• Bug#1102924: licenserecon: MIT detected as Expat

    From Otto Kekäläinen@21:1/5 to All on Sun Apr 13 11:20:01 2025
    Package: licenserecon
    Version: 4.2

    When running lrc on new package usql (https://salsa.debian.org/go-team/packages/usql/-/merge_requests/1) I
    got:

    # lrc
    : Versions: licenserecon '4.2' licensecheck '3.3.9-1'

    Parsing Source Tree ....
    Reading d/copyright ....
    Running licensecheck ....

    d/copyright | licensecheck

    MIT | Expat LICENSE
    MIT | Expat debian/vendor/github.com/gohxs/readline/LICENSE
    MIT | Expat debian/vendor/github.com/jeandeaual/go-locale/LICENSE
    MIT | Expat debian/vendor/github.com/kenshaw/colors/LICENSE
    MIT | Expat debian/vendor/github.com/kenshaw/rasterm/LICENSE
    MIT | Expat debian/vendor/github.com/mattn/go-sixel/LICENSE
    MIT | Expat debian/vendor/github.com/nathan-fiscaletti/consolesize-go/LICENSE
    MIT | Expat debian/vendor/github.com/soniakeys/quant/internal/internal.go
    MIT | Expat debian/vendor/github.com/soniakeys/quant/license
    MIT | Expat debian/vendor/github.com/soniakeys/quant/median/median.go
    MIT | Expat debian/vendor/github.com/soniakeys/quant/palette.go
    MIT | Expat debian/vendor/github.com/soniakeys/quant/quant.go
    MIT | Expat debian/vendor/github.com/soniakeys/quant/sierra.go
    MIT | Expat debian/vendor/github.com/xo/dburl/LICENSE
    MIT | Expat debian/vendor/github.com/xo/tblfmt/LICENSE
    MIT | Expat debian/vendor/github.com/yookoala/realpath/LICENSE
    MIT | Expat debian/vendor/github.com/yookoala/realpath/realpath.go
    MIT | Expat gen.go
    MIT | Expat text/license.go

    The licenses themselves clearly state "MIT". Why is the tool
    detecting them as Expat?

    Seems like a false positive to me.

    The workaround suggested in https://manpages.debian.org/unstable/licenserecon/lrc.1.en.html is to
    skip these files using debian/lrc.config but if they ever change, the
    tool wouldn't detect anything. I'd rather just "override" this
    MIT->Expat detection as a false finding without skipping those files permanently.

    What do you think about this situation?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Peter B@21:1/5 to All on Sun Apr 13 13:00:01 2025
    On 13/04/2025 10:09, Otto Kekäläinen wrote:
    > The licenses themselves clearly state "MIT". Why is the tool
    > detecting them as Expat?
    >
    > Seems like a false positive to me.
    >
    > The workaround suggested in https://manpages.debian.org/unstable/licenserecon/lrc.1.en.html is to
    > skip these files using debian/lrc.config but if they ever change, the
    > tool wouldn't detect anything. I'd rather just "override" this
    > MIT->Expat detection as a false finding without skipping those files permanently.
    >
    > What do you think about this situation?

    Hi Otto,

    please see
    https://dep-team.pages.debian.net/deps/dep5/

    towards the bottom it says
     "There are many versions of the MIT license. Please use Expat instead,
    when it matches."

    Licensecheck is correctly reporting the license as Expat according to Dep5.

    The solution is to use Expat in the copyright file. Changes would then
    be detected.
    Or, if you use --spdx mode, licensecheck would report the license as MIT.


    Regards,
    Peter

  • From Otto Kekäläinen@21:1/5 to All on Sun Apr 13 17:10:02 2025
    Thanks for the clarification.

    Indeed https://en.m.wikipedia.org/wiki/MIT_License#Ambiguity_and_variants explains that FSF didn't like the name MIT and recommends Expat instead. However, MIT is currently the most popular open source license in the world
    and everyone else uses it by that name, including 'usql' itself, so I will
    also use that name.

    Would it be possible to activate the 'spdx' mode via the config file so it doesn't need to be passed manually?

  • From Peter Blackman@21:1/5 to All on Sun Apr 13 22:50:01 2025
    On 13/04/2025 16:00, Otto Kekäläinen wrote:
    > Thanks for the clarification.
    >
    > Indeed https://en.m.wikipedia.org/wiki/MIT_License#Ambiguity_and_variants
    > explains that FSF didn't like the
    > name MIT and recommends Expat instead. However, MIT is currently the
    > most popular open source license in the world and everyone else uses it
    > by that name, including 'usql' itself, so I will also use that name.
    >
    > Would it be possible to activate the 'spdx' mode via the config file so
    > it doesn't need to be passed manually?

    Yes,

    just put the option (with the hyphens) on its own line in the config file.

    This is described in the readme (but not currently in the man page).

    "Command line options to be used on every run (maybe --spdx etc with
    Salsa CI) can be included in debian/lrc.config"


    Peter B
