
Replace <PackageLicenseFile> with <PackageLicenseExpression> #6645

Open
szimmer-dap opened this issue May 3, 2023 · 2 comments
Labels
Build Build related issue enhancement New feature or request
Milestone

Comments

@szimmer-dap

Hi there!

Is your feature request related to a problem? Please describe.
We are currently adapting a package approval workflow, where packages are approved or blocked based on certain criteria. One very important criterion is the package's license. There is a list of approved licenses (like MIT, Apache, BSD, ...) and a list of licenses that can not be used (like GPL).

Although the Microsoft.ML Nuget packages are under MIT license, it's hard to auto-approve them, because they use an embedded license file instead of an SPDX tag (https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-list/). As a result, the license does not show up in the package's metadata (compare e.g. the "About" page of https://www.nuget.org/packages/Microsoft.ML with https://www.nuget.org/packages/Microsoft.Data.SqlClient, where the latter clearly states the package's license, while Microsoft.ML does not).

Describe the solution you'd like
Would you consider using an SPDX license expression? Basically, all that is needed is replacing the line
<PackageLicenseFile>LICENSE.txt</PackageLicenseFile>
with
<PackageLicenseExpression>MIT</PackageLicenseExpression>
in all *.csproj or *.props files (or whatever mechanism generates the corresponding *.nuspec file). The LICENSE file can still remain in the package, just the metadata would change. The corresponding .nuspec file should then change the line
<license type="file">LICENSE.txt</license>
to
<license type="expression">MIT</license>

This would be a huge help for us, because with embedded license files we have to manually check and approve every single version of every package.

Describe alternatives you've considered
The alternative would be for us to download every package, manually check the content of each embedded LICENSE file, make sure that it is in fact an approved license, and then manually allow the package. This would have to be done for every release of every package without an SPDX license tag.

Additional context
The dotnet / runtime repo seems to already use license expressions (and apparently uses an additional <LicenseFile>).
The microsoft / MSBuildSdks repo switched to license expressions about two years ago, following the recommendations provided in Microsoft's .nuspec reference.
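
As an added example (not code from the ML.NET project or from the issue author), a check of the kind the approval workflow above needs, written in Python: it reads the <license> element of a .nuspec, auto-decides only SPDX expressions, and routes type="file" packages to manual review. The allow/deny lists and the two nuspec fragments are constructed placeholders.

```python
# Added example for this thread (not ML.NET or NuGet code): auto-approve a NuGet
# package from its .nuspec <license> element. The SPDX allow/deny lists below are
# constructed policy placeholders, not a recommendation.
import xml.etree.ElementTree as ET

APPROVED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
BLOCKED = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}

# Constructed nuspec fragments mirroring the before/after described in the issue.
NUSPEC_FILE = '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">' \
    '<metadata><id>Example.Pkg</id><license type="file">LICENSE.txt</license></metadata></package>'
NUSPEC_EXPR = NUSPEC_FILE.replace('<license type="file">LICENSE.txt</license>',
                                  '<license type="expression">MIT</license>')

def license_metadata(nuspec_xml):
    """Return (type, value) of the <license> element, ignoring the schema namespace."""
    for elem in ET.fromstring(nuspec_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "license":
            return elem.get("type"), (elem.text or "").strip()
    return None, None

def evaluate_expression(expr):
    """'A OR B' passes if one branch passes; 'A AND B' needs every id approved.
    Parentheses and WITH exceptions are not parsed here and go to a human."""
    if "(" in expr or " WITH " in expr:
        return "manual-review"
    results = []
    for branch in expr.split(" OR "):
        ids = branch.split(" AND ")
        if any(i in BLOCKED for i in ids):
            results.append("blocked")
        elif all(i in APPROVED for i in ids):
            results.append("approved")
        else:
            results.append("manual-review")
    if "approved" in results:
        return "approved"
    return "blocked" if all(r == "blocked" for r in results) else "manual-review"

def decide(nuspec_xml):
    """Only a machine-readable SPDX expression can be auto-decided; an embedded
    license file (or no <license> at all) always needs a manual check."""
    ltype, value = license_metadata(nuspec_xml)
    if ltype == "expression" and value:
        return evaluate_expression(value)
    return "manual-review"

if __name__ == "__main__":
    print("type=file       ->", decide(NUSPEC_FILE))  # manual-review
    print("type=expression ->", decide(NUSPEC_EXPR))  # approved
```

A .nupkg is a zip archive with the .nuspec at its root, so the same `decide()` can be fed the extracted file directly.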

@szimmer-dap szimmer-dap added the enhancement New feature or request label May 3, 2023
@ghost ghost added the untriaged New issue has not been triaged label May 3, 2023
@michaelgsharp michaelgsharp added this to the ML.NET 3.0 milestone May 3, 2023
@ghost ghost removed the untriaged New issue has not been triaged label May 3, 2023
@michaelgsharp
Member

@szimmer-dap Thanks for pointing this out. We will make sure to get this fixed by the next full release.

@michaelgsharp michaelgsharp added the Build Build related issue label May 3, 2023
@szimmer-dap
Author

Looks like this was resolved with PR #6674.
NuGet.org now correctly shows MIT as license for Microsoft.ML starting with 3.0.0-preview.23266.6.

I think this issue can be closed. Thanks for resolving this!
