into main from fix/license-apache-2-canonical on May 18, 2026

Conversation

@KaluJo KaluJo commented May 18, 2026

Summary

GitHub shows the cli repo's license as "Other" instead of
Apache-2.0 because LICENSE contains dozens of substantive wording
deviations from the canonical text — the kind of drift you get from
running an Apache 2.0 file through a reformatter at some point. This
PR replaces it with the verbatim upstream text and moves the
project's actual copyright assertion into a dedicated NOTICE file.

Root cause

A diff of the previous LICENSE against apache.org/licenses/LICENSE-2.0.txt
surfaces wording changes like:

| Canonical Apache 2.0 | Previous cli/LICENSE |
| --- | --- |
| "Contribution" shall mean any work | "Contribution" shall mean, as defined in Section 5, any work |
| consequential damages | exemplary damages |
| Accepting Warranty or Additional Liability | Accepting Warranty or Liability |
| you may act only on Your own behalf | you may offer such obligations only on Your own behalf |
| APPENDIX: How to apply the Apache License... (full section) | (entirely missing) |

GitHub's license detector (Licensee)
needs a high-similarity match against canonical SPDX text and
correctly fell back to NOASSERTION ("Other") for this file:

$ gh api repos/pcr-developers/cli --jq '.license'
{"key":"other","name":"Other","spdx_id":"NOASSERTION","url":null}

Beyond the detection issue, the deviations are a real legal-hygiene
problem: a reformatted Apache 2.0 is not Apache 2.0, it's a license
that looks like it. Anyone reading LICENSE was getting a slightly
different agreement than the one declared by Cargo.toml's
license = "Apache-2.0" SPDX identifier.

What this PR does

  1. Replaces LICENSE with the verbatim
    https://www.apache.org/licenses/LICENSE-2.0.txt (11,358 bytes,
    202 lines, byte-identical to upstream).

  2. Adds a NOTICE file that carries the project's copyright
    assertion (Copyright 2026 PCR.dev). This is the location
    defined by Apache 2.0 §4(d):

    If the Work includes a "NOTICE" text file as part of its
    distribution, then any Derivative Works that You distribute must
    include a readable copy of the attribution notices contained
    within such NOTICE file...

    The NOTICE pattern keeps the LICENSE file detectable AND
    preserves attribution properly. Most major Apache-licensed
    projects use this split (kubernetes, terraform, hashicorp tools,
    ASF projects).

Verification

$ diff <(curl -s https://www.apache.org/licenses/LICENSE-2.0.txt) LICENSE
# (no output — byte-identical)

$ wc -lc LICENSE
     202   11358 LICENSE

After this lands on main, GitHub re-scans within a few minutes and
the repo sidebar should flip from "Other" to "Apache-2.0". I'll
verify post-merge.

Out of scope

  • homebrew-pcr/LICENSE currently detects as MIT on GitHub
    despite obviously containing Apache 2.0 text — that's a separate
    detection quirk (probably due to a stray pattern Licensee
    fingerprints). Tracking that for a follow-up; this PR focuses on
    the cli repo since that's the user-facing one with Cargo.toml
    and package.json declaring Apache-2.0.
  • Cargo.toml already has license = "Apache-2.0" (valid SPDX),
    same for crates/pcr-napi/package.json — no changes needed.

Test plan

  • diff against upstream returns empty
  • LICENSE size matches upstream exactly (11358 bytes)
  • NOTICE reads as a proper attribution file (not a license)
  • Post-merge: GitHub re-detects as Apache-2.0 (will verify
    via gh api repos/pcr-developers/cli --jq '.license')

Made with Cursor
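An added consistency check (not code from the PR or the pcr project) that automates the test plan above offline: it verifies a LICENSE file's byte and line counts against the upstream figures quoted in the PR (11,358 bytes / 202 lines), flags a dated copyright line that should live in NOTICE instead, and confirms Cargo.toml and package.json both declare the same SPDX identifier. The manifests and LICENSE text it runs on are constructed stand-ins, so the size check is expected to fire on the short sample.

```python
import hashlib
import json
import re
from typing import List, Optional

# Figures the PR quotes for the canonical Apache-2.0 text.
EXPECTED_SPDX = "Apache-2.0"
EXPECTED_BYTES = 11358
EXPECTED_LINES = 202

# Constructed sample manifests (not the pcr project's real files).
SAMPLE_CARGO_TOML = """[workspace.package]
version = "0.3.0"
license = "Apache-2.0"
"""
SAMPLE_PACKAGE_JSON = '{"name": "sample-napi", "license": "MIT"}'


def cargo_license(cargo_toml: str) -> Optional[str]:
    """Return the first `license = "..."` value in a Cargo.toml, or None."""
    m = re.search(r'^\s*license\s*=\s*"([^"]+)"', cargo_toml, re.MULTILINE)
    return m.group(1) if m else None


def package_json_license(package_json: str) -> Optional[str]:
    """Return the "license" field of a package.json, or None."""
    return json.loads(package_json).get("license")


def license_sha256(license_text: bytes) -> str:
    """Digest to pin in CI once LICENSE has been verified against upstream."""
    return hashlib.sha256(license_text).hexdigest()


def check_license_consistency(license_text: bytes, cargo_toml: str,
                              package_json: str) -> List[str]:
    """Return findings; an empty list means LICENSE and both manifests agree."""
    findings = []
    size, lines = len(license_text), license_text.count(b"\n")  # same as wc -lc
    if (size, lines) != (EXPECTED_BYTES, EXPECTED_LINES):
        findings.append(f"LICENSE is {size} bytes / {lines} lines, "
                        f"expected {EXPECTED_BYTES} / {EXPECTED_LINES}")
    # A dated copyright line inside LICENSE is the kind of local edit that
    # belongs in NOTICE; the canonical appendix placeholder "[yyyy]" does not match.
    if re.search(rb"^\s*Copyright \d{4}", license_text, re.MULTILINE):
        findings.append("LICENSE carries a project copyright line; move it to NOTICE")
    declared = (("Cargo.toml", cargo_license(cargo_toml)),
                ("package.json", package_json_license(package_json)))
    for name, spdx in declared:
        if spdx != EXPECTED_SPDX:
            findings.append(f"{name} declares {spdx!r}, expected {EXPECTED_SPDX!r}")
    return findings
```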

The previous `LICENSE` had dozens of substantive wording deviations
from the canonical Apache 2.0 text — the kind of drift you get from
running the license through a reformatter at some point. Examples
caught by `diff` against `https://www.apache.org/licenses/LICENSE-2.0.txt`:

  - `"Contribution" shall mean any work` → `"Contribution" shall
    mean, as defined in Section 5, any work`  (invalid cross-ref)
  - `consequential damages` → `exemplary damages`  (changed term)
  - `Accepting Warranty or Additional Liability` → `Accepting
    Warranty or Liability`  (dropped "Additional" — different
    clause name)
  - `you may act only on Your own behalf` → `you may offer such
    obligations only on Your own behalf`  (restructured clause)
  - The entire `APPENDIX: How to apply the Apache License to your
    work` section was missing.

GitHub's license detector (Licensee) requires high-similarity match
against the canonical text and correctly fell back to `NOASSERTION`
("Other") for this file. From a legal-hygiene standpoint the
deviations are also a real problem: a reformatted Apache 2.0 is
*not* Apache 2.0, just a license that looks like it.

Fix: replace `LICENSE` with the verbatim
`https://www.apache.org/licenses/LICENSE-2.0.txt` (11,358 bytes,
202 lines, byte-identical to upstream).

The project's actual copyright assertion ("Copyright 2026 PCR.dev")
moves into a new `NOTICE` file, which is the Apache 2.0-defined
location for it (Section 4(d): "If the Work includes a 'NOTICE' text
file as part of its distribution…"). This keeps the LICENSE
detectable AND preserves the copyright attribution.

`Cargo.toml` (`license = "Apache-2.0"`) and `crates/pcr-napi/package.json`
(`"license": "Apache-2.0"`) already use the SPDX identifier
correctly — no changes there.

Verification:

  $ diff <(curl -s https://www.apache.org/licenses/LICENSE-2.0.txt) LICENSE
  (no output)

After merge GitHub should re-scan the default branch and show
"Apache-2.0" instead of "Other" in the repo sidebar.

Made with [Cursor](https://cursor.com)

Co-authored-by: Cursor <cursoragent@cursor.com>
@KaluJo KaluJo merged commit afd9c04 into main May 18, 2026
2 checks passed
@KaluJo KaluJo deleted the fix/license-apache-2-canonical branch May 18, 2026 14:49
@KaluJo KaluJo mentioned this pull request May 18, 2026
KaluJo added a commit that referenced this pull request May 18, 2026
Bumps the workspace to 0.3.0 — the 0.x minor (rather than 0.2.10
patch) is motivated by the breaking signature change to
`pcr_core::config::pcr_dir()` from #86 (returns `Result<PathBuf>`
instead of `PathBuf`). The CLI surface (`pcr <cmd>` flags / exit
codes / output format) is unchanged.

Version touchpoints:

  * `Cargo.toml` workspace.package.version → 0.3.0
  * `crates/pcr-napi/package.json` version + all 4 optionalDependencies
  * `crates/pcr-napi/npm/{darwin-arm64,darwin-x64,linux-x64-gnu,
    win32-x64-msvc}/package.json` versions
  * `README.md` TUI mock version stamp
  * `CHANGELOG.md` `[Unreleased]` promoted to `[0.3.0] — 2026-05-18`
    with full release notes catalogued by PR (#85, #86, #87, #88)
    and grouped Added / Changed / Fixed / Tests.

Workspace verification:

  * `cargo fmt --all --check` clean
  * `cargo clippy --workspace --all-targets -- -D warnings` clean
  * `cargo test --workspace` — 153 passing, 0 failing (was 128 on
    the v0.2.9 baseline; +25 across the 4 merged PRs)
  * `cargo build -p pcr-cli --release` → `pcr 0.3.0 (rust)`

After this lands on `main`, the release commit is tagged `v0.3.0`
locally and pushed; that triggers the release workflow which
publishes npm + builds binaries + dispatches the homebrew formula
update.

Co-authored-by: Cursor <cursoragent@cursor.com>