inconsistent license usage

[dch]

Currently there is no alignment on license names within hexpm. For example, the templates in hex docs refer to "the Apache license" which doesn't exist -- there's the Apache 1.0, 1.1, and far more common 2.0 version. Imprecision in licenses is not a feature, especially if the full license text is not embedded in the package.

1. Would it make sense to refer users to a published list of licenses?
2. Perhaps even teach hex to warn if the chosen license cannot be found in e.g. the spdx list?

I'm happy to PR suitable changes.

The SPDX License List is a list of commonly found licenses and exceptions used in free and open source and other collaborative software or documentation. The purpose of the SPDX License List is to enable easy and efficient identification of such licenses and exceptions in an SPDX document, in source files or elsewhere. The SPDX License List includes a standardized short identifier, full name, vetted license text including matching guidelines markup as appropriate, and a canonical permanent URL for each license and exception.

SPDX is rapidly gaining acceptance to provide machine-readable interfaces to license metadata:

.o0O ideally we could use a Mix task in future to list the licenses of dependent packages...

[dch]

BTW most of the relevant policy today lives here

[ericmj]

Would it make sense to refer users to a published list of licenses?

We can refer to the SPDX list and recommend using an OSI approved license.

Perhaps even teach hex to warn if the chosen license cannot be found in e.g. the spdx list?

We can validate this on the server side. We can enforce using the shorthand identifier that spdx lists.

ideally we could use a Mix task in future to list the licenses of dependent packages...

I think there are already tools for this in the wild.

BTW most of the relevant policy today lives here

Good find, I don't think the policy needs to change, at least initially.

[garthk]

Existing Mix task by @hauleth: https://github.com/hauleth/licensir

While it’s possible to check server side, I’d appreciate also checking client side to provide clear license metadata for projects that, for whatever reason, the author has chosen not to publish on Hex.

Please also ensure there’s a clear way to express “not open source” and warn if it doesn’t match other properties e.g. lack of organisation to make it private on Hex.

If you’re worried about confusion between whatever someone typed into the license field and an explicit SPDX assignment, the SPDXID: prefix is ugly, but would unambiguously mark the identifier. I’m not a fan, but calling it out in case it’s useful or necessary.

[hauleth]

@garthk while I appreciate mentioning me, it is the project of @unnawut, I just wanted to write license linter that will reject unknown licenses (for example for legal reasons you want to disallow some licenses like GPL).