Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
On Fri, 2026-03-13 at 10:23 +0100, Simon Josefsson wrote:
> Peter Blackman writes:
>
> > On 09/03/2026 21:09, Peter Blackman wrote:
> > > I don't see a bug here though. While the package source may be
> > > dual licensed,
> > > the file LICENSE-APACHE is clearly Apache-2.0 licensed,
> > > and the file LICENSE-MIT is clearly MIT or Expat licensed.
> > >
> > > licensecheck and hence licenserecon are correct here.
> >
> > While there is a genuine license difference being reported,
> > on further consideration, I agree it's not a significant difference.
> >
> > Will fix.
>
> Great! I also see this, but have ignored them via debian/lrc.config.
>
> License texts are exceptional that warrant special consideration.
>
> Generally speaking, license texts are NOT licensed under itself.
>
> Compare the text of GPL-3.0 itself:
>
>   Everyone is permitted to copy and distribute verbatim copies
>   of this license document, but changing it is not allowed.
>
> Often license texts doesn't even carry any licensing information
> about itself, which makes the situation unclear at best, and at
> worst there is no rights whatsoever to the license text. Presumably
> a grant to allow copy and distribute verbatim copies of license
> texts are implied.
>
> /Simon

While it is true that the license text is not licensed as the code it refers to, in many cases the presence of a license text in a directory implies the licensing of that directory.

The problem I am reporting is that the presence of multiple licensing texts in a directory indicates that directory is licensed in multiple ways, and so calling out the individual texts which match each of these licenses is not helpful.

In cases where there is a license in a directory and it does not match the license(s) asserted for that directory in debian/copyright is very important.

Thanks,
Andrew

--
Porirua, New Zealand  +64 (27) 288 6741
Don't engineer in a crisis.
 -- Vint Cerf speaking on IPv6
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
On 13/03/2026 09:23, Simon Josefsson wrote:
> Peter Blackman writes:
>
>> On 09/03/2026 21:09, Peter Blackman wrote:
>>> I don't see a bug here though. While the package source may be dual licensed,
>>> the file LICENSE-APACHE is clearly Apache-2.0 licensed,
>>> and the file LICENSE-MIT is clearly MIT or Expat licensed.
>>>
>>> licensecheck and hence licenserecon are correct here.
>>
>> While there is a genuine license difference being reported,
>> on further consideration, I agree it's not a significant difference.
>>
>> Will fix.
>
> Great! I also see this, but have ignored them via debian/lrc.config.
>
> License texts are exceptional that warrant special consideration.
>
> Generally speaking, license texts are NOT licensed under itself.
>
> Compare the text of GPL-3.0 itself:
>
>   Everyone is permitted to copy and distribute verbatim copies
>   of this license document, but changing it is not allowed.
>
> Often license texts doesn't even carry any licensing information about
> itself, which makes the situation unclear at best, and at worst there is
> no rights whatsoever to the license text. Presumably a grant to allow
> copy and distribute verbatim copies of license texts are implied.
>
> /Simon

The license of license text is indeed a tricky area.

Originally I excluded all files called license etc. because of false positives, but a case was reported on Mentors where source files had no headers, and files with different licenses were in separate sub-directories with a LICENSE file in the parent of each tree. The d/copyright had missed these, but lrc test passed!
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
Peter Blackman writes:

> On 09/03/2026 21:09, Peter Blackman wrote:
>> I don't see a bug here though. While the package source may be dual licensed,
>> the file LICENSE-APACHE is clearly Apache-2.0 licensed,
>> and the file LICENSE-MIT is clearly MIT or Expat licensed.
>>
>> licensecheck and hence licenserecon are correct here.
>
> While there is a genuine license difference being reported,
> on further consideration, I agree it's not a significant difference.
>
> Will fix.

Great! I also see this, but have ignored them via debian/lrc.config.

License texts are exceptional that warrant special consideration.

Generally speaking, license texts are NOT licensed under itself.

Compare the text of GPL-3.0 itself:

  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.

Often license texts doesn't even carry any licensing information about itself, which makes the situation unclear at best, and at worst there is no rights whatsoever to the license text. Presumably a grant to allow copy and distribute verbatim copies of license texts are implied.

/Simon
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
On 09/03/2026 21:09, Peter Blackman wrote:
> I don't see a bug here though. While the package source may be dual licensed,
> the file LICENSE-APACHE is clearly Apache-2.0 licensed,
> and the file LICENSE-MIT is clearly MIT or Expat licensed.
>
> licensecheck and hence licenserecon are correct here.

While there is a genuine license difference being reported, on further consideration, I agree it's not a significant difference.

Will fix.
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
On 09/03/2026 18:57, Andrew McMillan wrote:
> I'll keep attaching them to this bug when I encounter them going
> forward, if you like.

No need, one example is fine.

I don't see a bug here though. While the package source may be dual licensed,
the file LICENSE-APACHE is clearly Apache-2.0 licensed,
and the file LICENSE-MIT is clearly MIT or Expat licensed.

licensecheck and hence licenserecon are correct here.

I suggest, if this is happening a lot, you could use a debian/lrc.config file in the packages, that lists these two files as exclusions.
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
On Mon, 2026-03-09 at 10:33 +, Peter Blackman wrote:
> On 09/03/2026 04:36, Andrew McMillan wrote:
> > I run lrc -s on a package with good licensing hygiene,
>
> Specific examples please!
> What packages?

Yesterday's example was in rust-memmap:

https://dfsg-new-queue.debian.org/reviews/rust-memmap/0.7.0-2

I'll keep attaching them to this bug when I encounter them going forward, if you like.

It seems to happen quite often with the newer rust-* and golang-* packages that are dual licensed like this.

Thanks!
Andrew McMillan

--
Porirua, New Zealand  +64 (27) 288 6741
Parting is such sweet sorrow.
 -William Shakespeare
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
On 09/03/2026 04:36, Andrew McMillan wrote:
> I run lrc -s on a package with good licensing hygiene,

Specific examples please!
What packages?
Bug#1130130: licenserecon: If a packages has multiple licenses and both of them are present licenserecon gets confused
Package: licenserecon
Version: 12.0
Severity: minor

I run lrc -s on a package with good licensing hygiene, but I get this kind of output when it is dual-licensed and includes a copy of each license.

===
en: Versions: licenserecon '12.0' licensecheck '3.3.9-1'

Parsing Source Tree
Reading d/copyright
Running licensecheck

d/copyright      | licensecheck

MIT or Apache-2.0| Apache-2.0      LICENSE-APACHE
MIT or Apache-2.0| Expat           LICENSE-MIT

Short option in use. Not all differences shown
===

This is very common to have dual-licensed source, and to include two LICENSE files in the root folder (or sometimes LICENSE + COPYING) and licenserecon has read the debian/copyright and decided that these files conflict with it.

When these files are present individually it absolutely does need deeper review, but when they're together in this way it is almost exactly saying that debian/copyright is correct.

Thanks,
Andrew McMillan.

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (499, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.19.6+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages licenserecon depends on:
ii  libc6         2.42-13
ii  licensecheck  3.3.9-1

licenserecon recommends no packages.

licenserecon suggests no packages.

-- no debconf information

--
Porirua, New Zealand  +64 (27) 288 6741
Weinberg's First Law: Progress is only made on alternate Fridays.
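
The rule requested in this report, as an added sketch in Python (not licenserecon's code, and not part of the original message): mismatch rows for license-text files are dropped only when the texts found together in one directory cover exactly the alternatives declared in d/copyright. The function names, the filename prefixes and the Expat/MIT alias table are assumptions made for this illustration; the first two sample rows are taken from the lrc output above, the third is constructed.

```python
import os
import re
from collections import defaultdict

# Assumption: licensecheck's "Expat" and d/copyright's "MIT" name the same licence.
ALIASES = {"expat": "mit"}

def norm(name):
    n = name.strip().lower()
    return ALIASES.get(n, n)

def alternatives(expr):
    """Split a d/copyright short name such as 'MIT or Apache-2.0' on 'or'."""
    return {norm(p) for p in re.split(r"\s+or\s+", expr.strip(), flags=re.I)}

def is_license_text(path):
    # Assumed filename prefixes; the report mentions LICENSE-* and COPYING.
    return os.path.basename(path).upper().startswith(("LICENSE", "LICENCE", "COPYING"))

def reconcile(rows):
    """rows: (d/copyright licence, licensecheck licence, path) mismatch rows.
    Returns the rows that still need human review."""
    groups = defaultdict(list)
    keep = []
    for row in rows:
        declared, _, path = row
        if is_license_text(path):
            groups[(os.path.dirname(path), declared)].append(row)
        else:
            keep.append(row)          # ordinary source files are never suppressed
    for (_, declared), group in groups.items():
        found = {norm(detected) for _, detected, _ in group}
        if found != alternatives(declared):
            keep.extend(group)        # lone or unexpected licence text: report it
    return keep

SAMPLE = [
    ("MIT or Apache-2.0", "Apache-2.0", "LICENSE-APACHE"),
    ("MIT or Apache-2.0", "Expat", "LICENSE-MIT"),
    ("MIT or Apache-2.0", "GPL-3+", "src/lib.rs"),   # constructed row
]

if __name__ == "__main__":
    for row in reconcile(SAMPLE):
        print("%-17s| %-15s %s" % row)
```

A license text that appears on its own, or in a subdirectory whose declared license it does not match, is still reported, which keeps the case described for the Mentors package visible.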

