Replace <PackageLicenseFile> with <PackageLicenseExpression>
szimmer-dap opened this issue · 0 comments
Hi there!
We are currently adapting a package approval workflow, where packages are approved or blocked based on certain criteria. One very important criterion is the package's license. There is a list of approved licenses (like MIT, Apache, BSD, ...) and a list of licenses that cannot be used.
Although your package seems to be under MIT license, it's hard to auto-approve this package, because it uses an embedded license file instead of an SPDX tag (https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-list/). As a result, the license does not show up in the package's metadata and cannot be automatically processed.
Reproduction steps
Compare e.g. the "About" page of https://www.nuget.org/packages/LibGit2Sharp with https://www.nuget.org/packages/Microsoft.Data.SqlClient, where the latter clearly states the package's license, while your package does not.
Expected behavior
I would expect the package's license to be clearly shown in its metadata.
Actual behavior
This package's metadata refers to an embedded license file instead.
Version of LibGit2Sharp (release number or SHA1)
All versions up to 0.30.0
Operating system(s) tested; .NET runtime tested
Not specific to OS or .NET runtime
Solution
Would you consider using an SPDX license expression? Basically, all that is needed is replacing the line
<PackageLicenseFile>App_Readme/LICENSE.md</PackageLicenseFile>
with
<PackageLicenseExpression>MIT</PackageLicenseExpression>
in all *.csproj or *.props files (or whatever mechanism generates the corresponding *.nuspec file). The LICENSE file can still remain in the package, just the metadata would change. The corresponding .nuspec file should then change the line
<license type="file">App_Readme/LICENSE.md</license>
to
<license type="expression">MIT</license>
This would be a huge help for us, because with embedded license files we have to manually check and approve every single version of every package.