Handle packages with combined LICENSE files

[thomashoneyman]

A number of packages in the PureScript ecosystem have LICENSE files containing multiple licenses. This is for various reasons, but often this happens when a library is ported from another language (ie. Haskell) and needs to retain license contents from that library. For some examples, see:

• https://github.com/slamdata/purescript-markdown/blob/master/LICENSE
• https://github.com/purescript-contrib/purescript-parsing/blob/main/LICENSE

These license files are parsed by licensee as NOASSERTION, meaning it can't figure out what the license type is, and eventually they fail the import pipeline.

In the case of these two packages, they're combinations of MIT and BSD-2-Clause, which means we can manually fix them up when importing to the registry. However, a lot of packages are failing this way (~360 versions across ~50 packages), so it may be unrealistic that we fix them manually.

Still, these are packages that ought to be in the registry and which do have valid license files, despite the errors resulting from our attempt to parse them.

---

One possible solution: we could some sort of "resolutions" step, where if we find a license parsed as NOASSERTION, we:

1. Print the LICENSE contents to the console
2. Ask the user to review the LICENSE and manually choose licenses (providing an empty array if it's not a valid license file)
3. Save the user's manual feedback to a license-resolutions.json file
4. On subsequent runs, skip detecting from the LICENSE file if the package version is present in the license-resolutions file

This could be a reasonably quick way to run through the ~360 versions that are failing for this reason.

There may also be a more automated solution, but we start getting into diminishing returns vs. manual processing in these last few packages.

[mikesol]

Would it make sense for license to ne a nonempty array? That punts but could resolve this issue.

[thomashoneyman]

@mikesol We do parse licenses into a NonEmptyArray, and we combine the result into a valid SPDX-recognized license. A valid SPDX representation of multiple licenses combines them together using AND or OR, for example "MIT OR BSD3-Clause".

In this case, the issue is that we're not able to automatically parse the LICENSE file using the licensee CLI tool because it contains multiple licenses, and so we're going to have to parse it another way -- either writing some new code, or manually reading the LICENSE file and providing a resolution. Either way we'll produce an array of licenses, which will later be combined.

[mikesol]

Reading over the SPDX matching guidelines, here is the relevant bit:

2.1.1 Guideline: Verbatim Text License and exception text should be the same verbatim text (except for the guidelines stated here). The text should be in the same order, e.g., differently ordered paragraphs would not be considered a match.

2.1.2 Guideline: No Additional Text Matched text should only include that found in the vetted license or exception text. Where a license or exception found includes additional text or clauses, this should not be considered a match.

2.1.3 Guideline: Replaceable Text Some licenses include text that refers to the specific copyright holder or author, yet the rest of the license is exactly the same as a generic version. The intent here is to avoid the inclusion of a specific name in one part of the license resulting in a non-match where the license is otherwise an exact match (e.g., the third clause and disclaimer in the BSD licenses, or the third, fourth, and fifth clauses of Apache 1.1). In these cases, there should be a positive license match.

Being a bit pedantic, it seems like 2.1.2 would exclude license files with multiple licenses, as "License and exception text should be the same verbatim text" would be violated if there were a second or third license ("additional text" as defined in 2.1.2) in a license file. Furthermore, they state "A conservative approach is taken in regards to rules about disregarded or replaceable text.", so there would be a valid argument to stick to a literal reading of the rules.

[thomashoneyman]

That’s a good point.

Perhaps instead we should choose packages that fail for this reason that we really want in the registry and open PRs fixing their licenses (or issues asking them to). Anything in the current package set would be a good bet.

And, since this represents an invalid license, perhaps this check should also be added to the package publishing pipeline in which we verify your SPDX license before publishing.

[thomashoneyman]

These are the packages affected by this invalid license issue:

