rpms/llhttp
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Better audit (and document auditing of) dev dependency licenses

Browse Source
This commit is contained in:
Benjamin A. Beasley 2024-02-08 08:53:11 -05:00
parent 3642665f8b
commit 612f9b80c0
1 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
llhttp.spec
View File

@ -71,6 +71,9 @@ BuildRequires: gcc-c++
# For check-null-licenses # For check-null-licenses
BuildRequires: python3-devel BuildRequires: python3-devel
# For additional license auditing:
BuildRequires: askalono-cli
BuildRequires: licensecheck
%description %description
This project is a port of http_parser to TypeScript. llparse is used to This project is a port of http_parser to TypeScript. llparse is used to
@ -146,6 +149,70 @@ popd
# code with license problems in the source RPM. # code with license problems in the source RPM.
%{python3} '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev %{python3} '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev
# Ensure we have checked all of the licenses in the dev dependency bundle for
# allowability.
pattern="${pattern-}${pattern+|}UNKNOWN|(Apache|Python) License 2\\.0"
pattern="${pattern-}${pattern+|}(MIT|ISC|BSD [023]-Clause) License"
pattern="${pattern-}${pattern+|}MIT License and/or X11 License"
pattern="${pattern-}${pattern+|}GNU General Public License"
# The CC0-1.0 license is *not allowed* in Fedora for code, but the
# binary-search dev dependency falls under the following blanket exception:
#
# Existing uses of CC0-1.0 on code files in Fedora packages prior to
# 2022-08-01, and subsequent upstream versions of those files in those
# packages, continue to be allowed. We encourage Fedora package maintainers
# to ask upstreams to relicense such files.
#
# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/91#note_1151947383
#
# This can be verified by checking out commit
# f460573ec4dc41968e600a96aaaf03a167b236bf (2021-12-16) from dist-git for this
# package, obtaining the source llhttp-6.0.6-nm-dev.tgz, and observing that
# llhttp-6.0.6/node_modules_dev/binary-search/package.json shows the CC0-1.0
# license.
pattern="${pattern-}${pattern+|}binary-search/package.json: (\*No copyright\* )?Creative Commons CC0 1\.0"
# The license BSD-3-Clause-Clear appears in sprintf-js/bower.json. This license
# is on the not-allowed list, but it is not real: sprintf-js/package.json and
# sprintf-js/LICENSE have the correct (and allowed) BSD-3-Clause license, and
# upstream confirmed in “Licensing Question”
# https://github.com/alexei/sprintf.js/issues/211 that the appearance of
# BSD-3-Clause-Clear in this file was a mere typo.
pattern="${pattern-}${pattern+|}sprintf-js/bower.json: (\*No copyright\* )?BSD 3-Clause Clear License"
if licensecheck -r node_modules_dev |
grep -vE "(${pattern})( \\[generated file\\])?\$" ||
! askalono crawl node_modules_dev | awk '
$1 == "License:" { license = $0; next }
$1 == "Score:" {
if ( \
license ~ /: (MIT|ISC|0BSD|BSD-[23]-Clause) \(/ || \
license ~ /: (Apache-2\.0|Python-2\.0\.1) \(/ \
) {
next # license is OK
}
# license needs auditing
problem = 1
print file; print license; print $0
next
}
{ file = $0 }
END { exit problem }'
then
cat 1>&2 <<'EOF'
=================================================================
Possible new license(s) found in dev dependency bundle!
While these do not contribute to License, they must appear in:
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
Please audit them and modify the patterns representing expected
licenses in the spec file!
=================================================================
EOF
exit 1
fi
# http-loose-request.c:7205:20: error: invalid conversion from 'void*' to # http-loose-request.c:7205:20: error: invalid conversion from 'void*' to
# 'const unsigned char*' [-fpermissive] # 'const unsigned char*' [-fpermissive]
# 7205 | start = state->_span_pos0; # 7205 | start = state->_span_pos0;