[PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[David A. Wheeler]

Warn cloners if there is no LICENSE* or COPYING* file that makes
the license clear.  This is a useful warning, because if there is
no license somewhere, then local copyright laws (which forbid many uses)
and terms of service apply - and the cloner may not be expecting that.
Many projects accidentally omit a license, so this is common enough to note.
For more info on the issue, feel free to see:
http://choosealicense.com/no-license/
http://www.wired.com/2013/07/github-licenses/
https://twitter.com/stephenrwalli/status/247597785069789184

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---
 builtin/clone.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/builtin/clone.c b/builtin/clone.c
index 9572467..9863b04 100644
--- a/builtin/clone.c
+++ b/builtin/clone.c
@@ -748,6 +748,41 @@ static void dissociate_from_references(void)
 		die_errno(_("cannot unlink temporary alternates file"));
 }
 
+static int starts_with_ignore_case(const char *str, const char *prefix)
+{
+	for (; ; str++, prefix++)
+		if (!*prefix)
+			return 1;
+		else if (tolower(*str) != tolower(*prefix))
+			return 0;
+}
+
+static int contains_license(void)
+{
+	DIR *dir = opendir("."); /* Examine current directory for license. */
+	struct dirent *e;
+	struct stat st;
+	int ret = 0;
+
+	if (!dir)
+		return 0;
+
+	while ((e = readdir(dir)) != NULL)
+		if (starts_with_ignore_case(e->d_name, "license") ||
+		    starts_with_ignore_case(e->d_name, "copyright")) {
+			if (stat(e->d_name, &st))
+				continue;
+			if (st.st_size > 1) {
+				ret = 1;
+				break;
+			}
+		}
+
+	closedir(dir);
+	return ret;
+}
+
+
 int cmd_clone(int argc, const char **argv, const char *prefix)
 {
 	int is_bundle = 0, is_local;
@@ -1016,6 +1051,9 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 	junk_mode = JUNK_LEAVE_REPO;
 	err = checkout();
 
+	if (!option_no_checkout && !contains_license())
+		warning(_("Repository has no LICENSE or COPYING file with content."));
+
 	strbuf_release(&reflog_msg);
 	strbuf_release(&branch_top);
 	strbuf_release(&key);
-- 
2.1.4

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Dennis Kaarsemaker]

On za, 2015-03-21 at 14:06 -0400, David A. Wheeler wrote:
> Warn cloners if there is no LICENSE* or COPYING* file that makes
> the license clear.  This is a useful warning, because if there is
> no license somewhere, then local copyright laws (which forbid many uses)
> and terms of service apply - and the cloner may not be expecting that.

Please no, especially not without an option to switch this off. Git is
not only used in open source settings, this would be highly annoying at
$work, where no repo has (or needs) such a file.

-- 
Dennis Kaarsemaker
www.kaarsemaker.net

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Stefan Beller]

On 21.03.2015 13:21, Dennis Kaarsemaker wrote:
> On za, 2015-03-21 at 14:06 -0400, David A. Wheeler wrote:
>> Warn cloners if there is no LICENSE* or COPYING* file that makes
>> the license clear.  This is a useful warning, because if there is
>> no license somewhere, then local copyright laws (which forbid many uses)
>> and terms of service apply - and the cloner may not be expecting that.
> 
> Please no, especially not without an option to switch this off. Git is
> not only used in open source settings, this would be highly annoying at
> $work, where no repo has (or needs) such a file.
> 

To spin this further it would be interesting to have
a server advertisement during git clone which indicates
if this setting is recommended to be set.
Then hosting sites popular in the open source world such as
github could enable this feature, and the client may enable
this for the currently cloned repository (the user may have
a global setting set to suppress this message though).

At $work the default of not advertising checking for such a
feature would be set.

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Junio C Hamano]

Stefan Beller <stefanbeller@gmail.com> writes:

> To spin this further it would be interesting to have
> a server advertisement during git clone which indicates
> if this setting is recommended to be set.
> Then hosting sites popular in the open source world such as
> github could enable this feature, and the client may enable
> this for the currently cloned repository (the user may have
> a global setting set to suppress this message though).
>
> At $work the default of not advertising checking for such a
> feature would be set.

Hmm.

An open source hosting site can help better by checking at the
project creation time, because the people who interact with that
interface are solely in the position to set and publish licensing
terms.  The general consumer who are cloning and fetching do not
have direct control over this, and the only thing the could do to
nudge the publishers is with an out-of-line communication, e.g.
sending e-mails telling the publisher "I am interested in using your
ware, but you do not have licensing terms described, which makes me
wary; please improve".

An approach that checks only the top-level directory for fixed
filename pattern would not be an effective way to protect the
cloners, either.

I am personally not interested in the patch under discussion, with
or without "please be quiet" configuration.

Thanks.

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Ævar Arnfjörð Bjarmason]

On Sat, Mar 21, 2015 at 7:06 PM, David A. Wheeler <dwheeler@dwheeler.com> wrote:
> Warn cloners if there is no LICENSE* or COPYING* file that makes
> the license clear.  This is a useful warning, because if there is
> no license somewhere, then local copyright laws (which forbid many uses)
> and terms of service apply - and the cloner may not be expecting that.
> Many projects accidentally omit a license, so this is common enough to note.
> For more info on the issue, feel free to see:
> http://choosealicense.com/no-license/
> http://www.wired.com/2013/07/github-licenses/
> https://twitter.com/stephenrwalli/status/247597785069789184

As others have indicated here this feature is really specific to a
single lint-like use-case and doesn't belong in clone as a built-in
feature.

