Description
Coherent.licensed itself is a build-time tool that injects a license file template into the distribution when a package is built. So far we have encountered at least two packages using it in their build scripts:
- python-portend
- python-pytest-enabler
Issues with coherent.licensed Itself
Most concerns are about reproducibility:
Coherent.licensed downloads the license file from https://raw.githubusercontent.com/spdx/license-list-data/main/text/<LICENSENAME> at build time [1], but I'm not aware of any guarantee about the checksum stability of those files.
Before writing the downloaded license, coherent.licensed also replaces the year placeholder with the year in which the package is built [2]; this is apparently unreproducible.
Indirect Impacts for Packaging
For now, at least two packages have introduced coherent.licensed, and both have removed the license file from their source code. This causes some legal problems:
For example, the MIT license, which is used by both python-{portend,pytest-enabler}, requires the license text to be included in any distribution of the software [3]:
The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
When building the project from the git repository, the copyright notice and permission notice are apparently not included in the repository. I'm not sure whether this is a violation of the MIT license.
One possible way to mitigate this is to build the project from the tarball distributions hosted on PyPI, which are generated by the project maintainers and usually contain license copies. Sadly this isn't a complete solution either. Taking the license file included in python-portend's distribution [4] as an example:
MIT License
Copyright (c) 2025 <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
USE OR OTHER DEALINGS IN THE SOFTWARE.
The copyright holder is still missing from the license.
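As an added example (not coherent.licensed's own code) covering both the year-substitution concern above and the unfilled copyright holder just shown: a small Python check that flags unfilled SPDX-style placeholders in a built LICENSE file and reports whether two builds differ only by the substituted year or by a real change in the license text. The sample license text is constructed from the excerpt above; the angle-bracket placeholder form is assumed from that excerpt.

```python
import hashlib
import re

# Constructed sample (abridged from the LICENSE quoted in this issue): the SPDX
# template text with the build year substituted but the holder left unfilled.
SAMPLE_LICENSE = """MIT License

Copyright (c) 2025 <copyright holders>

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction.
"""

# Assumption: placeholders use the angle-bracket form seen in the excerpt above.
PLACEHOLDER_RE = re.compile(r"<[^<>\n]+>")
# Only the year in the copyright line is build-dependent; leave other numbers alone.
COPYRIGHT_YEAR_RE = re.compile(r"(Copyright \(c\) )(\d{4})")


def unfilled_placeholders(text: str) -> list[str]:
    """Return template placeholders that were never filled, e.g. '<copyright holders>'."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


def normalize_year(text: str) -> str:
    """Replace the substituted copyright year with a fixed token so that two
    builds compare equal when the year is their only difference."""
    return COPYRIGHT_YEAR_RE.sub(r"\1YEAR", text)


def license_digest(text: str, ignore_year: bool = False) -> str:
    """sha256 of the license text, optionally year-normalized, for pinning or comparison."""
    data = normalize_year(text) if ignore_year else text
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def check_reproducible(build_a: str, build_b: str) -> dict:
    """Classify how the LICENSE files of two builds differ."""
    identical = license_digest(build_a) == license_digest(build_b)
    same_modulo_year = license_digest(build_a, True) == license_digest(build_b, True)
    return {
        "identical": identical,
        "differs_only_by_year": (not identical) and same_modulo_year,
        "upstream_text_drift": not same_modulo_year,  # fetched template changed
        "unfilled": unfilled_placeholders(build_a),
    }
```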
Reference: jaraco/skeleton#174
Reference: coherent-oss/system#22