Issue 6043, 6044 - Enhance Rust and JS bundling and add SPDX licenses for both #6045

Merged
merged 1 commit into from
Jan 30, 2024


droideck
Member

Description: Update the generation script in 'rpm.mk' and 'bundle-rust-downstream.py' to include SPDX license information for combined JavaScript (npm) and Cargo dependencies.

Fixes: #6043
Fixes: #6044

Reviewed by: ?

@droideck droideck force-pushed the spdx_license branch 2 times, most recently from 8f9d39c to 5483c77 January 23, 2024 01:45
Member

@vashirov vashirov left a comment


I have Apache2 and Python-2.0 strings in the License field, which are not recognized by Fedora's license-validate tool. I think the first one should be converted to Apache-2.0, but the second one I couldn't find in https://gitlab.com/fedora/legal/fedora-license-data (is it PSF-2.0?). Is this the one from argparse?

@droideck
Member Author

> I have Apache2 and Python-2.0 strings in the License field, which are not recognized by Fedora's license-validate tool. I think the first one should be converted to Apache-2.0, but the second one I couldn't find in https://gitlab.com/fedora/legal/fedora-license-data (is it PSF-2.0?). Is this the one from argparse?

For Apache2, yep, it's Apache-2.0. They updated the value here - dominictarr/pause-stream@de6cb68 - 7 years ago, but I'm not sure when/if it will be released in npm. I've added a workaround.

And for argparse, I created an issue here https://gitlab.com/fedora/legal/fedora-license-data/-/issues/470 and I contacted the maintainer... For now, I think we would need to wait for the certainty that it's PSF-2.0.

P.S. a bit of interesting history shared by Richard Fontana:

"For background, CPython is notionally released under a "stack" of licenses consisting basically of the license corresponding to SPDX PSF-2.0 plus some legacy licenses associated with several past employers of Guido van Rossum. Such a stack of licenses was submitted years ago for approval by the Open Source Initiative, but it was apparently the wrong license (it's not clear it was ever used in precisely that form). Fedora discovered this problem shortly after the switch to SPDX identifiers in August 2022. So now SPDX has 'Python-2.0' (the OSI version of the CPython stack) and 'Python-2.0.1' (the real CPython license stack)."

@vashirov
Member

> For Apache2, yep, it's Apache-2.0. They updated the value here - dominictarr/pause-stream@de6cb68 - 7 years ago, but I'm not sure when/if it will be released in npm. I've added a workaround.

Likely never :) The repo is archived, and the whole package was replaced with a re-export of `through` dominictarr/pause-stream@4a6fe3d

pause-stream is required by event-stream, but it's also archived. It comes in our dependency tree from audit-ci and they have an open ticket to replace event-stream with something else IBM/audit-ci#315

audit-ci is used only at the build time, we don't ship it itself or any of the dependencies that it pulls. It doesn't modify any code, just stops the build pipeline. Do we still need to publish licenses for it and all of its dependencies in our spec file?

> And for argparse, I created an issue here https://gitlab.com/fedora/legal/fedora-license-data/-/issues/470 and I contacted the maintainer... For now, I think we would need to wait for the certainty that it's PSF-2.0.

Thanks, I added myself to the watchers list.

@droideck
Member Author

> > For Apache2, yep, it's Apache-2.0. They updated the value here - dominictarr/pause-stream@de6cb68 - 7 years ago, but I'm not sure when/if it will be released in npm. I've added a workaround.
>
> Likely never :) The repo is archived, and the whole package was replaced with a re-export of `through` dominictarr/pause-stream@4a6fe3d
>
> pause-stream is required by event-stream, but it's also archived. It comes in our dependency tree from audit-ci and they have an open ticket to replace event-stream with something else IBM/audit-ci#315
>
> audit-ci is used only at the build time, we don't ship it itself or any of the dependencies that it pulls. It doesn't modify any code, just stops the build pipeline. Do we still need to publish licenses for it and all of its dependencies in our spec file?

Actually, yes, we don't need it at all, as we run the audit-ci command using npx. I've created a separate PR for that - #6056

And I also checked how the Cockpit project does its bundles, and they actually run it only for production packages, so I've added the --production flag to my script.

Please review.
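
An added example (not the PR's bundle script and not either participant's code) of the handling discussed in this thread: skip build-time-only packages, apply the Apache2 workaround, and report identifiers a license validator would reject. The allow-list, package names and function names are constructed for illustration.

```python
import re

# Workaround table for non-SPDX strings found in package metadata.
# "Apache2" -> "Apache-2.0" is the case discussed in this thread.
LICENSE_FIXUPS = {"Apache2": "Apache-2.0"}

# Constructed stand-in for a distribution's allowed-license list
# (assumption: the real data lives in fedora-license-data).
ALLOWED = {"MIT", "ISC", "Apache-2.0", "BSD-3-Clause", "0BSD"}

# Constructed sample of dependency metadata: name, license field, dev-only flag.
SAMPLE_DEPS = [
    {"name": "pkg-a", "license": "MIT", "dev": False},
    {"name": "pkg-b", "license": "(MIT OR Apache2)", "dev": False},
    {"name": "pkg-c", "license": "Python-2.0", "dev": False},
    {"name": "pkg-d", "license": "ISC", "dev": False},
    {"name": "build-tool", "license": "GPL-3.0-only", "dev": True},
]

TOKEN = re.compile(r"[A-Za-z0-9.+-]+")
OPERATORS = {"AND", "OR"}  # WITH-exceptions are out of scope here


def normalize(field):
    """Apply fixups to each identifier in a license field.

    Returns (normalized text, set of identifiers not in ALLOWED).
    """
    unknown = set()

    def fix(match):
        tok = match.group(0)
        if tok in OPERATORS:
            return tok
        tok = LICENSE_FIXUPS.get(tok, tok)
        if tok not in ALLOWED:
            unknown.add(tok)
        return tok

    return TOKEN.sub(fix, field.strip()), unknown


def combined_license(deps, production_only=True):
    """Build one 'A AND B' expression and map unrecognized ids to packages."""
    terms, unrecognized = set(), {}
    for dep in deps:
        if production_only and dep["dev"]:
            continue  # build-time-only packages are not shipped
        text, unknown = normalize(dep["license"])
        terms.add(text)
        for ident in unknown:
            unrecognized.setdefault(ident, []).append(dep["name"])
    return " AND ".join(sorted(terms)), unrecognized
```

Failing the build when the second return value is non-empty keeps an unvalidated string out of the spec file's License field until it is resolved.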

Member

@vashirov vashirov left a comment


LGTM!

… for both

Description: Update the generation script in 'rpm.mk' and 'bundle-rust-downstream.py'
to include SPDX license information for combined JavaScript (npm) and Cargo dependencies.

Fixes: 389ds#6043
Fixes: 389ds#6044

Reviewed by: @vashirov (Thanks!)
@droideck droideck merged commit f26ac01 into 389ds:main Jan 30, 2024
9 checks passed
droideck added a commit that referenced this pull request Jan 30, 2024
… for both (#6045)

Description: Update the generation script in 'rpm.mk' and 'bundle-rust-downstream.py'
to include SPDX license information for combined JavaScript (npm) and Cargo dependencies.

Fixes: #6043
Fixes: #6044

Reviewed by: @vashirov (Thanks!)
Successfully merging this pull request may close these issues.

Generate Combined JS and Cargo Dependencies SPDX License
Add the bundled JS libraries in the spec file