FRidh
February 4, 2022, 8:59am
The way we handle licenses in Nixpkgs is just not correct. The license that is added in meta is typically the license of the source. The license of the built artifact is not necessarily the same.
opened 06:26PM - 09 Dec 20 UTC
0.kind: bug
9.needs: community feedback
6.topic: cuda
**Describe the bug**
In the `meta.license` of a package we typically state the … licenses that apply to the source, not the licenses that apply to the built project.
**Additional context**
The actual licenses that apply to the built package can be different. Exactly which apply is difficult to say as it depends entirely on the licenses of the source, as well as other (native) build inputs. This makes it impossible to reason about at evaluation time and near impossible by inspecting build artifacts.
Even so, it is possible to take a cautious approach by propagating licenses. This allows for example organizations to block software that *may* be GPL-licensed.
In my opinion `meta.licenses` as we have now should be part of the `src` derivation, and `meta.license` of a package should be taken from there by default. Additionally, I think we could have a `config.meta.propagateLicenses` to propagate licenses of all build inputs. I think there could be an additional switch for native build inputs.
I imagine this could need an RFC.
**Notify maintainers**
Note I have no need for this myself and merely wrote this because it again [came up on IRC](https://logs.nix.samueldr.com/nixos/2020-12-09#4344676;).
**Related issues**
- default value for packages that have no license https://github.com/NixOS/nixpkgs/issues/43231
- building of `unfreeRedistributable` packages https://github.com/NixOS/nixpkgs/issues/83884
**Considerations**
- propagating licenses may impact evaluation severely
- not propagating licenses of build tools will encourage the users of this feature to fix separation of native versus non-native inputs which is also good for cross-compilation
Checking what licenses apply to a binary is not easy. With Nix we declare the license that applies to a source, although we declare it in the derivation of the built artifact.
I’m looking for a solution that can yield for me for a derivation what components potentially leave traces, what source those are built from, and what licenses apply. Clearly, recursion plays a role here.
We do not declare in our expressions what parts leave traces. We do know that buildInputs are run-time dependencies a…
8 Likes
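A small model of the cautious propagation proposed in the quoted issue, as an added example that is not part of the post and is not Nixpkgs code. The package graph is constructed, the license names only mimic `lib.licenses` attribute names, and reporting a missing license as `unknown` is an assumption made here.

```python
# Added illustration: a model of license propagation, not Nixpkgs code.
# Constructed sample graph; package names and license assignments are invented.
PACKAGES = {
    "app": {"license": {"mit"}, "buildInputs": ["libfoo", "zlib"],
            "nativeBuildInputs": ["gen-tool"]},
    "libfoo": {"license": {"bsd3"}, "buildInputs": ["libgpl"]},
    "libgpl": {"license": {"gpl3Only"}},
    "zlib": {"license": {"zlib"}},
    "gen-tool": {"license": {"gpl2Plus"}},
    "cli": {"license": {"asl20"}, "buildInputs": ["zlib", "nolic"],
            "nativeBuildInputs": ["gen-tool"]},
    "nolic": {},  # no license declared on its source
}

# Assumption: a missing license is reported as "unknown" so a policy can deny it.
UNKNOWN = "unknown"


def propagated_licenses(name, packages, include_native=False):
    """Map each license to the packages in the input closure whose source carries it."""
    seen, stack, found = set(), [name], {}
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        pkg = packages[cur]
        for lic in pkg.get("license") or {UNKNOWN}:
            found.setdefault(lic, set()).add(cur)
        stack.extend(pkg.get("buildInputs", []))
        if include_native:  # the separate switch for native build inputs
            stack.extend(pkg.get("nativeBuildInputs", []))
    return found


def denied_hits(name, packages, denied, include_native=False):
    """Return {denied license: [packages]} for every input that may leave traces in `name`."""
    found = propagated_licenses(name, packages, include_native)
    return {lic: sorted(pkgs) for lic, pkgs in sorted(found.items()) if lic in denied}


DENY = {"gpl2Plus", "gpl3Only", UNKNOWN}

if __name__ == "__main__":
    for target in ("app", "cli"):
        for native in (False, True):
            print(target, "native" if native else "non-native",
                  denied_hits(target, PACKAGES, DENY, native))
```

The result is deliberately an over-approximation: it reports what *may* apply to the built artifact, which is the property a block-list policy needs.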