Make license/licenses field mandatory

Jay Feldblum y_feldblum at yahoo.com
Thu Oct 13 17:20:44 EDT 2011


Jon,

That's a good question. It catches me out on making a blanket statement
where I should have been more careful. Let me start off with the rationale
and then give my answer.

The thing that needs enforcement is rubygems.org, the public gems
repository. The thing that needs to guide users in the right direction is
the rubygems library.

The rubygems.org whitelist should be the key enforcer that new gems and new
gem versions pushed to the public rubygems.org repository have known
open-source licenses. Anything outside of rubygems.org and its whitelist
should be there only to help and to guide, and should easily be overridden.

Therefore, gem push --host HOST *should warn* but *should not refuse* (i.e.,
should allow the operation only if the --host HOST option is passed, and
only if the HOST is other than rubygems.org). The warning should be there
because all gems *should* have licenses, even if the license is
"Proprietary: Authorized Use Only." This is my strong opinion and I think
the rubygems tooling should take that opinion as well. The rationale that
tooling *should* have a way to find out about all gem licenses still applies
here. I quite understand that it may be annoying for a new gem author to see
this warning message, but the five minutes it takes him to add a license is
five minutes less time that every one of his gem's users, potentially
thousands of people, have to spend researching the gem. But in the case of a
private gem at a private repository, if the gem author sees the warning and
ignores it, then his tooling missing that license information is his fault -
but it doesn't affect anyone else, or at least anyone else outside his
organization.

Overall, what I'd like to see is a tool that can tell me:

    $ bundle licenses list
    activesupport (3.1.1)  => MIT
    multi_json (1.0.3)     => MIT
    my-private-gem (3.2.6) => Proprietary
    old-public-gem (2.6.7) => <unknown>

all from metadata, so I can remain sure every time I update my gems of what
the licenses are. And I'd like the rubygems tooling to guide everyone to
make that possible, and the public rubygems.org ecosystem to enforce it.

Cheers,
Jay Feldblum

On Thu, Oct 13, 2011 at 4:19 PM, Jon <jon.forums at gmail.com> wrote:

> > To help prevent user errors, `gem build` and `gem push` should warn, and
> > refuse if called without a `--force` or `--skip-license-check` flag, when
> > building and pushing gems without a license listed.
>
>
> Should `gem push` if used with the `--host` option also warn and refuse to
> work without a flag, and if yes, why do you think so?
>
> Jon
> _______________________________________________
> RubyGems-Developers mailing list
> http://rubyforge.org/projects/rubygems
> RubyGems-Developers at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers
>
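
An added example, not part of the original message and not RubyGems or Bundler code: it builds the license listing shown above from gemspec metadata and applies the proposed push rule (the public host enforces a whitelist, any other host only warns when no license is listed). The whitelist contents, the private host name and the helper names are assumptions for illustration, and the specs are constructed sample data.

```ruby
require "rubygems"

PUBLIC_HOST = "rubygems.org"
# Assumption: stand-in for the proposed whitelist, not a real rubygems.org list.
LICENSE_WHITELIST = %w[MIT BSD Apache-2.0 Ruby].freeze

# Build an in-memory gemspec; nothing is installed or fetched.
def sample_spec(name, version, licenses)
  Gem::Specification.new do |s|
    s.name = name
    s.version = version
    s.licenses = licenses
  end
end

# Constructed sample data mirroring the listing in the message.
SAMPLE_SPECS = [
  sample_spec("activesupport", "3.1.1", ["MIT"]),
  sample_spec("multi_json", "1.0.3", ["MIT"]),
  sample_spec("my-private-gem", "3.2.6", ["Proprietary"]),
  sample_spec("old-public-gem", "2.6.7", [])
].freeze

# Declared licenses, or "<unknown>" when the metadata carries none.
def license_label(spec)
  licenses = spec.licenses.reject { |l| l.to_s.strip.empty? }
  licenses.empty? ? "<unknown>" : licenses.join(", ")
end

# One aligned "name (version) => license" row per gem.
def license_report(specs)
  labels = specs.map { |s| "#{s.name} (#{s.version})" }
  width = labels.map(&:length).max
  specs.zip(labels).map { |s, label| "#{label.ljust(width)} => #{license_label(s)}" }
end

# Proposed rule: the public host refuses anything outside the whitelist;
# any other host allows the push and only warns when no license is listed.
def push_decision(spec, host)
  licenses = spec.licenses.reject { |l| l.to_s.strip.empty? }
  if host == PUBLIC_HOST
    return :refuse if licenses.empty? || !(licenses - LICENSE_WHITELIST).empty?
    :allow
  else
    licenses.empty? ? :warn : :allow
  end
end

puts license_report(SAMPLE_SPECS) if __FILE__ == $PROGRAM_NAME
```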

