-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
inconsistent license usage #746
Comments
BTW most of the relevant policy today lives here |
We can refer to the SPDX list and recommend using an OSI approved license.
We can validate this on the server side. We can enforce using the shorthand identifier that spdx lists.
I think there are already tools for this in the wild.
Good find, I don't think the policy needs to change, at least initially. |
Existing Mix task by @hauleth: https://github.com/hauleth/licensir While it’s possible to check server side, I’d appreciate also checking client side to provide clear license metadata for projects that, for whatever reason, the author has chosen not to publish on Hex. Please also ensure there’s a clear way to express “not open source” and warn if it doesn’t match other properties e.g. lack of If you’re worried about confusion between whatever someone typed into the |
Currently there is no alignment on license names within hexpm. For example, the templates in hex docs refer to "the Apache license" which doesn't exist -- there's the Apache 1.0, 1.1, and far more common 2.0 version. Imprecision in licenses is not a feature, especially if the full license text is not embedded in the package.
I'm happy to PR suitable changes.
SPDX is rapidly gaining acceptance to provide machine-readable interfaces to license metadata:
.o0O ideally we could use a Mix task in future to list the licenses of dependent packages...
The text was updated successfully, but these errors were encountered: