Bug 1920223

Summary: Bundler script should flag null licenses for manual review
Product: Fedora
Component: nodejs-packaging
Reporter: Ben Beasley <code>
Assignee: NodeJS Packaging SIG <nodejs-sig>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 34
CC: code, mrunge, nodejs-sig, sgallagh, tchollingsworth, thrcka, zsvetlik
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nodejs-packaging-2021.06-1.fc34 nodejs-packaging-2021.06-1.fc33
Last Closed: 2021-06-11 01:13:55 UTC
Type: Bug

Description Ben Beasley 2021-01-25 20:09:46 UTC
Description of problem:

Bundled dependencies with missing license information may be silently included.

Version-Release number of selected component (if applicable):

2021.01-2.fc34

How reproducible:


Steps to Reproduce:
1. nodejs-packaging-bundler gtop 1.1.0
2. tar -xzvf /path/to/gtop-1.1.0-nm-prod.tgz
3. find node_modules_prod/ -type f -name package.json -execdir jq 'if .license==null then .name else null end' '{}' '+' | grep -vE '^null$'

Actual results:

nodejs-packaging-bundler produces no warnings or errors

find command pipeline produces:

"ansi-viewer"
"event-stream"
"term-canvas"
"sparkline"
"png-js"
"memorystream"
"buffers"

Expected results:

The packages with null or missing license field should be prominently flagged for manual review.

Additional info:

Directly running nodejs-packaging-bundler on a package with null license results in an empty *-license.txt file, regardless of dependency licenses. This is much less likely to occur accidentally and is therefore of less concern.

In some cases, the license is missing from the package.json file, but the corresponding tag in version control does have a license file. In these cases, manual review may allow the packager to verify the license and add it to the *-license.txt file and the spec file License field. For example, https://www.npmjs.com/package/png-js has no license in package.json and no license file in the NPM package, but https://github.com/foliojs/png.js/tree/v1.0.0 does have an MIT “LICENSE” file (https://github.com/foliojs/png.js/issues/32, https://github.com/foliojs/png.js/issues/47).

In other cases, dependencies may have actually been released “without a license,” or with a license not acceptable in Fedora, and so the failure to warn about null licenses may mask a serious problem.

The packaging guidelines may need to be updated to explicitly mention this situation.

Comment 1 Ben Beasley 2021-01-26 14:29:31 UTC
In case it is helpful for examining real-world cases, I have added custom tooling to check for this in nodejs-svgo. I am not necessarily proposing this approach as standard, but it may be informational:

https://src.fedoraproject.org/rpms/nodejs-svgo/tree/2a4f8a4fb431a521025dfa31f34ebd827ec74324

See check-null-licenses, which is called in %check, and the audited-null-licenses.toml exceptions file.

Comment 2 Ben Beasley 2021-02-05 17:17:48 UTC
I will note that I am *not* packaging gtop, which I used here as an example, because my own audit script revealed the https://github.com/substack/node-buffers dependency not only lacks a proper license in its package.json, but declares an “MIT/X11” license in its README.md without providing any full license text anywhere in the package; which, as https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text notes, is a requirement of the MIT license.

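The following is an added worked example, not the reporter's check-null-licenses script, the nodejs-svgo tooling, or the nodejs-packaging bundler. It does in Python what the `find ... jq` pipeline in the description does, and goes a little further: it treats an empty string, a null value and a missing field as "undeclared", understands the deprecated object and `licenses` array forms of the field, records whether the package directory ships any license text file (the gap noted in Comment 2), and skips packages listed in an `audited` set that plays the role of the audited-null-licenses.toml exceptions file. The package tree it walks is constructed in a temporary directory for the example; the package names in it are invented.

```python
"""Audit a node_modules tree for bundled packages with no declared license."""
import json
import os
import tempfile
from pathlib import Path

# File names (matched case-insensitively by prefix) that usually carry full license text.
LICENSE_FILE_PREFIXES = ("LICENSE", "LICENCE", "COPYING", "UNLICENSE")


def declared_license(manifest):
    """Return the license declared in a package.json, or None if undeclared.

    Handles the current string form ("license": "MIT"), the deprecated object
    form ("license": {"type": ..., "url": ...}) and the deprecated "licenses"
    array. Null, a missing field and an empty string all count as undeclared.
    """
    lic = manifest.get("license")
    if isinstance(lic, str) and lic.strip():
        return lic.strip()
    if isinstance(lic, dict) and isinstance(lic.get("type"), str) and lic["type"].strip():
        return lic["type"].strip()
    types = [
        entry["type"].strip()
        for entry in manifest.get("licenses") or []
        if isinstance(entry, dict) and isinstance(entry.get("type"), str) and entry["type"].strip()
    ]
    return " OR ".join(types) if types else None


def has_license_file(pkg_dir):
    """True if the package directory ships a file that looks like license text."""
    return any(
        entry.upper().startswith(LICENSE_FILE_PREFIXES)
        for entry in os.listdir(pkg_dir)
        if (pkg_dir / entry).is_file()
    )


def audit_tree(root, audited=frozenset()):
    """Walk `root` for package.json files and report packages lacking a license.

    `audited` holds "name@version" strings a packager has already reviewed by
    hand (the role of an exceptions file); those packages are skipped.
    Returns a list of finding dicts sorted by package name.
    """
    findings = []
    for manifest_path in Path(root).rglob("package.json"):
        pkg_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # A manifest we cannot parse is flagged rather than silently skipped.
            findings.append({"name": str(pkg_dir), "version": None, "license_file": False,
                             "problem": f"unreadable package.json: {exc}"})
            continue
        if not isinstance(manifest, dict) or declared_license(manifest) is not None:
            continue
        name = manifest.get("name") or pkg_dir.name
        version = manifest.get("version")
        if f"{name}@{version}" in audited:
            continue
        findings.append({"name": name, "version": version,
                         "license_file": has_license_file(pkg_dir),
                         "problem": "no license declared in package.json"})
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree():
    """Create a constructed node_modules_prod tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp()) / "node_modules_prod"
    samples = {  # invented package name -> (package.json content, extra files)
        "good-pkg": ({"name": "good-pkg", "version": "1.0.0", "license": "MIT"},
                     {"LICENSE": "MIT License ..."}),
        "legacy-pkg": ({"name": "legacy-pkg", "version": "0.1.0",
                        "licenses": [{"type": "BSD-3-Clause"}]}, {}),
        "no-license": ({"name": "no-license", "version": "2.0.0"}, {}),
        "null-license": ({"name": "null-license", "version": "0.3.1", "license": None},
                         {"README.md": "Licensed MIT/X11"}),  # claim only, no license text
        "audited": ({"name": "audited", "version": "1.0.0"}, {"LICENSE": "ISC License ..."}),
    }
    for name, (manifest, extra_files) in samples.items():
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        for fname, content in extra_files.items():
            (pkg_dir / fname).write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in audit_tree(sample_root, audited={"audited@1.0.0"}):
        print(f"{f['name']}@{f['version']}: {f['problem']}; "
              f"license file present: {f['license_file']}")
```

Run against a real unpacked bundle by passing its node_modules_prod directory to audit_tree; a finding with license_file False is the case Comment 2 describes (a README claim with no full license text anywhere in the package), while one with license_file True is a candidate for the manual review the description asks for.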
Comment 3 Ben Cotton 2021-02-09 15:43:00 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 4 Stephen Gallagher 2021-03-04 20:19:06 UTC
I've made some changes to the bundling script to have it loudly announce when dependencies are missing license metadata. Thanks for the bug report!

https://src.fedoraproject.org/rpms/nodejs-packaging/pull-request/5

Comment 5 Fedora Update System 2021-06-02 18:45:29 UTC
FEDORA-2021-0bc5704285 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0bc5704285

Comment 6 Fedora Update System 2021-06-02 18:45:32 UTC
FEDORA-2021-69c55ffcd7 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-69c55ffcd7

Comment 7 Fedora Update System 2021-06-03 01:30:57 UTC
FEDORA-2021-69c55ffcd7 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-69c55ffcd7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-69c55ffcd7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-03 19:04:58 UTC
FEDORA-2021-0bc5704285 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-0bc5704285`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0bc5704285

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-06-11 01:13:55 UTC
FEDORA-2021-0bc5704285 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-06-11 01:19:45 UTC
FEDORA-2021-69c55ffcd7 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.