Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Copyleft licenses are exempted from deny by default #602

Closed
JonathanWoollett-Light opened this issue Feb 7, 2024 · 0 comments · Fixed by #611
Closed

Bug: Copyleft licenses are exempted from deny by default #602

JonathanWoollett-Light opened this issue Feb 7, 2024 · 0 comments · Fixed by #611
Labels
bug Something isn't working

Comments

@JonathanWoollett-Light
Copy link

Describe the bug

When an allow list of licenses is specified e.g.

[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016"
]

it should deny all licenses not in the list.

Current behavior denies all licenses outside the list, except copyleft licenses.

Thus to also deny copyleft licenses requires:

copyleft = "deny"

This is misleading behavior and a trap by which crates might accidentally introduce copyleft dependencies.

To reproduce

Run cargo deny check licenses with a licenses allow list with a dependency with a licenses that is GPL-2.0 but not in the allow list and see it passes.

cargo-deny version

cargo-deny 0.14.11

What OS were you running cargo-deny on?

Linux

Additional context

A similar concern #354 (comment)
@JonathanWoollett-Light JonathanWoollett-Light added the bug Something isn't working label Feb 7, 2024
@Jake-Shadle Jake-Shadle mentioned this issue Feb 21, 2024
Merged
Jake-Shadle added a commit that referenced this issue Feb 21, 2024
@Jake-Shadle
Deprecate several fields (#606)
800c768 
This PR deprecates several fields which will be removed in a future
update. I'll explain in detail why below, but the TLDR is that
cargo-deny surfaces several configuration options that were added
because we _could_, but not necessarily because they are useful in
practice.

## Licenses

###
[`deny`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-and-deny-fields-optional)

This field was only added for consistency with `[bans]` but makes no
sense for `[licenses]`, if a license you don't explicitly allow is used
it is implicitly denied.

###
[`copyleft`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-copyleft-field-optional)

There is no reason to treat these differently from any other license, if
it's not explicitly allowed it should be denied, and it just adds
confusion due to the terrible default.

See: #602
See: #354

###
[`allow-osi-fsf-free`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-osi-fsf-free-field-optional)

Similarly to copyleft, this field just makes no sense and was only added
because the SPDX metadata allowed us to query this information.

###
[`default`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-default-field-optional)

This was added so that users could just ignore/warn all their
dependencies not following the set of allowed licenses, but just isn't
much value. Even in large projects with literally hundreds of external
dependencies the set of licenses that need to be allowed are relatively
small compared to the total set of licenses in SPDX due to the Rust
ecosystem generally using only a handful of licenses, with rare
exceptions.

###
[`unlicensed`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-unlicensed-field-optional)

Crates that don't specify a license via `[package.license/license-file]`
or have a license file in their package source are incredibly rare, and
there is already a
[mechanism](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-clarify-field-optional)
to provide/override license information for those rare crates.

## Advisories

### Blanket

-
[`vulnerability`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-vulnerability-field-optional)
-
[`unmaintained`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional)
-
[`unsound`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unsound-field-optional)
-
[`notice`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-notice-field-optional)

There's no need to blanket handle any of these specific advisory types,
there just aren't enough advisories (currently, this could change in the
future) that a typical workspace will encounter that they can't be
handled explicitly via `ignore`.

See: #449

###
[`severity-threshold`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-severity-threshold-field-optional)

This optional field is available in rustsec advisories, but provides no
real value as it's just flavor on top of a reported vulnerability, but
doesn't fundamentally change that it is a vulnerability, and can either
be ignored or better yet, updated to a version without the
vulnerability.
@Jake-Shadle Jake-Shadle mentioned this issue Feb 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add version = 2 EmbarkStudios/cargo-deny
1 participant
@JonathanWoollett-Light