Our group of license verifiers is not large enough to verify any of the repositories of major third-party package managers in a relevant time frame. I think we have to take the uploader's tag at face value unless we have additional information that refutes the provided information.

The crowd-sourced system of reporting packages that violate policy like the GNU bucks system [1] should suffice.

[1] https://www.gnu.org/help/gnu-bucks.html

Best,
Michael McMahon | Web Developer, Free Software Foundation
GPG Key: 4337 2794 C8AD D5CA 8FCF  FA6C D037 59DA B600 E3C0
https://fsf.org

On 8/2/23 17:02, bill-auger wrote:
that is because those repos allow anyone to publish to them anonymously; so the
readily available licensing information (if any) is supplied by the uploader,
and is not verified by anyone else - i am only asking to consider whether that
information is reliable enough, without scrutinizing the code-bases, as the FSD
does

can we rely on the terse 'GPL3', 'MIT', 'BSD3' labels declared by anonymous
uploaders, without looking at the code-base? - it is a simple question, and
will be relevant to nearly all of these package managers - let us answer it now
