
licensing: default to concatenating with AND, add simple mode for license-check --fix #2057

Merged: sil2100 merged 8 commits into chainguard-dev:main from sil2100:license-adjustments on Jul 7, 2025

Conversation

sil2100 (Member) commented Jun 27, 2025

Rationale: even with our current license checking mechanism, listing out all the licenses properly will end up concatenating them in the package with an OR statement. This is bad. Think of GPL software containing some vendored MIT code - its SBOM will end up with a license string of "GPLv3 OR MIT", which is untrue and potentially dangerous as the code cannot be redistributed with a less restrictive license. Defaulting to AND is a safer bet.

There is an ongoing design and implementation effort to add the ability to express relations to licensing: #2050. But this is a big change and needs an actual design doc I'm afraid.

In the meantime, switching to AND seems a good bet, and I added a renovate --simple option for the --fix mode that doesn't list all the licenses individually (with links to files) but simply deals with listing out just the licenses in one string. It's something we'll want to modify and do properly (listing all the files), but before we do, this is the only safe way of ensuring the person working on the licensing bits has power over relationships between the licenses listed out. --fix just gives a guideline, nothing more.
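An added example, not the project's own code, showing why the default operator matters: it builds the package's license string from the licenses detected in the package and then checks what a redistributor who honours only MIT's terms may do under each operator. It assumes flat SPDX expressions (GPL-3.0-only standing in for the "GPLv3" of the description) and a toy satisfiability check, not the real license-check --fix implementation.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// BuildExpression joins the licenses detected in a package into one flat SPDX
// expression; AND means all of them apply, OR lets the consumer pick one.
func BuildExpression(licenses []string, op string) string {
	seen := map[string]bool{}
	var ids []string
	for _, l := range licenses {
		if !seen[l] {
			seen[l] = true
			ids = append(ids, l)
		}
	}
	sort.Strings(ids)
	return strings.Join(ids, " "+op+" ")
}

// Satisfies reports whether honouring only the licenses in accepted permits
// redistribution under expr. Assumption: expr is flat (one operator, no
// parentheses), which is all the concatenation described in this PR produces.
func Satisfies(expr string, accepted map[string]bool) bool {
	if strings.Contains(expr, " OR ") {
		for _, l := range strings.Split(expr, " OR ") {
			if accepted[l] {
				return true // any one alternative is enough under OR
			}
		}
		return false
	}
	for _, l := range strings.Split(expr, " AND ") {
		if !accepted[l] {
			return false // every listed license must be honoured under AND
		}
	}
	return true
}
func main() {
	detected := []string{"GPL-3.0-only", "MIT", "MIT"} // constructed: GPL package vendoring MIT code
	onlyMIT := map[string]bool{"MIT": true}            // honours MIT obligations only
	for _, op := range []string{"OR", "AND"} {
		expr := BuildExpression(detected, op)
		fmt.Printf("%-22s redistributable under MIT alone: %v\n", expr, Satisfies(expr, onlyMIT))
	}
}
```

With OR the vendored MIT fragment lets the whole package be redistributed without honouring the GPL; with AND it does not, which is the hazard the description calls out.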

sil2100 and others added 4 commits June 27, 2025 17:46
… mode option for license-check --fix

Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
dannf (Contributor) previously approved these changes Jul 2, 2025 and left a comment:

Nice! I've a suggestion inside about the flag name, but it's non-blocking

sil2100 added 2 commits July 7, 2025 17:01
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
sil2100 (Member, Author) commented Jul 7, 2025

@dannf pushed some changes on top. The flag help description could use some expansion, but I'd recommend doing that as part of future changes. It's all very experimental right now!

@sil2100 sil2100 requested a review from dannf July 7, 2025 15:03
sil2100 added 2 commits July 7, 2025 17:09
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
dannf (Contributor) left a comment:

LGTM!

@sil2100 sil2100 merged commit cf2b468 into chainguard-dev:main Jul 7, 2025
62 checks passed
@sil2100 sil2100 deleted the license-adjustments branch July 7, 2025 16:06
