
Bug: Missing license information still not allowed in crates from a private registry #736

Open
kornelski opened this issue Dec 7, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@kornelski

Describe the bug

I've tried to configure it to ignore licenses from a private registry:

[licenses.private]
ignore = true
registries = [
 "http://private.example.com/"
#  "sparse+http://private.example.com/" # tried this too
]

but I'm still getting an error about crates not having a license:

error[unlicensed]: internal-only-crate = 1.1.1 is unlicensed
  ┌─ sparse+http://private.example.com/#[email protected]:2:9
  │
2 │ name = "internal-only-crate"
  │         ━━━━━━━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "1.1.1"
4 │ license = ""
  │            ─ license expression was not specified
  │
  ├ internal-only-crate v1.1.1

There is no license or license-file in Cargo.toml of that crate, on purpose. It's proprietary, and there's no SPDX identifier for that.

To reproduce

Publish a crate to a private registry (I've used freighter), use it in a workspace, and run cargo deny check.

cargo-deny version

cargo-deny 0.16.3

What OS were you running cargo-deny on?

MacOS

Additional context

No response

@jongiddy
Contributor

The check for private licenses uses the matches_url method that has a bug fixed by #739.

Does cargo-deny built from main fix this problem for you?

@kornelski
Author

kornelski commented Dec 23, 2024

I've tried a build from the latest commit f6e40d8

ignore-sources = [
   "git+ssh://[email protected]/internal_package1.git"
]

worked for me to fix this case:

cargo deny check licenses
error[unlicensed]: internal_package1 = 0.1.0 is unlicensed
  ┌─ git+ssh://[email protected]/internal_package1.git?branch=main#[email protected]:2:9
  │
2 │ name = "internal_package1"
  │         ━━━━━━━━━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "0.1.0"
4 │ license = ""
  │            ─ license expression was not specified
  │

but I can't figure out how to allow private packages from the current workspace and a private registry. I've tried all the combinations of registry URLs in licenses.private.registries and licenses.private.ignore-sources.

error[unlicensed]: internal_package2 = 2024.12.5 is unlicensed
  ┌─ path+file:///Users/me/internal_package2#2024.12.5:2:9
  │
2 │ name = "internal_package2"
  │         ━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "2024.12.5"
4 │ license = ""
  │            ─ license expression was not specified
  │

error[unlicensed]: internal_package3 = 3.2.0 is unlicensed
  ┌─ sparse+https://internal.registry/index/#[email protected]:2:9
  │
2 │ name = "internal_package3"
  │         ━━━━━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "3.2.0"
4 │ license = ""
  │            ─ license expression was not specified
  │

BTW, the error shows license = "", but the license field is completely absent in Cargo.toml of these packages.

@williamareynolds
Copy link

I found that if the private package's manifest doesn't contain the publish key, I couldn't use licenses.private.registries. The package had to have a matching URL in publish, or publish had to be set to false, i.e.

# Cargo.toml in my private package
[package]
# ...
publish = [
  "my.private.registry.com"
]
# ...

with "my.private.registry.com" added in licenses.private.registries in deny.

OR

# Cargo.toml in my private package
[package]
# ...
publish = false
# ...

Then in deny you don't have to do anything other than setting licenses.private.ignore = true.

In other words, licenses.private.registries is selecting for packages whose manifest specifies that registry in package.publish. As long as licenses.private.ignore = true, packages whose manifest specifies package.publish = false will have their license ignored as well.

licenses.private.ignore-sources seems to be primarily interested in where the local copy of the package was actually obtained from. Unfortunately, it has a bug that I'll file separately from this one where it seems to strip the ".git" from the end of my configured URL. As a result, having licenses.private.ignore-sources = ["https://my.registry.com/index/package.git"] will only allow packages sourced from "https://my.registry.com/index/package". Without the ".git" on the end it doesn't match, so I can't use it.

If someone can confirm that my understanding of everything here is correct, I'd be happy to make a doc contribution with some clear examples of how each of these is meant to be used and create that other bug (if it is indeed a bug).
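To make the three exemption paths discussed in this thread concrete, here is an added audit script (not part of cargo-deny) that applies the rules as the comment above describes them, assumed rather than taken from cargo-deny's source, to a constructed `cargo metadata` sample and lists the unlicensed crates that a given `[licenses.private]` section would still leave flagged. The registry name, git host and commit hash in the sample are placeholders.

```python
import json

def _pkg(name, version, source, publish, license=None):
    """Build one entry in the shape `cargo metadata --format-version 1` emits."""
    return {"name": name, "version": version, "source": source,
            "publish": publish, "license": license, "license_file": None}

# Constructed sample metadata (not a real workspace); mirrors the cases in the thread.
SAMPLE_METADATA = json.dumps({"packages": [
    # git dependency: meant to be covered by ignore-sources
    _pkg("internal_package1", "0.1.0",
         "git+ssh://git@example.invalid/internal_package1.git?branch=main#0123abcd", None),
    # path dependency with publish = false (cargo metadata reports an empty list)
    _pkg("internal_package2", "2024.12.5", None, []),
    # private-registry crate whose manifest lists that registry in package.publish
    _pkg("internal_package3", "3.2.0", "sparse+https://internal.registry/index/",
         ["my.private.registry.com"]),
    # private-registry crate with no publish key: not exempt, as in the original report
    _pkg("internal-only-crate", "1.1.1", "sparse+http://private.example.com/", None),
    # ordinary licensed crate: never a finding
    _pkg("serde", "1.0.0", "registry+https://github.com/rust-lang/crates.io-index", None,
         license="MIT OR Apache-2.0"),
]})

# Hypothetical [licenses.private] section of deny.toml, as a dict.
PRIVATE_CFG = {"ignore": True, "registries": ["my.private.registry.com"],
               "ignore-sources": ["git+ssh://git@example.invalid/internal_package1.git"]}

def normalize_source(source):
    """Strip the ?branch=... query and #rev fragment cargo appends to a source id."""
    return source.split("#", 1)[0].split("?", 1)[0]

def is_private(pkg, cfg):
    """Assumed semantics: publish = false, or a publish list fully inside `registries`,
    exempts the crate when ignore is set; `ignore-sources` matches the fetch source."""
    publish = pkg.get("publish")
    if cfg["ignore"] and publish == []:
        return True
    if cfg["ignore"] and publish and all(r in cfg["registries"] for r in publish):
        return True
    source = pkg.get("source")
    return bool(source) and normalize_source(source) in cfg["ignore-sources"]

def unlicensed_uncovered(metadata_json, cfg):
    """Crates with neither license nor license-file that the config does not exempt,
    i.e. the set cargo-deny would report as error[unlicensed]."""
    return [f'{p["name"]}@{p["version"]}'
            for p in json.loads(metadata_json)["packages"]
            if not (p.get("license") or p.get("license_file")) and not is_private(p, cfg)]

if __name__ == "__main__":
    for crate in unlicensed_uncovered(SAMPLE_METADATA, PRIVATE_CFG):
        print("unlicensed and not exempt:", crate)
```

Against a real workspace, feed it the output of `cargo metadata --format-version 1` instead of the sample; the crate it reports here is the one whose manifest has neither a publish key nor a matching ignore-sources entry.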
