cargo deny unknown license warnings #1487

Closed
ghost opened this issue Apr 17, 2022 · 7 comments

Comments


ghost commented Apr 17, 2022

cargo-deny is unable to figure out the license for ring and is generating warnings. The exit code is still 0, so CI should be fine for those using this, but it would be nice to clean up.

Any suggestions for resolving this?

$ cargo deny check
warning[L003]: ring = 0.16.20 is unlicensed
  ┌─ ring 0.16.20 (registry+https://github.com/rust-lang/crates.io-index):2:9
  │
2 │ name = "ring"
  │         ^^^^ a valid license expression could not be retrieved for the crate
3 │ version = "0.16.20"
4 │ license = ""
  │            - license expression was not specified
5 │ license-files = [
6 │     { path = "LICENSE", hash = 0xbd0eed23, score = 0.67, license = "OpenSSL" },
  │                                                    ---- low confidence in the license text
  │
  = ring v0.16.20
    ├── rustls v0.20.4
    │   └── ureq v2.4.0
    │       └── mycrate v0.1.0
    ├── sct v0.7.0
    │   └── rustls v0.20.4 (*)
    └── webpki v0.22.0
        ├── rustls v0.20.4 (*)
        ├── ureq v2.4.0 (*)
        └── webpki-roots v0.22.3
            └── ureq v2.4.0 (*)

advisories ok, bans ok, licenses ok, sources ok

jakswa commented Apr 19, 2022

Ran into this today as well. I am not a license guru so I'll just pile on here and hope it helps others. I'm going to figure out how to make an exception for this crate, since it seems like it's in ISC/MIT license territory. The license file seems large and complex though, so who knows?

ring/LICENSE

Lines 5 to 9 in 0f3bf00

*ring* is derived from BoringSSL, so the licensing situation in *ring* is
similar to BoringSSL.
*ring* uses an ISC-style license like BoringSSL for code in new files,
including in particular all the Rust code:


jakswa commented Apr 19, 2022

Ah, the generated deny.toml has "ring" as the example :D

My exception ended up being:

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 }
]

and I followed the helpful boilerplate in deny.toml to get there:

# Some crates don't have (easily) machine readable licensing information,
# adding a clarification entry for it allows you to manually specify the
# licensing information
#[[licenses.clarify]]
# The name of the crate the clarification applies to
#name = "ring"
# The optional version constraint for the crate
#version = "*"
# The SPDX expression for the license requirements of the crate
#expression = "MIT AND ISC AND OpenSSL"
# One or more files in the crate's source used as the "source of truth" for
# the license expression. If the contents match, the clarification will be used
# when running the license check, otherwise the clarification will be ignored
# and the crate will be checked normally, which may produce warnings or errors
# depending on the rest of your configuration
#license-files = [
    # Each entry is a crate relative path, and the (opaque) hash of its contents
    #{ path = "LICENSE", hash = 0xbd0eed23 }
#]

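A deny.toml that turns the warning-only result above into an enforced check, as an added example that is not part of this thread or of the cargo-deny template (the crate name, expression and LICENSE hash are the ones from the issue; the `allow` list, `copyleft` and threshold values are assumptions for a project that accepts those three licenses):

```toml
# deny.toml (added example, not from the thread). Assumes a project whose
# policy accepts MIT, ISC and OpenSSL-licensed dependencies and nothing else.
[licenses]
# A crate whose license cannot be resolved is a hard failure rather than a
# warning that leaves the exit code at 0 and lets CI pass silently.
unlicensed = "deny"
# Only these SPDX identifiers are accepted; any other license fails the check.
allow = ["MIT", "ISC", "OpenSSL"]
copyleft = "deny"
# ring's LICENSE matched "OpenSSL" at score 0.67 in the output above, below
# this threshold, which is why the crate was reported as unlicensed.
confidence-threshold = 0.8

# Manual clarification for ring. It is applied only while the crate's LICENSE
# file still hashes to the value cargo-deny printed; if a new ring release ships
# a different LICENSE, the clarification is ignored and the check fails again
# instead of silently passing on stale information.
[[licenses.clarify]]
name = "ring"
version = "*"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]
```
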

ghost commented Apr 19, 2022

@jakswa If this is not something that can be fixed here, would it be worth reporting to the cargo-deny project to solve more "officially"?


jakswa commented Apr 19, 2022

@jakswa If this is not something that can be fixed here, would it be worth reporting to the cargo-deny project to solve more "officially"?

If that question was directed at me, I would have to bow out 🙇. I'm not a contributor to either of these repos/tools. If things don't improve organically, it seems like cargo-deny has built a documented path to get around it, which I followed above.

@joshtriplett

Adding license = "ISC AND MIT AND OpenSSL" to Cargo.toml would solve this problem.

@andrewtj
Contributor

This is a dupe of #902.

@briansmith
Owner

OK, closing this as a duplicate of #902.
