Replace <PackageLicenseFile> with <PackageLicenseExpression> #988
Comments
@szimmer-dap -- thanks for the suggestion! We'll look into doing that for the next release.
@tarekgh, @michaelgsharp -- your thoughts?
@richlander may advise better here.
@NiklasGustafsson we decided to do this on the ML.NET side. License stays the same, same file is still added to the nuget package, it just adds metadata that it's an MIT license instead of just that we include a license file.
Fantastic, then that's what we'll do! Thanks for the suggestion, @szimmer-dap. We'll get this into the next release.
This was addressed by PR #990
However, the libtorch-* packages will not have this configuration until we upgrade to the next version of the backend.
@szimmer-dap -- TorchSharp/Audio/Vision v0.100.0 and libtorch-* v2.0.1.1 now have this functionality, with the license in an expression rather than a file.
Hi there!
Is your feature request related to a problem? Please describe.
We are currently adapting a package approval workflow, where packages are approved or blocked based on certain criteria. One very important criterion is the package's license. There is a list of approved licenses (like MIT, Apache, BSD, ...) and a list of licenses that cannot be used (like GPL).
Although the TorchSharp Nuget packages are under MIT license, it's hard to auto-approve them, because they use an embedded license file instead of an SPDX tag (https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-list/). As a result, the license does not show up in the package's metadata (compare e.g. the "About" page of https://www.nuget.org/packages/TorchSharp with https://www.nuget.org/packages/Microsoft.Data.SqlClient, where the latter clearly states the package's license, while TorchSharp does not).
Describe the solution you'd like
Would you consider using an SPDX license expression? Basically, all that is needed is replacing the line
<PackageLicenseFile>LICENSE-LIBTORCH.txt</PackageLicenseFile>
with
<PackageLicenseExpression>MIT</PackageLicenseExpression>
in all *.csproj or *.props files (or whatever mechanism generates the corresponding *.nuspec file). The LICENSE-LIBTORCH.txt file can still remain in the package, just the metadata would change. The corresponding .nuspec file should then change the line
<license type="file">LICENSE-LIBTORCH.txt</license>
to
<license type="expression">MIT</license>
This would be a huge help for us, because with embedded license files we have to manually check and approve every single version of every package.
Describe alternatives you've considered
The alternative would be for us to download every package, manually check the context of each embedded LICENSE file, make sure that it is in fact an approved license, and then manually allow the package. This would have to be done for every release of every package without an SPDX license tag.
Additional context
The dotnet / runtime repo seems to already use license expressions (and apparently use an additional ).
The microsoft / MSBuildSdks repo switched to license expressions about two years ago, following the recommendations provided in Microsoft's .nuspec reference.
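Added example, not part of the original issue or the TorchSharp project's code: a sketch of the approval gate the request describes, showing why `<license type="file">` forces manual review while `<license type="expression">` can be decided automatically. The policy lists, the `classify` and `sample_nuspec` names, and the sample .nuspec documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed policy lists for illustration; a real workflow supplies its own.
APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause"}
BLOCKED = {"GPL-2.0-only", "GPL-3.0-only"}

def sample_nuspec(license_element):
    """Build a constructed, minimal .nuspec around one <license> element."""
    return (
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        "<metadata><id>Example.Package</id><version>1.0.0</version>"
        f"{license_element}</metadata></package>"
    )

def classify(nuspec_xml):
    """Return (decision, detail) for one .nuspec document."""
    root = ET.fromstring(nuspec_xml)
    # Match on the local tag name, since the nuspec schema URI varies.
    lic = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "license"), None)
    if lic is None:
        return "manual-review", "no <license> element"
    kind = lic.get("type", "")
    value = (lic.text or "").strip()
    if kind == "file":
        # A file name says nothing about the terms; a human must read the file.
        return "manual-review", f"embedded license file {value}"
    if kind != "expression":
        return "manual-review", f"unknown license type {kind!r}"
    # Only a single SPDX identifier is auto-decided; compound expressions
    # (AND / OR / WITH) go to a human rather than being guessed at.
    if value in APPROVED:
        return "approve", value
    if value in BLOCKED:
        return "block", value
    return "manual-review", f"expression {value!r} not on either list"

if __name__ == "__main__":
    for lic in ('<license type="file">LICENSE-LIBTORCH.txt</license>',
                '<license type="expression">MIT</license>'):
        print(lic, "->", classify(sample_nuspec(lic)))
```

The expression is metadata declared by the package publisher, so a gate like this automates triage and does not verify the license text shipped inside the package.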