NuGet package license URL has changed the meaning #9658

Open
lg2de opened this issue Dec 13, 2024 · 5 comments

@lg2de

lg2de commented Dec 13, 2024

There are several NuGet packages (e.g. System.Buffers 4.3.0) on nuget.org that use the URL http://go.microsoft.com/fwlink/?LinkId=329770 as license information.
At the time these packages were released, the URL was redirected to https://dotnet.microsoft.com/dotnet_library_license.htm.
This means that these packages are licensed under the "MICROSOFT SOFTWARE LICENSE TERMS" "MICROSOFT .NET LIBRARY".

According to archive.org, the redirect was changed to https://github.com/dotnet/core/blob/main/license-information.md on September 12, 2024. (This document was created and updated with #9069 and #9440.)
The new documentation states: "This document is provided for informative purposes only and is not itself a license."

So, old packages no longer have valid license information.
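The situation described above, as an added example that is not part of the original thread or of any NuGet tooling: a license scanner can classify a package's `.nuspec` by whether the license statement travels inside the package (`license` element) or is only a pointer (`licenseUrl`), and report the pointer-only case instead of resolving the URL. The sample manifests, package ids and function names are constructed for illustration; only the fwlink URL comes from the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifests; only the fwlink URL is taken from the issue.
LEGACY = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Legacy</id>
    <version>1.0.0</version>
    <licenseUrl>http://go.microsoft.com/fwlink/?LinkId=329770</licenseUrl>
  </metadata>
</package>"""

MODERN = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Modern</id>
    <version>1.0.0</version>
    <license type="expression">MIT</license>
    <licenseUrl>https://licenses.nuget.org/MIT</licenseUrl>
  </metadata>
</package>"""


def classify_license(nuspec_xml):
    """Return (package_id, kind, value, pinned) for one .nuspec document.

    pinned is True only when the license statement travels inside the
    package (SPDX expression or embedded file) and cannot change later.
    """
    # Index elements by local name so any nuspec schema namespace is accepted.
    found = {}
    for el in ET.fromstring(nuspec_xml).iter():
        found.setdefault(el.tag.rsplit("}", 1)[-1], el)
    pkg_id = (found["id"].text or "").strip() if "id" in found else ""
    if "license" in found:
        lic = found["license"]
        return pkg_id, lic.get("type", ""), (lic.text or "").strip(), True
    if "licenseUrl" in found:
        # A bare URL is a pointer whose target can be changed after release.
        return pkg_id, "url", (found["licenseUrl"].text or "").strip(), False
    return pkg_id, "missing", "", False


def audit(manifests):
    """Return ids of packages whose license cannot be read from the package itself."""
    return [r[0] for r in map(classify_license, manifests) if not r[3]]


if __name__ == "__main__":
    for doc in (LEGACY, MODERN):
        print(classify_license(doc))
    print("needs manual license decision:", audit([LEGACY, MODERN]))
```
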

@CarnaViire
Member

cc @richlander @jkotas @leecow

@richlander
Member

richlander commented Dec 17, 2024

I don't know why that change was made. I don't have access to that link (via our internal link database). We could change it to point to MIT but I don't know what the scope of usage is for that link.

I see that new System.Buffers packages are correctly stating their license, with the latest version.

https://github.com/dotnet/maintenance-packages/blob/51e098d3161fcc48e9f3cee414df9df3e8b0fcac/Directory.Build.props#L7

We want all license statements/references to be correct, however, if the latest supported is correct, we consider that good enough. We only support the latest version.

We wrote a document that describes which license each asset should be using: https://github.com/dotnet/runtime/blob/main/docs/project/licensing-assets.md

Related: dotnet/runtime#108905

@lg2de
Author

lg2de commented Dec 17, 2024

Older versions of packages are in the world. If you want to ensure that the packages are used under the correct license, the linked license information shall be correct.
So far I understood that these old packages are licensed under .NET Library License. So, the redirect shall point to this document.

We already have an automated process of license analysis. Please advise how to interpret the link http://go.microsoft.com/fwlink/?LinkId=329770

@richlander
Member

> So far I understood that these old packages are licensed under .NET Library License.

It's possible that some of the old packages were intended to use that license, but most of them were not. We made a variety of licensing mistakes like this over time. We didn't have a clear document written on what we were supposed to do, so we were using a more ad hoc approach. That's the part that was recently fixed.

> Please advise how to interpret the link http://go.microsoft.com/fwlink/?LinkId=329770

It is describing the license burden of using the various assets we provide. We just updated that text to make it easier to consume/understand. The update doesn't change the terms, but (hopefully) increases clarity.

@lg2de
Author

lg2de commented Jan 6, 2025

So far, the information is less clear to me.
Once you stated:

> It's possible that some of the old packages were intended to use that license, but most of them were not.

That means that some packages (which?) are licensed under .NET Library License.
But, the current document states:

> Library packages use the MIT license, for example System.Text.Json.

How to know which package is released under which license?
In the past it seems to be clear, now: total confusion.
