Dependency check of the tidy tool should verify the license #62618
Labels
A-testsuite
Area: The testsuite used to check the correctness of rustc
C-enhancement
Category: An issue proposing an enhancement or a PR with one.
T-infra
Relevant to the infrastructure team, which will review and decide on the PR/issue.
Comments
jonas-schievink
added
A-testsuite
Manishearth
added a commit
to Manishearth/rust
that referenced
this issue
Mar 17, 2020
…mulacrum tidy: Better license checks. This implements some improvements to the license checks in tidy: * Use `cargo_metadata` instead of parsing vendored crates. This allows license checks to run without vendoring enabled, and allows the checks to run on PR builds. * Check for stale entries. * Check that the licenses for exceptions are what we think they are. * Verify exceptions do not leak into the runtime. Closes rust-lang#62618 Closes rust-lang#62619 Closes rust-lang#63238 (I think) There are some substantive changes here. The follow licenses have changed from the original comments: * openssl BSD+advertising clause to Apache-2.0 * pest MPL2 to MIT/Apache-2.0 * smallvec MPL2 to MIT/Apache-2.0 * clippy lints MPL2 to MIT OR Apache-2.0
Centril
added a commit
to Centril/rust
that referenced
this issue
Mar 19, 2020
…mulacrum tidy: Better license checks. This implements some improvements to the license checks in tidy: * Use `cargo_metadata` instead of parsing vendored crates. This allows license checks to run without vendoring enabled, and allows the checks to run on PR builds. * Check for stale entries. * Check that the licenses for exceptions are what we think they are. * Verify exceptions do not leak into the runtime. Closes rust-lang#62618 Closes rust-lang#62619 Closes rust-lang#63238 (I think) There are some substantive changes here. The follow licenses have changed from the original comments: * openssl BSD+advertising clause to Apache-2.0 * pest MPL2 to MIT/Apache-2.0 * smallvec MPL2 to MIT/Apache-2.0 * clippy lints MPL2 to MIT OR Apache-2.0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, in the dependency-check of the tidy tool, dependencies having an incompatible license are white-listed, and the actual license is documented in a comment.
Instead, the actual license should be documented in code, and the tool should check that the license is actually correct. When updating dependencies, the license might silently change into an incompatible one, and right now we don't detect this.
The text was updated successfully, but these errors were encountered: