Use BSD-2-Clause license identifier #16
Conversation
|
The license field is actually free text, there is an ongoing PEP to use SPDX identifiers. |
|
True. PEP 639 will improve the current situation. The disadvantage of only classifiers is that in the case of BSD it is ambiguous since it maps to multiple possible licenses. |
|
Thanks for the PR. Does this actually matter if the full and correct license is in the repo? I'm happy to merge this if it's the right thing to do, but I'm not familiar with the situation regarding PyPI and licenses at all. |
|
It matters in that PyPI artifacts are independent from this github repo! This doesn’t change anything functionally: when you upload to PyPI, you are granting it a license to distribute your files. The impact is on people reviewing their dependencies’ metadata, possibly not by manual inspection but using scanning tools, so there is value in having consistent and correct information. These could be individual developers or OS packagers (downstream in Debian, Fedora, Conda, etc). |
|
That's basically where this occurred for us. We run dependency scanning in the pipeline (the one from GitLab on GitLab). Besides checking for vulnerable packages/package versions it can also detect the license. I was told by GitLab's support that they rely on the At the same time, that field gets shown on PyPI on the left-hand side under Meta -> License. I noticed that if it is a valid identifier PyPI shows the name with the identifier in parentheses. (compare Django and django-forms-dynamic). |
BSDis ambiguous. Since the license is BSD 2 Clause, the SPDX identifier for this license can be used here.