{
  "aff-bus": [
    "v1.0.0",
    "v2.0.0",
    "v3.0.0",
    "v3.0.1",
    "v3.1.0",
    "v4.0.0",
    "v5.0.0"
  ],
  "aff-future": ["v1.0.0", "v2.0.0"],
  "base58": ["v0.0.3"],
  "benchmark": ["v0.1.0"],
  "birds": ["v1.0.2"],
  "boomerang": [
    "0.0.1",
    "v0.0.10",
    "v0.0.11",
    "v0.0.12",
    "v0.0.13",
    "v0.0.14",
    "v0.0.2",
    "v0.0.3",
    "v0.0.4",
    "v0.0.5",
    "v0.0.6",
    "v0.0.7",
    "v0.0.8",
    "v0.0.9",
    "v1.0.0",
    "v1.0.1",
    "v1.1.0",
    "v1.1.1",
    "v1.2.0",
    "v1.2.1",
    "v1.3.0",
    "v1.4.0",
    "v1.5.0",
    "v1.5.1",
    "v1.6.0",
    "v1.7.0",
    "v1.8.0",
    "v1.8.1"
  ],
  "boxes": ["v1.0.0", "v1.0.1", "v1.0.2", "v2.0.0", "v2.0.1"],
  "contravariant": [
    "v0.2.1",
    "v0.2.2",
    "v0.2.3",
    "v1.0.0",
    "v1.0.0-rc.1",
    "v1.0.0-rc.2",
    "v2.0.0",
    "v3.0.0",
    "v3.1.0",
    "v3.2.0",
    "v3.3.0"
  ],
  "difference-containers": ["v0.0.2", "v1.0.0"],
  "dominator-core": ["v0.1.0", "v0.1.1"],
  "dual-tree": ["v0.0.1", "v0.0.2"],
  "elm-compat": [
    "elm-0.17",
    "elm-0.18",
    "v0.0.0",
    "v1.0.0",
    "v2.0.0",
    "v2.0.1",
    "v3.0.0",
    "v4.0.0",
    "v4.0.1",
    "v4.0.2",
    "v4.0.3",
    "v4.0.4"
  ],
  "errors": [
    "v0.1.0",
    "v0.1.1",
    "v0.1.2",
    "v0.1.3",
    "v0.1.4",
    "v0.2.0",
    "v0.3.0",
    "v1.0.0",
    "v2.0.0",
    "v2.1.0",
    "v2.2.0",
    "v2.3.0",
    "v2.4.0",
    "v3.0.0",
    "v4.0.0",
    "v4.0.1",
    "v4.1.0"
  ],
  "ethereum": [
    "0.1.0",
    "v0.1.0",
    "v0.2.1",
    "v0.2.10",
    "v0.2.2",
    "v0.2.3",
    "v0.2.4",
    "v0.2.5",
    "v0.2.6",
    "v0.2.7",
    "v0.2.8",
    "v0.2.9"
  ],
  "eulalie": ["v1.0.0", "v2.0.0", "v3.0.0", "v4.0.0", "v4.1.0", "v5.0.0"],
  "flow": ["v0.0.1", "v0.0.2"],
  "foreign-generic": [
    "v0.1.0",
    "v0.1.1",
    "v0.2.0",
    "v0.3.0",
    "v1.0.0",
    "v10.0.0",
    "v11.0.0",
    "v4.0.0",
    "v4.1.0",
    "v4.2.0",
    "v4.3.0",
    "v5.0.0",
    "v5.0.1",
    "v6.0.0",
    "v7.0.0",
    "v8.0.0",
    "v8.1.0",
    "v9.0.0"
  ],
  "free": ["v5.1.0", "v5.2.0", "v6.0.0", "v6.0.1", "v6.1.0"],
  "gl-matrix": ["v1.0.0", "v1.0.1", "v2.0.0", "v2.0.1"],
  "homogeneous": ["v0.3.0"],
  "jack": [
    "v0.0.0",
    "v0.0.1",
    "v0.0.2",
    "v0.1.0",
    "v0.2.0",
    "v1.0.0",
    "v2.0.0",
    "v3.0.0"
  ],
  "lists": [
    "v3.2.0",
    "v3.2.1",
    "v3.2.2",
    "v3.3.0",
    "v3.4.0",
    "v4.0.0",
    "v4.0.1",
    "v4.1.0",
    "v4.1.1",
    "v4.10.0",
    "v4.11.0",
    "v4.12.0",
    "v4.2.0",
    "v4.3.0",
    "v4.4.0",
    "v4.5.0",
    "v4.6.0",
    "v4.6.1",
    "v4.7.0",
    "v4.8.0",
    "v4.9.0",
    "v4.9.1"
  ],
  "logoot-core": ["v0.0.1", "v0.0.2"],
  "markdown": [
    "v1.10.0",
    "v1.11.0",
    "v1.11.1",
    "v1.12.1",
    "v1.12.2",
    "v1.5.1",
    "v1.5.2",
    "v1.6.0",
    "v1.7.0",
    "v1.7.1",
    "v1.8.0",
    "v1.9.0",
    "v1.9.1",
    "v10.0.0",
    "v11.0.0",
    "v11.0.1",
    "v12.0.0",
    "v2.0.0",
    "v2.0.1",
    "v3.0.0",
