-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Faulty license detection #777
Comments
@filiptronicek We're taking a different approach from VS Marketplace. What was the thinking? |
I am unaware of what the initial thinking was, but I think it is a nice way to show license types where we can for users to more easily determine what extensions are FOSS and which are not. I think we should re-visit it and see how much value it adds, and whether it's still worthwhile keeping. |
@filiptronicek The server searches for the license by using a list of well known open source licenses (MIT, GPL, BSD, etc.). The server doesn't take into account dual licensed extensions. Even if we were able to, I don't know how to concisely name this license (MIT & PLUS?) It's probably better to just add the license file to the Resources section and not display the license name in the header anymore. |
@amvanbaren I agree with not showing the license name. If we want to be a bit clever, though, we could use an approach employed by GitHub, which I like: if a license format exactly matches the license file, use it. If it doesn't, just display Footnotes
|
Sounds good. We can call licensee using JRuby. The other thing is that the |
@amvanbaren This could represent a pretty substantial visible change to our users/adopters. Is there an easy way to determine how may extensions would have what shows for their license change? |
@kineticsquid Is there an easy way to determine how may extensions would have what shows for their license change? No, there isn't really an easy way. The quickest way is to get all licenses for each extension using licensee and compare that to the extension license in the database. |
just noticed that rust-analyzer is dual licensed: https://open-vsx.org/extension/rust-lang/rust-analyzer/0.4.1584 |
@amvanbaren I think that comes from the extension manifest |
@amvanbaren @filiptronicek I've just about finished running In general, we can divide the extensions into three classes:
Running
Given the above 3x3 matrix, what's the thinking on how we might use |
@kineticsquid Well, I would compare it to the current situation. I don't think much will change, just that the license detection is more accurate. Licensee is able to detect multiple licenses. If we stick to the 1 license per extension version then we just take the license with the highest confidence score. On the other hand it's quite a fundamental change if we want to provide all found licenses. Not just for the webui, but also for the database and API endpoints. API consumers like VSCode or VSCodium only expect 1 license, so we also have to keep that in mind. |
Worst case we hack around it with |
@filiptronicek It's a link to the license file, not the license names. I guess we can divide an extension's licenses into a main license and other licenses. |
I tried a number of different permutations of license files and
The exception: based my observations, with this extension, https://open-vsx.org/extension/kineticsquid/jk-helloworld-minimal-sample-kineticsquid, I thought that if one specified Attempting to reproduce this, I took the In it seems strange that the |
The above said, I think at a minimum, if an author specifies I'm also wondering if attempting license detection is worth it. E.g. if there is a license file and no entry in |
Thinking about this some more, I think this is what open-vsx should do:
|
@kineticsquid Do you want to apply the same logic for README and CHANGELOG files? |
@amvanbaren No, I think the current behavior is fine. To wit, just a message that indicates either |
As described in EclipseFdn/publish-extensions#689, there is something wrong with how we detect licenses.
If you take GitLens and publish it at its latest version (
14.0.1
), the MIT License gets displayed in the WebUI for it. If you inspect the file itself, you discover that the license is indeed part MIT, but has a header basically stating that it does not apply to all code in the repository. This means that we tell our users the incorrect license.I am trying to figure out how we do these license checks, but it looks like we're being a bit to lax.
We should rather have false negatives than false positives.
The text was updated successfully, but these errors were encountered: