Querying a package's license (and from its dependencies) ?

[cesss]

I don't know if this is planned for a future release, or if it's totally discarded, or if it was never discussed (in this later case, please considering adding it to possible future features).

I'm searching for a multi-OS source code package manager, but I need to have a command that lists all the licenses from a given package and its dependencies.

[citibeth]

We had this discussion recently. It's easy to come up with technical solutions. The problem is, nobody wants to be (legally) responsible for maintaining it.

The only sure way to determine the license of a package is from the tarball. There is no standard; but I'm sure a heuristic could be invented that works in many cases (i.e. look for files like LICENSE, LICENSE.txt, etc). If the Spack Install proceudre were updated to look for licenses and archive them in the install directory, then the command you want would be easy.

The corollary of this is, it would be harder to know license information BEFORE a package is installed --- because the only reliable license information comes from the tarball being installed.

[scheibelp]

Support for this is not currently available but likely to be easy with Spack: you can concretize a spec and then stage all of the packages in the DAG (which just unpacks the source); at that point the Stage provides the path which you can search for files like LICENSE.

I don't think anyone would be legally responsible if they offered a solution, and it could probably be pretty easy for the system to report when it's not sure about the license. If it's important to quickly identify them (e.g. BSD 2-clause) you could also "grep" for content (or do the license files have a consistent hash?) but those are details outside of Spack.

Collecting the license file from the stage may be more reliable than from the install directory - do packages generally install the license file? #7760 was added recently which could also potentially be used to save a license file in the Spack installation directory.

[citibeth]

Here is a recent discussion on licenses:

https://groups.google.com/forum/#!searchin/spack/license%7Csort:date/spack/Fu0Y2JhJ_nQ/epzVRGGQCAAJ

My point is... if Spack is going to report on the license of a particular package, then we should make sure it's correct. If Spack is not correct, then people who care about the licenses will have to manually check them anyway.

I like @scheibelp's idea. Maybe packages need a new phase for license extraction?

[cesss]

Given that it's not implemented yet, you have the chance of doing it right, so I think it's a good idea that you discuss it so that you arrive to a good conclusion (even if that conclusion would be not implementing it).

If you want my opinion, I don't think an automatic approach is possible: Note that the new trend in town is dual-licensing schemes (search GitHub and you'll find quite a few projects that let the user decide whether to choose GPL or MIT at their choice... I don't think you can support dual licensing automatically by just unpacking the code and searching for copyright messages). This is just an example, but anyway my mind says that an automatic approach is not possible.