API endpoint doesn't fetch package license
Closed this issue · 5 comments
Problem:
In the current version of the exposed API (1.1.0) there's an issue related to fetching package metadata. To be more specific, license info is not present in the response.
Description:
The issue can be seen when sending the following request:
curl -X 'GET' 'https://packages.ecosyste.ms/api/v1/registries/nuget.org/packages/newtonsoft.json/versions/13.0.3' -H 'accept: application/json'
The expected response should contain the 'licenses' field with the actual newtonsoft.json package license (MIT), but as of now it is always null, just as for other packages like Microsoft.EntityFrameworkCore or Autofac (whose license info can be retrieved from the nuget.org registry).
Thanks for reporting, I'll check it out today
If there's no license information on the version, then you'll want to go to the package object itself: https://packages.ecosyste.ms/api/v1/registries/nuget.org/packages/newtonsoft.json/
Eventually I'd like to scan each version to get license information but right now the license field on versions is only populated if it's provided from the package manager at a per-version level of detail, which I don't believe it is with nuget.org
Why should I go there when version's not present at a per-version level? I mean, why is there the assumption that all packages have the same license (otherwise I couldn't - and even mustn't - go to the package itself in such a case)? Just asking because different versions may have different licenses.
The assumption is that the license field on the package object is the license field of the latest version of the package. It has the potential to change over time and is updated to whatever the registry says is the current license. For most registry APIs that's a shared assumption.
In an ideal world I'd do detailed analysis on each package version and record them all but I don't have the compute power at the moment to perform that.
Ok, so as of now, if I'd like to know what license a specific lib in an old version has, I can't assume that this API will return info that's 100% true? (because of that assumption and the probable lack of license info in the *.nuspec file)
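One way a client could apply the fallback discussed in this thread while recording how far the result can be trusted, as an added example that is not part of the original issue or of the ecosyste.ms code base. The `number` and `latest_release_number` keys and the package-level `licenses` key are assumptions about the response shape, and the sample documents are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LicenseFinding:
    license: Optional[str]
    source: str   # "version", "package-latest" or "unknown"
    exact: bool   # True only if the value is known to describe the requested version


def _clean(value) -> Optional[str]:
    """Treat None, empty and whitespace-only strings as missing."""
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def resolve_license(version_doc: dict, package_doc: dict) -> LicenseFinding:
    """Prefer the per-version license; otherwise fall back to the package
    object, whose license describes the latest version only."""
    per_version = _clean(version_doc.get("licenses"))
    if per_version:
        return LicenseFinding(per_version, "version", True)

    fallback = _clean(package_doc.get("licenses"))
    if fallback:
        # Assumed keys: the fallback is exact only when the requested
        # version is the one the package object currently reports as latest.
        number = version_doc.get("number")
        is_latest = number is not None and \
            number == package_doc.get("latest_release_number")
        return LicenseFinding(fallback, "package-latest", is_latest)

    return LicenseFinding(None, "unknown", False)


# Constructed sample documents (not real API output).
PACKAGE = {"name": "example.pkg", "licenses": "MIT",
           "latest_release_number": "2.0.0"}
OLD_VERSION = {"number": "1.0.0", "licenses": None}
LATEST_VERSION = {"number": "2.0.0", "licenses": None}
TAGGED_VERSION = {"number": "1.5.0", "licenses": "Apache-2.0"}

if __name__ == "__main__":
    for doc in (OLD_VERSION, LATEST_VERSION, TAGGED_VERSION):
        print(doc["number"], resolve_license(doc, PACKAGE))
```

A compliance check can then accept findings with `exact=True` and route the rest to manual review of the package contents for that version.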