    "v3.1.0",
    "v3.1.1",
    "v3.1.2",
    "v4.0.0",
    "v5.0.0",
    "v6.0.0",
    "v7.0.0",
    "v8.0.0",
    "v8.0.1",
    "v9.0.0"
  ],
  "markdown-smolder": ["v1.0.0", "v1.1.0", "v1.2.0", "v1.3.0"],
  "metajelo": [
    "v1.0.0",
    "v1.0.1",
    "v1.1.0",
    "v2.0.0",
    "v3.0.0",
    "v3.0.1",
    "v3.1.0"
  ],
  "metajelo-web": ["v1.0.2", "v2.0.0"],
  "newtype-operator": ["v1.0.0"],
  "node-fs-extra": ["v0.1.0", "v0.1.1", "v0.1.2"],
  "node-websocket": ["v0.0.1", "v0.0.2", "v0.0.3"],
  "pair": ["v0.1.0", "v0.1.1"],
  "parsing": [
    "v0.8.0",
    "v0.8.1",
    "v1.0.0",
    "v2.0.0",
    "v2.1.0",
    "v3.0.0",
    "v3.0.1",
    "v3.1.0",
    "v3.2.0",
    "v3.2.1",
    "v4.0.0",
    "v4.1.0",
    "v4.2.0",
    "v4.2.1",
    "v4.2.2",
    "v4.3.0",
    "v4.3.1",
    "v5.0.0",
    "v5.0.1",
    "v5.0.2",
    "v5.0.3",
    "v5.1.0",
    "v6.0.0",
    "v6.0.1",
    "v6.0.2",
    "v7.0.0"
  ],
  "parsing-dataview": [
    "v1.0.0",
    "v1.0.1",
    "v1.0.2",
    "v1.1.0",
    "v1.1.1",
    "v2.0.0",
    "v2.0.1"
  ],
  "presto": [
    "0.2.1",
    "0.4.1",
    "v0.1",
    "v0.1.0",
    "v0.2.0",
    "v0.2.1",
    "v0.2.2",
    "v0.2.3",
    "v0.3.0",
    "v0.4.0"
  ],
  "presto-backend": [
    "0.0.1",
    "0.1",
    "0.1.0",
    "0.1.2",
    "0.1.3",
    "0.1.4",
    "0.1.5"
  ],
  "ps-cst": ["v0.0.1", "v1.2.0"],
  "pux": [
    "v10.0.0",
    "v11.0.0",
    "v12.0.0",
    "v13.0.0",
    "v4.0.0",
    "v4.0.1",
    "v4.1.0",
    "v5.0.0",
    "v5.0.1",
    "v5.0.2",
    "v5.0.3",
    "v6.0.0",
    "v6.0.1",
    "v7.0.0",
    "v7.1.0",
    "v7.2.0",
    "v8.0.0",
    "v8.1.0",
    "v8.2.0",
    "v8.3.0",
    "v8.4.0",
    "v8.5.0",
    "v8.6.0",
    "v8.7.0",
    "v8.8.0",
    "v8.9.0",
    "v9.0.0",
    "v9.1.0",
    "v9.2.0",
    "v9.3.0"
  ],
  "pux-redux": ["v0.1.0", "v0.1.1", "v0.1.2", "v0.2.0", "v0.2.1", "v0.2.2"],
  "pux-undo": ["v0.1.0"],
  "rest": ["v0.2.0", "v0.2.1", "v0.2.2", "v0.3.0", "v0.4.0", "v0.4.1"],
  "routing": ["v0.1.0", "v0.2.0", "v0.2.1", "v0.3.0"],
  "signal-socket": ["v1.0.0", "v1.1.0", "v2.0.0"],
  "simple-moment": [
    "v0.1.0",
    "v0.2.0",
    "v0.2.1",
    "v0.2.2",
    "v0.3.0",
    "v0.4.0",
    "v0.5.0"
  ],
  "slamdown-smolder": [
    "v1.0.0",
    "v1.1.0",
    "v1.2.0",
    "v1.3.0",
    "v2.0.0",
    "v2.0.1",
    "v2.1.0",
    "v2.2.0"
  ],
  "smolder": ["1.0.0", "1.0.1", "1.0.2"],
  "spidermonkey-ast": ["v1.0.0"],
  "split": ["v0.1.0", "v0.2.0"],
  "supply": ["v0.1.0"],
  "typelevel-lists": [
    "v0.2.0",
    "v0.3.0",
    "v0.3.1",
    "v1.0.0",
    "v1.1.0",
    "v2.0.0",
    "v2.0.1"
  ],
  "unicode": [
    "v0.0.1",
    "v1.0.0",
    "v2.0.0",
    "v2.0.1",
    "v2.0.2",
    "v3.0.0",
    "v3.0.1",
    "v3.0.2",
    "v4.0.0",
    "v4.0.1",
    "v5.0.0"
  ],
  "wrappable": ["v1.0.0"],
  "yaml-next": ["v0.1.0", "v0.2.0", "v1.0.0", "v2.0.0", "v3.0.0"],
  "zclipboard": ["v0.1.0", "v0.2.0", "v0.3.0"]
}

[thomashoneyman]

I'm going to close this issue since we'd like to treat this as an invalid SPDX license file.