sry then - i should have kept that more focused - all of them will raise the same fundamental questions, whether investigated one by one or in tandem
they all have a client which fetches metadata from their repo, and offers downloads to the user - some repos may expose license declarations to the client, and some may not - the ones that do not, will not allow the simpler option of patching the client - the ones that do, will present dubious licensing information
that is because those repos allow anyone to publish to them anonymously; so the readily available licensing information (if any) is supplied by the uploader, and is not verified by anyone else - i am only asking to consider whether that information is reliable enough, without scrutinizing the code-bases, as the FSD does
the ones i looked at, declare licenses for only about 50% of the packages - that is because very few require the uploader to specify any license - some suggest it in the documentation, and some do not even suggest it - some may not even allow it
this is definitely worth considering now as a general concern - i think that the success of any one of the examples will hinge primarily on that factor alone
can we rely on the terse 'GPL3', 'MIT', 'BSD3' labels declared by anonymous uploaders, without looking at the code-base? - it is a simple question, and will be relevant to nearly all of these package managers - let us answer it now