The license of libm is now: `MIT AND (MIT OR Apache-2.0)`.
After being normalized, it shows up as `Apache-2.0) OR MIT AND (MIT`, which does not make sense.
It looks like it's caused only by the `sort_unstable` call. Why is that required?
sosthene-nitrokey changed the title from `cargo-license fails to normalize the license of libm 0.2.9 and 0.2.8` to `cargo-license fails to normalize the license of libm 0.2.9 and 0.2.10` on Oct 28, 2024
> It looks like it's caused only by the `sort_unstable` call.
The underlying bug is the splitting on OR, which is fundamentally wrong since SPDX licence strings can contain parens. So a SPDX string must either be taken verbatim, or parsed properly.
> Why is that required?
I presume that this is an attempt to normalise the licence string. If the SPDX strings are normalised, they can be deduplicated, so that a minimum number of different licences are reported.
But, if normalisation is desirable, the right way to implement it would be to properly parse the SPDX string. This is nontrivial (and would come with its own subtleties).
IMO this normalisation ought not to have been attempted with this fundamentally incorrect algorithm. But simply abolishing it would probably be too disruptive.
In the meantime I suggest the following bodge: if the string contains any ( or ), completely skip the normalisation (including the splitting and the sort_unstable). That would fix this particular case by outputting the original string, without mangling it.
(Also, sort_unstable ought to be sort. sort_unstable isn't appropriate here, because we want the output to remain the same across different builds of cargo license.)
FTAOD my proposed bodge leaves the algorithm correct (in the sense that it would never corrupt a licence string); it's just not optimal and rather unprincipled. Currently the algorithm is broken.
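As an added illustration (not cargo-license's own code), the following Rust reproduces the mangling described in this thread and shows the proposed bodge beside it. The naive path splits on ` OR `, sorts the operands with a stable `sort`, and rejoins them; the bodge returns any expression containing `(` or `)` verbatim. The function names, the `dedup` step and the exact split/join details are assumptions made for the example, not a description of what cargo-license actually does internally.

```rust
// Added example: the naive "split on OR, sort, rejoin" normalisation that the
// thread describes as fundamentally wrong, next to the proposed bodge that
// skips normalisation whenever the expression contains parentheses.
// `normalise_naive`, `normalise_bodge` and the dedup step are assumptions for
// this illustration; they are not cargo-license's real implementation.

/// Naive normalisation: treat every " OR " as a top-level operator.
/// On "MIT AND (MIT OR Apache-2.0)" this yields the corrupted string
/// reported in the issue, because the OR inside the parentheses is split.
fn normalise_naive(expr: &str) -> String {
    let mut parts: Vec<&str> = expr.split(" OR ").map(str::trim).collect();
    // Stable sort, as the thread suggests, so output never depends on the build.
    parts.sort();
    // Deduplicate identical operands (assumed; this is what normalisation is for).
    parts.dedup();
    parts.join(" OR ")
}

/// Proposed bodge: if the expression contains any '(' or ')', skip the
/// normalisation entirely and return the original string unchanged.
/// Flat expressions (no parentheses) still go through the naive path.
fn normalise_bodge(expr: &str) -> String {
    if expr.contains('(') || expr.contains(')') {
        return expr.to_string();
    }
    normalise_naive(expr)
}

fn main() {
    let libm = "MIT AND (MIT OR Apache-2.0)"; // the expression from the issue
    println!("naive : {}", normalise_naive(libm)); // mangled
    println!("bodge : {}", normalise_bodge(libm)); // verbatim
    println!("flat  : {}", normalise_bodge("Apache-2.0 OR MIT OR Apache-2.0"));
}
```

Run it with `rustc` or inside a scratch `cargo` project; the naive path prints exactly the `Apache-2.0) OR MIT AND (MIT` string from the report, while the bodge leaves the libm expression intact and still sorts and deduplicates a flat `OR` list.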