Add license to package installation metadata #705
Conversation
RobbeSneyders
requested review from
ericwb,
ghugo,
lukehinds and
sigmavirus24
as code owners
There was a problem hiding this comment.
https://packaging.python.org/specifications/core-metadata/#license
This field is to denote licenses that differ from the License Trove classifiers. It's also used to distinguish a particular version. Since our classifier just notes as Apache Software License, this field is properly adding the 2.0 context.
| @@ -6,6 +6,7 @@ description-file = | |||
| author = PyCQA | |||
| author-email = code-quality@python.org | |||
| home-page = https://bandit.readthedocs.io/en/latest/ | |||
| license = Apache-2.0 license | |||
There was a problem hiding this comment.
So I remember later. According to https://packaging.python.org/specifications/core-metadata/#license, this field is to denote licenses that differ from the License Trove classifiers. It's also used to distinguish a particular version. Since our classifier just notes as Apache Software License, this field is properly adding the 2.0 context.
|
Please see my comments above. Although this fix is approved, it has nothing to do with a tool that shows UNKNOWN for the license. A separate bug should be opened on that tool as it is incorrectly determining licenses. |
Good catch, I did not know about the trove classifiers, does need to be reverted? |
No need to revert. It's fine to included a version in this example, but not for the reasons stated in the PR. Any code looking for a license should start with the classifiers, then this license field. Using importlib.metadata and only looking at "license" is the incorrect way of determining a license for a Python module. |
This PR adds the license name to the package installation metadata so it can be checked automatically with
importlib.metadata. We automatically check the license of all our dependencies this way, and bandit currently fails since it returns "UNKNOWN".