Dirk, I think a local copy of the license is best. There is some complexity in linking to third party sites. Do they guarantee to serve the content to you and with what service level? This seems to be the problem that you have. Do they undertake to maintain the URL for the length of time that you need it? How long will you need it for? How will they tell you that they are stopping supporting the URL? How do you update the links to the page that are in someone else's installation of your package when the URL changes? As with the time check on package submissions, it is preferable to link, if you link, to something that is under the control of the publishing organisation itself, not a third party, unless there are some undertakings in place, so I'd suggest the R project site if you absolutely must have a remote copy. Picking a site that you have no agreement with, either implicitly or explicitly, does not cover those issues and so does not minimise the risk of that third party dependency to this business process (in this case the package check).
SPDX and the FSF Reuse tool do not appear to use the spdx website for remotely accessed copies of licenses. The license text referenced by those tools live in Github and access is described in https://github.com/spdx/license-list-data/blob/main/accessingLicenses.md and in https://github.com/spdx/license-list-data/blob/main/README.md The SPDX software BOM metadata standard appears to include the text of the licenses that it rerences instead of using external references. Similarly the FSF Reuse tool copies licenses locally. Jeff Newmiller's point about caching is a good one. It is preferable to deliver, as part of the package, the text of the license that you intend people to read, not something under someone else's control, and this is what the SPDX and FSF tools do. By relying on a link you own whatever it is that the third party serves, whether thats a license text, a connection failure, a redirect, a truncated or hacked copy, or an ad. Greg On Fri, 26 Sept 2025 at 00:47, Dirk Eddelbuettel <e...@debian.org> wrote: > > Most of the README.md files for my package list the license I chose, and > most > do so via a 'badge' showing the license and a link to the 'upstream' source > of the license. So far, so good. > > As I happen to prefer GPL licenses, I link to the fsf.org website. And > several recent package uploads of mine were upheld and moved to 'Inspect' > state forcing poor overworked Uwe Ligges to manually look at the log file > to conclude 'yep, spurious, all good here' because of a mere timeout. > > Same this morning: even after fiddling with the URL I use, testing several > times from here and noticing that 'oh dear this is apparently simply > random' > I got one pass (Dortmund, Windows) and one fail (Vienna, Linux) so back to > 'Inspect' and wasting Uwe's time it is. > > I would rather skip that step and take advantage of automation at CRAN and > not create extra work. I am not quite sure what the best way forward is. I > can think of saying 'ok, folks in Boston cannot run a server' and link to > the Wikipedia page of the GPL. Seems wrong though as we like to show the > original text. I notice that the R website does the same by providing GPL-2 > via a lopy copy: https://www.r-project.org/COPYING Now, for the package > I > was working on this morning I actually needed GPL-3 and not GPL-2 so no > luck > there. > > Short of giving up and creating a GitHub Pages hosted copy of the licenses > I > may need, is there another good source ... without the server timing out? > https://choosealicense.com/licenses/ is pretty good but doesn't of course > provide GPL-2 so no luck for me there for most of my 'GPL (>= 2)' packages. > > Anybody have a better fix or idea? Maybe use the R sources (!!) and rely on > GitHub (most likely via a CDN) serving the licenses in > > https://github.com/r-devel/r-svn/tree/main/share/licenses > https://github.com/r-devel/r-svn/blob/main/share/licenses/license.db > > where via the .db (ascii text) file ones sees that all these licenses _are_ > in fact served via > > https://www.r-project.org/Licenses/ > > which even acts as a 'pretty' landing page (which I think I once knew > existed, looked for but could not locate via links from either the > top-level > www.r-project.org or cran.r-project.org). > > So should we all link to that? > > Or not because it puts yet more load on the poor main r-project.org server > (or should we maybe CDN that or parts of it via cloudflare.com ?) > > Cheers, Dirk > > -- > dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org > > ______________________________________________ > R-package-devel@r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-package-devel > [[alternative HTML version deleted]] ______________________________________________ R-package-devel@r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-package-devel