However perhaps an interesting generalization of this would be
something like a post-clone hook, obviously you couldn't store that in
.git/hooks/ like other githooks(5) since there's no repo yet, but
having it configured via the user/system config might be an
interesting feature.

If you're still interested in getting this functionality perhaps a
patch to have some general post-clone hook mechanism would be
accepted, then you could check license files or anything else you
cared about.

You could also just have a shell alias that wrapped git-clone...

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[David A. Wheeler]

Junio C Hamano:
>    An open source hosting site can help better by checking at the
>   project creation time, because the people who interact with that
>    interface are solely in the position to set and publish licensing terms.

That doesn't help with the many projects that have *already* been created.
E.G., GitHub has a license chooser now, but didn't for years, and it's still optional.
Also, repos stored as shared filesystems don't do that kind of checking.

More importantly, focusing on the "hosting site" doesn't warn people
who *clone* from repos. The people who take on legal risks are often not
the posters, but the people who clone *from* the sites.  Thus, *they* are the
ones who need the warning, and git is in an especially good spot to detect the issue.


>     The general consumer who are cloning and fetching do not
>    have direct control over this, and the only thing the could do to
>     nudge the publishers is with an out-of-line communication...

That's an option, but another option is to NOT use it. Often
people have no idea there's an issue, and in their rush and lack of warning
they forget to check the basics.


>    An approach that checks only the top-level directory for fixed
>    filename pattern would not be an effective way to protect the
>    cloners, either.

I disagree, I think it's remarkably effective. *Many* projects
do this, including git itself. After all, many humans need to find out the licensing
basics too; having a simple convention for *finding* it helps humans and tools alike.
It's not even limited to open source software; developers of proprietary materials
(software or now) *also* typically want to declare licensing.

Sure, the top-level licensing text might be incomplete, but having that information
provides a big help, and it's what most people rely on anyway. Indeed, a *lack*
of this is a sign of trouble, which is exactly what warnings are good for.

--- David A. Wheeler

(P.S. I posted this previously but it seems to have failed for some reason,
so I'm resending this in a different way.)

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Ævar Arnfjörð Bjarmason]

On Mon, Mar 23, 2015 at 5:46 PM, David A. Wheeler <dwheeler@dwheeler.com> wrote:
> Junio C Hamano:
>>    An approach that checks only the top-level directory for fixed
>>    filename pattern would not be an effective way to protect the
>>    cloners, either.
>
> I disagree, I think it's remarkably effective. *Many* projects
> do this, including git itself. After all, many humans need to find out the licensing
> basics too; having a simple convention for *finding* it helps humans and tools alike.
> It's not even limited to open source software; developers of proprietary materials
> (software or now) *also* typically want to declare licensing.
>
> Sure, the top-level licensing text might be incomplete, but having that information
> provides a big help, and it's what most people rely on anyway. Indeed, a *lack*
> of this is a sign of trouble, which is exactly what warnings are good for.

I don't think you're going to find people disagreeing with you that
it's good to have license information where appropriate, but Git is
the wrong tool to warn about this.

It's a generic content tracking tool, it shouldn't be warning on the
assumption that what you're tracking is a) an open source project and
b) that you care to be notified about some arbitrary files being
missing.

A lot of Git repositories don't care at all about licensing, and
having git-clone warn about this would just be useless noise most of
the time. E.g. anything I put on gist.github.com, the code hundreds of
people contribute to at work (we never distribute it anywhere, so a
license would be pointless). I even have open source projects myself
where there's no LICENSE or COPYING files since that would be
redundant to notices in the files themselves, but I digress.

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Kevin D]

On Sat, Mar 21, 2015 at 02:06:33PM -0400, David A. Wheeler wrote:
> Warn cloners if there is no LICENSE* or COPYING* file that makes
> the license clear.  This is a useful warning, because if there is
> no license somewhere, then local copyright laws (which forbid many uses)
> and terms of service apply - and the cloner may not be expecting that.
> Many projects accidentally omit a license, so this is common enough to note.
> For more info on the issue, feel free to see:
> http://choosealicense.com/no-license/
> http://www.wired.com/2013/07/github-licenses/
> https://twitter.com/stephenrwalli/status/247597785069789184
> 

LWN article that lead to this patch: https://lwn.net/Articles/636261/

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[David A. Wheeler]

On Sun, 22 Mar 2015 18:56:52 +0100, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> However perhaps an interesting generalization of this would be
> something like a post-clone hook, obviously you couldn't store that in
> .git/hooks/ like other githooks(5) since there's no repo yet, but
> having it configured via the user/system config might be an
> interesting feature.

Would that be acceptable to the wider group?

--- David A. Wheeler

Re: [PATCH] clone: Warn if clone lacks LICENSE or COPYING file

[Junio C Hamano]

Ævar Arnfjörð Bjarmason <avarab@gmail.com> writes:

> As others have indicated here this feature is really specific to a
> single lint-like use-case and doesn't belong in clone as a built-in
> feature.
>
> However perhaps an interesting generalization of this would be
> something like a post-clone hook, obviously you couldn't store that in
> .git/hooks/ like other githooks(5) since there's no repo yet,

Yes, and these things come from templates, and you can specify the
template source location when running "git clone".

So I do not think anything is needed on our side and it's all doable
with what the users already have, as long as we are talking about
making it only an opt-in feature.

Which means

> You could also just have a shell alias that wrapped git-clone...

is also perfectly acceptable, I would think.