We run all our components through Sonatype's quality checking tools automatically. It checks for known vulnerabilities, quality issues, and license issues. It is set up to block licenses that are not free, and it blocked this component for that reason, saying that it is proprietary (also lists Apache 2.0, which is confusing). Any time there is a license problem like this, we spend time to investigate before letting the component through - in this case using up a decent amount of time and delaying progress for us. I would imagine others probably have a similar setup. We can decide to move forward (probably will currently), but it is not ideal.
After some digging, it seems that it is because of the classifier on the PyPI package "License :: Other/Proprietary License".
This was strange to see (even downloaded the whl and looked at it and it also showed the classifier), since pyproject.toml doesn't have that classifier, and has the license as Apache 2.0. Further digging revealed that maybe poetry adds that classifier if it doesn't recognize the value in the "License" field: https://github.com/python-poetry/poetry-core/blob/5d3abc51bb765d825f3162f34595d853b249a8eb/tests/spdx/test_license.py#L47
Based on poetry documentation, it looks like the way they expect this license to come through is "Apache-2.0" (with a dash).
TL;DR: I think if the license value in pyproject.toml were updated in this way and the classifier didn't show up any more, it would clear the air so that organizations such as mine can use it more easily.
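The mismatch described in this issue (a wheel whose `License:` header says Apache 2.0 while its classifiers say proprietary) is the kind of thing a CI gate can catch before a scanner like Sonatype's does. The following is an added example, not code from the original issue, from the project, or from poetry; the METADATA text and the SPDX alias table are constructed for the example, and the classifier behaviour it checks for is the one the issue describes.

```python
from email.parser import HeaderParser
from typing import Dict, List

PROPRIETARY = "License :: Other/Proprietary License"

# Loose spellings a maintainer might type, mapped to the SPDX identifier
# that packaging tools expect. Assumed subset; extend for your own allow-list.
SPDX_ALIASES: Dict[str, str] = {
    "apache 2.0": "Apache-2.0",
    "apache-2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "mit": "MIT",
}

# Constructed METADATA resembling the wheel described in the issue.
CONSTRUCTED_METADATA = """\
Metadata-Version: 2.1
Name: example-pkg
Version: 1.0.0
License: Apache 2.0
Classifier: License :: Other/Proprietary License
Classifier: Programming Language :: Python :: 3
"""


def parse_metadata(text: str) -> Dict[str, List[str]]:
    """Parse a wheel METADATA file (RFC 822 headers) into header lists."""
    msg = HeaderParser().parsestr(text)
    return {
        "license": msg.get_all("License") or [],
        "classifiers": msg.get_all("Classifier") or [],
    }


def audit_license(text: str) -> List[str]:
    """Return findings for one METADATA text; an empty list means no mismatch."""
    meta = parse_metadata(text)
    license_value = (meta["license"] or [""])[0].strip()
    spdx = SPDX_ALIASES.get(license_value.lower())
    if PROPRIETARY not in meta["classifiers"]:
        return []
    if spdx:  # declared license is known and free, so the classifier is wrong
        return [f"{PROPRIETARY!r} contradicts License: {license_value!r}; "
                f"set license = \"{spdx}\" in pyproject.toml and rebuild"]
    return [f"proprietary classifier present; License field is {license_value!r}"]


if __name__ == "__main__":
    for finding in audit_license(CONSTRUCTED_METADATA):
        print(finding)
```

Run it against the METADATA file extracted from the built wheel (the same file the issue author inspected) as a pre-publish step, so a non-SPDX `license` value is caught before the package reaches PyPI.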
@Bachmann1234 That took care of it! Sonatype tooling now recognizes it as having the accepted Apache license. Thank you so much for getting this fixed so quickly and really glad to see that it worked!