EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀

Home Page:http://embark.rs


Bug: adding 'version=2' makes license checks start failing.

eric-seppanen opened this issue · comments

Describe the bug

I upgraded my deny.toml to use version = 2 in the [licenses] section.

After making that change, a new failure appears, due to the license string "LGPL-2.1-or-later WITH GCC-exception-2.0" in the systemd crate:

error[rejected]: failed to satisfy license requirements
  ┌─ systemd 0.10.0 (registry+https://github.com/rust-lang/crates.io-index):4:12
  │
4 │ license = "LGPL-2.1-or-later WITH GCC-exception-2.0"
  │            ^^^^^^^^^^^^^^^^^-----------------------
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license was not explicitly allowed
  │
  = LGPL-2.1 - GNU Lesser General Public License v2.1 only:
  =   - **DEPRECATED**
  =   - OSI approved
  =   - FSF Free/Libre
  =   - Copyleft
  = systemd v0.10.0
    └── license-test v0.1.0

I have tried allowing LGPL-2.1, and that fails with the same message. I also tried LGPL-2.1-or-later WITH GCC-exception-2.0, LGPL-2.1-or-later, LGPL-2.1+, but those appear to be the wrong syntax.

I have read through #606 and #611, and I wasn't able to figure out why this behavior changed.

To reproduce

A small project that shows the problem:

deny.toml

[licenses]
# Uncomment to see the problem
#version = 2

# List of explicitly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
    "MIT",
    "Unicode-DFS-2016",
    "Unlicense",
]

Cargo.toml

[package]
name = "license-test"
version = "0.1.0"
edition = "2021"
license = "MIT"

[dependencies]
systemd = "0.10.0"

cargo-deny version

cargo-deny 0.14.16

What OS were you running cargo-deny on?

Linux

Additional context

No response

I found a string that works: LGPL-2.1-or-later WITH GCC-exception-2.0 -> LGPL-2.1 WITH GCC-exception-2.0, though I'm not sure if I was supposed to add + to reflect the -or-later part.

I'm still puzzled why the behavior changed when I added version = 2.

This is documented. As are the annoyances with GPLish licenses.

I have read that documentation, and I'm afraid I don't understand which part of the version = 2 changes trigger different behavior with this license. Can you clarify?

Copyleft licenses are warn by default before setting version = 2

Thanks for the clarification. I was going back through my output when I figured out part of my problem: I was confused because license warnings don't look the same as license deny errors.

My naive expectation is that a license warning and a license error would look similar, but one would fail the check and the other wouldn't.

A license warning says warning[accepted]: license requirements satisfied which I found (and still find) kind of misleading. It seems to be asserting something that's not true! The license requirements were not satisfied.

That was one of the issues that this deprecation is addressing.
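For readers migrating their own config, this is an added deny.toml example (not from the issue or the cargo-deny project) that combines the reporter's version = 2 upgrade with the allow entry they found to work; the comment about the pre-version-2 copyleft setting reflects the thread's "warn by default" remark and assumes the older schema's copyleft key.

```toml
# deny.toml: version = 2 layout for the license-test reproduction above.
# Before version = 2 the [licenses] table had a separate copyleft setting
# (assumed here to be the old `copyleft = "warn"` default), so the systemd
# crate's LGPL expression only produced warning[accepted] output.
# With version = 2 that category is gone: every license expression must be
# matched by an entry in `allow`, otherwise the check fails with error[rejected].
[licenses]
version = 2

allow = [
    "MIT",
    "Unicode-DFS-2016",
    "Unlicense",
    # systemd 0.10.0 declares "LGPL-2.1-or-later WITH GCC-exception-2.0".
    # The allow entry is written without "-or-later", as reported in the thread;
    # the exception must be included for the expression to be satisfied.
    "LGPL-2.1 WITH GCC-exception-2.0",
]
```

Run `cargo deny check licenses` in the reproduction project to confirm the error[rejected] output disappears once the entry is present.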