build.ncl: declare + cross-source audit license_spdx (282 declared, 38 corrected; infra#193 follow-up)#236

Merged: bryan-minimal merged 3 commits into main from enrich-license-spdx, Jun 10, 2026

Conversation

bryan-minimal (Member) commented Jun 10, 2026

Declare + audit license_spdx across the package catalog (infra#193 follow-up)

Makes each package's license explicit and authoritative in build.ncl (a declared license_spdx trumps detection in the resolve chain), removes the per-build detection cost, and settles detector disagreements once and for all. What began as a 229-package backfill turned into a full cross-source license audit.

What's in the PR

1. Declared the detectable-but-undeclared set (229). Values came from the resolved license already in pkgsec.pkgs_commit_history.license — the #193 GitHub-wins backfill — so the github-vs-tarball disagreements were already settled the safe way.

2. Deep-dived the manual queue (53 of 56). The "undetectable" packages askalono + the GitHub API miss — custom LICENSE text (sqlite=blessing, postgres=PostgreSQL), prebuilt binaries (chromium-bin=BSD-3-Clause, jdk=GPL-2.0-only WITH Classpath-exception-2.0, pcre2=BSD-3-Clause WITH PCRE2-exception), or no upstream metadata — declared via per-package upstream-LICENSE verification. Version-matched the relicensing traps (terraform=BUSL-1.1, redis=AGPL-3.0-only OR SSPL-1.0, graphviz held at EPL-1.0 since the EPL-2.0 relicense postdates the pinned tag). Caught a provenance mislabel: bc is Gavin Howard's BSD-2 bc, not GNU bc.

3. Audited the auto-detected declarations and fixed three classes of askalono whole-tarball-scan artifact:

  • Compound false positives (13) — the scan folds vendored / test / per-file / data-file license text into AND-joined expressions. py-packaging (BSD-2-Clause AND Pixar) → Apache-2.0 OR BSD-2-Clause (the Pixar match was in packaging's own _spdx.py id-lookup table); dbus, tcl, libffi likewise; AND → OR for choose-one duals (cairo, gmp, nettle, less, zstd).
  • Single-license false positives (3) — scanner matched a secondary license, missed the primary: liburcu (Boehm-GC → LGPL-2.1-or-later AND …), perl (restored the Artistic arm), stack (LGPL-3.0 → BSD-3-Clause — the LGPL/GPL text was a LICENSE appendix).
  • Deprecated id forms (22) — bare GPL-2.0/GPL-3.0/AGPL-3.0/LGPL-2.1 → modern -only/-or-later, decided per each upstream's "or later" clause (e.g. linux_headers/virtio-linux → GPL-2.0-only WITH Linux-syscall-note; fio/libseccomp/grafana are genuinely -only).

CodeRabbit's inline comments are folded in — it independently flagged ~12 of the deprecated-form cases (plus autoconf → GPL-3.0-or-later WITH Autoconf-exception-3.0 and libpng → libpng-2.0); the isDeprecatedLicenseId check found all 22, and dbus/libidn2 were already corrected by the compound audit.

Validation — five independent sources

Every declared id was checked against: (1) the canonical SPDX list (729 licenses + 85 exceptions — all valid), (2) the SPDX isDeprecatedLicenseId flag (zero deprecated remain), (3) per-package upstream LICENSE files (the audit workflows), (4) the GitHub license API, and (5) Repology distro consensus (235 license-family matches; the 9 disagreements all resolved as Repology project name-collisions or variant-naming where our value is confirmed correct — jdk=OpenJDK/Temurin vs Oracle, mpc=GNU MPC vs music-player client, ut=ksdme/ut vs boost-ext/ut). minimal dump --packages parses all 368.

Coverage — 327/339 declared (96.5%)

The 12 undeclared are intentional, each with cause:

Flagged follow-up (out of scope)

chromium-bin / chromium-headless-shell-bin set source_provenance to microsoft/playwright — the binary's download vehicle, not the Chromium project. The license (BSD-3-Clause, matching the Alpine/plurality tag) is correct, but a vuln scan would match Playwright's advisories and miss Chromium's CVEs. Worth a provenance fix in a separate change.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added explicit SPDX license identifiers to package metadata across the catalog.
    • Improves license clarity and provenance for individual packages.
    • Enables better compliance reporting, auditing, and tooling that rely on standardized license metadata.
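The validation steps the description lists (every id checked against the canonical SPDX list, the isDeprecatedLicenseId flag, and AND-joined compounds treated as scanner artifacts until verified against upstream LICENSE text) can be run mechanically over the catalog. The script below is an added example written for this page, not the project's own audit tooling. It assumes build.ncl declares the license as a quoted `license_spdx = "..."` field inside attrs (the shape visible in the inline review comment on packages/eudev/build.ncl), and it uses a constructed subset of the spdx/license-list-data JSON: the field names licenseId, licenseExceptionId and isDeprecatedLicenseId are those of the real json/licenses.json and json/exceptions.json, but the entries and the sample build.ncl fragments are hand-picked for the demonstration.

```python
import json
import re

# Constructed subset of spdx/license-list-data (json/licenses.json, json/exceptions.json);
# the field names are the real ones, the entries are a hand-picked sample.
SPDX_LICENSES_JSON = """{"licenses": [
  {"licenseId": "GPL-2.0", "isDeprecatedLicenseId": true},
  {"licenseId": "GPL-2.0-only", "isDeprecatedLicenseId": false},
  {"licenseId": "GPL-2.0-or-later", "isDeprecatedLicenseId": false},
  {"licenseId": "AFL-2.1", "isDeprecatedLicenseId": false},
  {"licenseId": "BSD-2-Clause", "isDeprecatedLicenseId": false},
  {"licenseId": "Apache-2.0", "isDeprecatedLicenseId": false},
  {"licenseId": "Pixar", "isDeprecatedLicenseId": false}]}"""
SPDX_EXCEPTIONS_JSON = """{"exceptions": [
  {"licenseExceptionId": "Linux-syscall-note", "isDeprecatedLicenseId": false}]}"""

# Constructed build.ncl fragments in the catalog's shape (quoted license_spdx in attrs);
# the values mirror cases the PR discusses (deprecated id, WITH exception, AND compounds).
SAMPLE_BUILD_FILES = {
    "eudev": 'attrs = {\n  upstream_version = version,\n  license_spdx = "GPL-2.0",\n}',
    "linux_headers": 'attrs = { license_spdx = "GPL-2.0-only WITH Linux-syscall-note" }',
    "dbus": 'attrs = { license_spdx = "(AFL-2.1 OR GPL-2.0-or-later) AND GPL-2.0-or-later" }',
    "py-packaging": 'attrs = { license_spdx = "(BSD-2-Clause AND Pixar)" }',
    "broken": 'attrs = { license_spdx = "Apache-2.0 OR" }',
    "zsh": 'attrs = { upstream_version = version }',
}

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
LICENSE_FIELD_RE = re.compile(r'license_spdx\s*=\s*"([^"]*)"')


def load_spdx(licenses_json=SPDX_LICENSES_JSON, exceptions_json=SPDX_EXCEPTIONS_JSON):
    """Return (licenses, exceptions): dicts of id -> isDeprecatedLicenseId."""
    licenses = {e["licenseId"]: e["isDeprecatedLicenseId"]
                for e in json.loads(licenses_json)["licenses"]}
    exceptions = {e["licenseExceptionId"]: e["isDeprecatedLicenseId"]
                  for e in json.loads(exceptions_json)["exceptions"]}
    return licenses, exceptions


def parse_expression(text):
    """Check SPDX expression syntax (AND/OR/WITH, balanced parentheses) and
    return (license_ids, exception_ids, operators); ValueError on bad syntax."""
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError(f"unexpected characters in {text!r}")
    ids, excs, ops, depth, expect = [], [], set(), 0, "operand"
    for tok in tokens:
        if tok == "(" and expect == "operand":
            depth += 1
        elif tok == ")" and expect == "operator" and depth > 0:
            depth -= 1
        elif tok in ("AND", "OR") and expect == "operator":
            ops.add(tok)
            expect = "operand"
        elif tok == "WITH" and expect == "operator":
            expect = "exception"  # next token must be an exception id
        elif tok not in ("(", ")", "AND", "OR", "WITH") and expect != "operator":
            (ids if expect == "operand" else excs).append(tok)
            expect = "operator"
        else:
            raise ValueError(f"unexpected {tok!r} in {text!r}")
    if expect != "operator" or depth:
        raise ValueError(f"incomplete expression {text!r}")
    return ids, excs, ops


def audit_expression(text, licenses, exceptions):
    """Issues for one license_spdx value: syntax, unknown or deprecated ids, and an
    AND-compound flag (whole-tarball scans fold vendored/test text into ANDs)."""
    try:
        ids, excs, ops = parse_expression(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    issues = []
    for lid in ids:
        if lid not in licenses:
            issues.append(f"unknown-license: {lid}")
        elif licenses[lid]:
            issues.append(f"deprecated-license: {lid}")
    for eid in excs:
        if eid not in exceptions:
            issues.append(f"unknown-exception: {eid}")
        elif exceptions[eid]:
            issues.append(f"deprecated-exception: {eid}")
    if "AND" in ops:
        issues.append("review: AND-compound, verify against upstream LICENSE")
    return issues


def audit_catalog(build_files, licenses, exceptions):
    """{package: build.ncl text} -> {package: issues}; a missing field is 'undeclared'."""
    report = {}
    for pkg, text in build_files.items():
        match = LICENSE_FIELD_RE.search(text)
        report[pkg] = (["undeclared"] if match is None
                       else audit_expression(match.group(1), licenses, exceptions))
    return report


if __name__ == "__main__":
    lic, exc = load_spdx()
    for pkg, issues in audit_catalog(SAMPLE_BUILD_FILES, lic, exc).items():
        print(f"{pkg:14} {'; '.join(issues) or 'ok'}")
```

Pointing load_spdx at the full license-list-data files and audit_catalog at a glob over packages/*/build.ncl turns this into the "zero deprecated, all canonical" gate the description reports; the AND flag is deliberately a review prompt rather than an error, since compounds like the dbus expression are legitimate once confirmed against upstream.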

… infra#193 follow-up)

Adds the resolved SPDX license to the 229 build.ncl that detect a license
but did not declare one. Sourced from the DB resolved
pkgs_commit_history.license (the GitHub-wins resolution from the #193
backfill) so disagreements are already settled the safe way; no
re-detection needed. A declared license_spdx is authoritative (trumps
detection), making the license explicit + source-of-truth in build.ncl.

The 66 truly-undetectable packages (sqlite/postgres/X11/prebuilts) stay
the manual queue. Validated: minimal dump --packages parses all 368.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
coderabbitai (Bot, Contributor) commented Jun 10, 2026

📝 Walkthrough

The PR adds license_spdx metadata entries to many package build specifications in attrs. The changes are limited to build manifest metadata and do not alter package build steps, outputs, or dependencies.

Changes

Package build license metadata

Layer: Permissive identifiers
File(s): packages/abseil-cpp/build.ncl, packages/actions-runner/build.ncl, packages/agent-browser/build.ncl, packages/ast-grep/build.ncl, packages/atuin/build.ncl, packages/bat/build.ncl, packages/biff/build.ncl, packages/bottom/build.ncl, packages/c-ares/build.ncl, packages/cabal/build.ncl, packages/cmake/build.ncl, packages/cython/build.ncl, packages/dav1d/build.ncl, packages/delta/build.ncl, packages/difftastic/build.ncl, packages/dust/build.ncl, packages/expat/build.ncl, packages/eza/build.ncl, packages/file/build.ncl, packages/flit-core/build.ncl, packages/gawk/build.ncl, packages/gdbm/build.ncl, packages/gettext/build.ncl, packages/golangci-lint/build.ncl, packages/gopls/build.ncl, packages/govulncheck/build.ncl, packages/grpcurl/build.ncl, packages/grype/build.ncl, packages/helm/build.ncl, packages/hex-patch/build.ncl, packages/hexhog/build.ncl, packages/iana-etc/build.ncl, packages/icu/build.ncl, packages/imgcatr/build.ncl, packages/iproute2/build.ncl, packages/jansson/build.ncl, packages/jaq/build.ncl, packages/jnv/build.ncl, packages/jqfmt/build.ncl, packages/jsongrep/build.ncl, packages/kittyview/build.ncl, packages/lcms2/build.ncl, packages/lean/build.ncl, packages/libaom/build.ncl, packages/libass/build.ncl, packages/liberation-fonts/build.ncl, packages/libffi/build.ncl, packages/libgd/build.ncl, packages/libopus/build.ncl, packages/libpsl/build.ncl, packages/libssh2/build.ncl, packages/libuv/build.ncl, packages/libvips/build.ncl, packages/libvmaf/build.ncl, packages/libvpx/build.ncl, packages/libwebp/build.ncl, packages/libyaml/build.ncl, packages/lief/build.ncl, packages/llvm-bootstrap/build.ncl, packages/llvm/build.ncl, packages/manifold/build.ncl, packages/mermaid-ascii/build.ncl, packages/meson-python/build.ncl, packages/meson/build.ncl, packages/nasm/build.ncl, packages/nats-cli/build.ncl, packages/nats-server/build.ncl, packages/nghttp2/build.ncl, packages/nghttp3/build.ncl, packages/nickel-lsp/build.ncl, packages/nickel/build.ncl, packages/ninja/build.ncl, packages/node-lts/build.ncl, packages/node/build.ncl, packages/nushell/build.ncl, packages/onetbb/build.ncl, packages/oniguruma/build.ncl, packages/openblas/build.ncl, packages/opencode/build.ncl, packages/opencv/build.ncl, packages/openssl/build.ncl, packages/or-tools/build.ncl, packages/otel-collector/build.ncl, packages/pulumi/build.ncl, packages/py-build/build.ncl, packages/railway/build.ncl, packages/rust-arm-embedded/build.ncl, packages/scrt/build.ncl, packages/skopeo/build.ncl, packages/spire/build.ncl, packages/syft/build.ncl, packages/tailscale/build.ncl, packages/tree-sitter/build.ncl, packages/typst/build.ncl, packages/ut/build.ncl, packages/varlock/build.ncl, packages/wget/build.ncl, packages/xcb-proto/build.ncl, packages/yazi/build.ncl, packages/yq/build.ncl, packages/z3/build.ncl, packages/zellij/build.ncl, packages/zig/build.ncl, packages/zizmor/build.ncl
Summary: attrs gains license_spdx values for packages licensed under MIT, Apache-2.0, BSD variants, ISC, and other permissive identifiers.

Layer: Copyleft identifiers
File(s): packages/acl/build.ncl, packages/alsa-lib/build.ncl, packages/at-spi2-core/build.ncl, packages/atk/build.ncl, packages/attr/build.ncl, packages/autoconf/build.ncl, packages/automake/build.ncl, packages/bash-bootstrap/build.ncl, packages/bash/build.ncl, packages/binutils-arm-none-eabi/build.ncl, packages/binutils/build.ncl, packages/bison/build.ncl, packages/bzip3/build.ncl, packages/check/build.ncl, packages/coreutils/build.ncl, packages/dejagnu/build.ncl, packages/diffoscope/build.ncl, packages/diffutils/build.ncl, packages/emacs-config-dev1/build.ncl, packages/emacs/build.ncl, packages/eudev/build.ncl, packages/elfutils/build.ncl, packages/flex/build.ncl, packages/foundationdb/build.ncl, packages/fribidi/build.ncl, packages/gawk-bootstrap/build.ncl, packages/gcc-arm-none-eabi/build.ncl, packages/gcc/build.ncl, packages/ghostscript/build.ncl, packages/glibc/build.ncl, packages/gmp/build.ncl, packages/gnutls/build.ncl, packages/grep/build.ncl, packages/groff/build.ncl, packages/gurk/build.ncl, packages/gzip/build.ncl, packages/gws/build.ncl, packages/libcap-ng/build.ncl, packages/libcap/build.ncl, packages/libidn2/build.ncl, packages/libpipeline/build.ncl, packages/libseccomp/build.ncl, packages/libtool/build.ncl, packages/libunistring/build.ncl, packages/libx264/build.ncl, packages/libx265/build.ncl, packages/m4/build.ncl, packages/make/build.ncl, packages/man-db/build.ncl, packages/mpfr/build.ncl, packages/mtools/build.ncl, packages/nano/build.ncl, packages/nettle/build.ncl, packages/pango/build.ncl, packages/patch/build.ncl, packages/patchelf/build.ncl, packages/pciutils/build.ncl, packages/perl/build.ncl, packages/picocom/build.ncl, packages/procps-ng/build.ncl, packages/screen/build.ncl, packages/sed/build.ncl, packages/setuptools/build.ncl, packages/shadow/build.ncl, packages/shellcheck/build.ncl, packages/stack/build.ncl, packages/teamtype/build.ncl, packages/time/build.ncl, packages/tar/build.ncl, packages/tmux/build.ncl, packages/util-linux/build.ncl, packages/virtio-linux/build.ncl, packages/weathr/build.ncl
Summary: attrs gains license_spdx values that are GPL/LGPL/AGPL/MPL-based, including several compound expressions and exception-bearing identifiers.

Layer: Composite and package-specific identifiers
File(s): packages/bzip2/build.ncl, packages/dfu-util/build.ncl, packages/dnsutils/build.ncl, packages/libpng/build.ncl, packages/liburcu/build.ncl, packages/libxdmcp/build.ncl, packages/libxdamage/build.ncl, packages/libxshmfence/build.ncl, packages/libxcb/build.ncl, packages/libxau/build.ncl, packages/ncurses/build.ncl, packages/nginx/build.ncl, packages/nss/build.ncl, packages/pkgconf/build.ncl, packages/prek/build.ncl, packages/ripgrep/build.ncl, packages/socat/build.ncl, packages/tcl/build.ncl, packages/unzip/build.ncl, packages/xorgproto/build.ncl, packages/zlib/build.ncl, packages/zstd/build.ncl
Summary: attrs gains license_spdx values that are composite SPDX expressions or package-specific identifiers such as bzip2-1.0.6, pkgconf, Info-ZIP, Zlib, and multi-license expressions.

Sequence Diagram(s)

None.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hop through manifests, line by line,
SPDX tags bloom in a tidy vine.
MIT, GPL, and Apache too,
Little license carrots, fresh and new.
My whiskers twitch at each build spec glow,
Then off I bounce—review complete, ho!


coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 19

🧹 Nitpick comments (1)
packages/gawk-bootstrap/build.ncl (1)

43-46: 💤 Low value

Missing Attrs type annotation on attrs block.

The attrs block on line 43 is missing the | Attrs type annotation that is present in other files (e.g., file/build.ncl line 86, findutils/build.ncl line 67). While this doesn't affect the license_spdx addition in this PR, consider adding the annotation for consistency.

♻️ Proposed fix to add type annotation
-  attrs = {
+  attrs = {
     upstream_version = version,
     license_spdx = "GPL-3.0-only",
-  },
+  } | Attrs,
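Review bot: the first two lines of this hunk, `-  attrs = {` and `+  attrs = {`, are byte-identical, so the only real change is the closing line becoming `} | Attrs,`; drop the no-op pair so the proposed fix shows just the annotation. Since `| Attrs` applies the Attrs contract to the whole block, re-run `minimal dump --packages` (the validation the PR already relies on) after applying it, so that any field the contract rejects in gawk-bootstrap's attrs surfaces before merge.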

Note: You'll also need to import Attrs on line 1:

-let { BuildSpec, Local, OutputBin, OutputData, OutputLib, Source, .. } = import "minimal.ncl" in
+let { Attrs, BuildSpec, Local, OutputBin, OutputData, OutputLib, Source, .. } = import "minimal.ncl" in
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/gawk-bootstrap/build.ncl` around lines 43 - 46, The attrs block in
build.ncl lacks the consistent type annotation; add the union type annotation by
changing the attrs declaration to include "| Attrs" (i.e., use the same typed
attrs pattern as other files) and import the Attrs symbol at the top of the file
so the annotation resolves; update the attrs declaration and add the Attrs
import near the existing imports to match the style used in file/build.ncl and
findutils/build.ncl.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/autoconf/build.ncl`:
- Line 36: Update the SPDX expression stored in the license_spdx variable for
the Autoconf package: replace the incorrect "(GPL-2.0-only AND GPL-3.0-only)"
value with the correct "GPL-3.0-or-later WITH Autoconf-exception-3.0" string so
the license_spdx reflects GPL-3.0-or-later plus the Autoconf Configure Script
Exception (Autoconf-exception-3.0).

In `@packages/bzip3/build.ncl`:
- Line 51: Update the SPDX license identifier by changing the value assigned to
the license_spdx variable from "LGPL-3.0" to "LGPL-3.0-only" in the build.ncl
manifest; locate the license_spdx assignment and replace the string literal to
reflect upstream’s LGPL-3.0-only licensing.

In `@packages/dbus/build.ncl`:
- Line 54: The SPDX expression in build.ncl uses license_spdx =
"(BSD-3-Clause-HP AND FSFULLRWD)"; verify that this reflects dbus’s actual
licensing (i.e., both licenses apply conjunctively to the same content) rather
than an OR/dual-license or file‑scoped split, and update the license_spdx value
accordingly; inspect upstream dbus license headers/COPYING to determine whether
you should use AND, OR, or a combined per‑file expression and then replace the
license_spdx token in the file with the correct canonical SPDX expression (using
the SPDX identifiers BSD-3-Clause-HP and FSFULLRWD as appropriate).

In `@packages/emacs-config-dev1/build.ncl`:
- Line 191: The SPDX identifier used in the build.ncl is deprecated: update the
license_spdx value (the license_spdx symbol) to a current SPDX identifier by
replacing "GPL-3.0" with either "GPL-3.0-only" or "GPL-3.0-or-later" to reflect
the project’s licensing intent; choose the correct one for your project and
ensure any related documentation or metadata is consistent with that choice.

In `@packages/eudev/build.ncl`:
- Line 39: The SPDX identifier in the build.ncl entry uses the deprecated
"GPL-2.0"; update the license_spdx value to a current SPDX identifier by
replacing "GPL-2.0" with either "GPL-2.0-only" if the code is licensed strictly
under v2, or "GPL-2.0-or-later" if the "or later" clause applies; modify the
license_spdx assignment in the file (the license_spdx symbol) accordingly so the
project uses a valid SPDX identifier.

In `@packages/fio/build.ncl`:
- Line 44: Update the SPDX identifier assigned to the license_spdx field: change
the current value "GPL-2.0" to "GPL-2.0-only" in the build.ncl entry where
license_spdx is defined so it accurately reflects fio's GPLv2-only licensing.

In `@packages/fribidi/build.ncl`:
- Line 43: Replace the legacy SPDX string used in the build manifest: update the
license_spdx variable (currently set to "LGPL-2.1") to the explicit SPDX
identifier that matches upstream (either "LGPL-2.1-only" if the project is
licensed strictly under v2.1, or "LGPL-2.1-or-later" if the notice allows later
versions); verify the upstream license text to choose the correct one and then
set license_spdx accordingly.

In `@packages/grafana/build.ncl`:
- Line 54: Update the license_spdx value from "AGPL-3.0" to the canonical
"AGPL-3.0-only": locate the license_spdx assignment (currently set to
"AGPL-3.0") and change the string to "AGPL-3.0-only", preserving surrounding
syntax/commas so the build.ncl remains valid.

In `@packages/gurk/build.ncl`:
- Line 46: The package sets license_spdx = "AGPL-3.0" which is deprecated;
update the value of the license_spdx field in packages/gurk/build.ncl (the
license_spdx variable) to the correct SPDX identifier used by gurk-rs
upstream—either "AGPL-3.0-only" or "AGPL-3.0-or-later" as appropriate—so replace
"AGPL-3.0" with the chosen canonical identifier.

In `@packages/libcap-ng/build.ncl`:
- Line 56: Update the deprecated SPDX value in packages/libcap-ng/build.ncl by
replacing the bare "GPL-2.0" assigned to license_spdx with a correct SPDX
expression covering both licenses used in the repo (the utilities/scripts under
GPL-2.0-or-later and core under LGPL-2.1-or-later); set license_spdx to an
expression such as "LGPL-2.1-or-later OR GPL-2.0-or-later" (or an equivalent
SPDX expression) so the metadata accurately reflects both licenses.

In `@packages/libidn2/build.ncl`:
- Line 39: The SPDX expression assigned to license_spdx in the libidn2 package
is incorrect (uses AND and GPL-3.0-only); replace it with the correct upstream
expression for the library, e.g. "GPL-2.0-or-later OR LGPL-3.0-or-later" by
updating the license_spdx value in build.ncl, and if you're declaring the whole
package (including tools/tests/examples) add "OR GPL-3.0-or-later" to the
expression so the final SPDX matches upstream component scope.

In `@packages/libpng/build.ncl`:
- Line 41: The license_spdx value is outdated for libpng 1.6.58: update the
license_spdx variable (the assignment named license_spdx in the build.ncl for
libpng) from "libpng-1.6.35" to the correct SPDX identifier "libpng-2.0" so it
matches PNG Reference Library License v2 used by version 1.6.58; ensure no other
license fields conflict after the change.

In `@packages/libseccomp/build.ncl`:
- Line 43: Update the SPDX license identifier value to the correct modern
identifier by changing the license_spdx assignment in build.ncl from "LGPL-2.1"
to "LGPL-2.1-only" (i.e., locate the license_spdx = "LGPL-2.1" entry and set it
to "LGPL-2.1-only").

In `@packages/libusb/build.ncl`:
- Line 38: The SPDX identifier used in the build config is deprecated: update
the value of license_spdx (in packages/libusb/build.ncl) from "LGPL-2.1" to the
correct SPDX token that matches project intent—either "LGPL-2.1-only" or
"LGPL-2.1-or-later"—so change the license_spdx assignment accordingly (e.g., set
license_spdx = "LGPL-2.1-only" if the project intends only that version).

In `@packages/libvips/build.ncl`:
- Line 59: The SPDX identifier used in the build manifest is deprecated: update
the license_spdx value (the variable named license_spdx) to an explicit form
such as "LGPL-2.1-only" or "LGPL-2.1-or-later" that matches libvips' actual
licensing terms; replace the current "LGPL-2.1" string with the chosen explicit
identifier so SPDX tooling and compliance checks are correct.

In `@packages/patchelf/build.ncl`:
- Line 36: Update the package metadata to reflect the correct SPDX expression:
change the license_spdx value from "GPL-3.0" to "GPL-3.0-or-later" so it matches
the upstream COPYING wording; locate the license_spdx assignment in the
build.ncl (symbol: license_spdx) and replace the string literal accordingly.

In `@packages/pciutils/build.ncl`:
- Line 40: The license_spdx field currently uses the deprecated value "GPL-2.0";
update the license_spdx entry in the build.ncl (the license_spdx assignment) to
the correct SPDX identifier "GPL-2.0-or-later" so it reflects “GPL version 2, or
any later version”.

In `@packages/shellcheck/build.ncl`:
- Line 41: Update the license_spdx value to the correct SPDX identifier by
changing the variable license_spdx from "GPL-3.0" to "GPL-3.0-or-later"; locate
the declaration named license_spdx in the build.ncl for the ShellCheck package
and replace the string literal accordingly.

In `@packages/teamtype/build.ncl`:
- Line 38: The SPDX identifier is wrong: update the license_spdx assignment in
packages/teamtype/build.ncl from "AGPL-3.0" to "AGPL-3.0-or-later" so it matches
the LICENSE.md wording; locate the license_spdx declaration and replace the
string value accordingly to reflect the "or-later" variant.

---

Nitpick comments:
In `@packages/gawk-bootstrap/build.ncl`:
- Around line 43-46: The attrs block in build.ncl lacks the consistent type
annotation; add the union type annotation by changing the attrs declaration to
include "| Attrs" (i.e., use the same typed attrs pattern as other files) and
import the Attrs symbol at the top of the file so the annotation resolves;
update the attrs declaration and add the Attrs import near the existing imports
to match the style used in file/build.ncl and findutils/build.ncl.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fe8173fe-2a18-47f9-9e98-0c8ba46d0731

📥 Commits

Reviewing files that changed from the base of the PR and between 0a675d1 and ca36303.

📒 Files selected for processing (229)
  • packages/abseil-cpp/build.ncl
  • packages/acl/build.ncl
  • packages/actions-runner/build.ncl
  • packages/age/build.ncl
  • packages/agent-browser/build.ncl
  • packages/alex/build.ncl
  • packages/alsa-lib/build.ncl
  • packages/ast-grep/build.ncl
  • packages/at-spi2-core/build.ncl
  • packages/atk/build.ncl
  • packages/attr/build.ncl
  • packages/atuin/build.ncl
  • packages/autoconf/build.ncl
  • packages/automake/build.ncl
  • packages/bash-bootstrap/build.ncl
  • packages/bash/build.ncl
  • packages/bat/build.ncl
  • packages/biff/build.ncl
  • packages/binutils-arm-none-eabi/build.ncl
  • packages/binutils/build.ncl
  • packages/bison/build.ncl
  • packages/bottom/build.ncl
  • packages/bzip2/build.ncl
  • packages/bzip3/build.ncl
  • packages/c-ares/build.ncl
  • packages/cabal/build.ncl
  • packages/cairo/build.ncl
  • packages/check/build.ncl
  • packages/clipper2/build.ncl
  • packages/cmake/build.ncl
  • packages/coreutils/build.ncl
  • packages/cython/build.ncl
  • packages/dav1d/build.ncl
  • packages/dbus/build.ncl
  • packages/dejagnu/build.ncl
  • packages/delta/build.ncl
  • packages/dfu-util/build.ncl
  • packages/diffoscope/build.ncl
  • packages/difftastic/build.ncl
  • packages/diffutils/build.ncl
  • packages/dnsutils/build.ncl
  • packages/dust/build.ncl
  • packages/elfutils/build.ncl
  • packages/emacs-config-dev1/build.ncl
  • packages/emacs/build.ncl
  • packages/eudev/build.ncl
  • packages/expat/build.ncl
  • packages/eza/build.ncl
  • packages/file/build.ncl
  • packages/findutils/build.ncl
  • packages/fio/build.ncl
  • packages/flex/build.ncl
  • packages/flit-core/build.ncl
  • packages/foundationdb/build.ncl
  • packages/fribidi/build.ncl
  • packages/gawk-bootstrap/build.ncl
  • packages/gawk/build.ncl
  • packages/gcc-arm-none-eabi/build.ncl
  • packages/gcc/build.ncl
  • packages/gdbm/build.ncl
  • packages/gettext/build.ncl
  • packages/ghc/build.ncl
  • packages/ghostscript/build.ncl
  • packages/glibc/build.ncl
  • packages/gmp/build.ncl
  • packages/gnutls/build.ncl
  • packages/golangci-lint/build.ncl
  • packages/gopls/build.ncl
  • packages/govulncheck/build.ncl
  • packages/gperf/build.ncl
  • packages/gradle/build.ncl
  • packages/grafana/build.ncl
  • packages/grep/build.ncl
  • packages/groff/build.ncl
  • packages/grpcurl/build.ncl
  • packages/grype/build.ncl
  • packages/gtest/build.ncl
  • packages/gurk/build.ncl
  • packages/gws/build.ncl
  • packages/gzip/build.ncl
  • packages/happy/build.ncl
  • packages/helm/build.ncl
  • packages/hex-patch/build.ncl
  • packages/hexhog/build.ncl
  • packages/iana-etc/build.ncl
  • packages/icu/build.ncl
  • packages/imgcatr/build.ncl
  • packages/inetutils/build.ncl
  • packages/iproute2/build.ncl
  • packages/jansson/build.ncl
  • packages/jaq/build.ncl
  • packages/jnv/build.ncl
  • packages/jqfmt/build.ncl
  • packages/jsongrep/build.ncl
  • packages/kittyview/build.ncl
  • packages/lcms2/build.ncl
  • packages/lean/build.ncl
  • packages/less/build.ncl
  • packages/libaom/build.ncl
  • packages/libass/build.ncl
  • packages/libcap-ng/build.ncl
  • packages/libcap/build.ncl
  • packages/liberation-fonts/build.ncl
  • packages/libffi/build.ncl
  • packages/libgd/build.ncl
  • packages/libidn2/build.ncl
  • packages/libopus/build.ncl
  • packages/libpipeline/build.ncl
  • packages/libpng/build.ncl
  • packages/libpsl/build.ncl
  • packages/libseccomp/build.ncl
  • packages/libsodium/build.ncl
  • packages/libssh2/build.ncl
  • packages/libsvtav1/build.ncl
  • packages/libtool/build.ncl
  • packages/libunistring/build.ncl
  • packages/liburcu/build.ncl
  • packages/libusb/build.ncl
  • packages/libuv/build.ncl
  • packages/libvips/build.ncl
  • packages/libvmaf/build.ncl
  • packages/libvpx/build.ncl
  • packages/libwebp/build.ncl
  • packages/libx264/build.ncl
  • packages/libx265/build.ncl
  • packages/libxau/build.ncl
  • packages/libxcb/build.ncl
  • packages/libxcrypt/build.ncl
  • packages/libxdamage/build.ncl
  • packages/libxdmcp/build.ncl
  • packages/libxshmfence/build.ncl
  • packages/libyaml/build.ncl
  • packages/lief/build.ncl
  • packages/linux_headers/build.ncl
  • packages/llvm-bootstrap/build.ncl
  • packages/llvm/build.ncl
  • packages/m4/build.ncl
  • packages/make/build.ncl
  • packages/man-db/build.ncl
  • packages/manifold/build.ncl
  • packages/mermaid-ascii/build.ncl
  • packages/mermaid-cli/build.ncl
  • packages/meson-python/build.ncl
  • packages/meson/build.ncl
  • packages/mpfr/build.ncl
  • packages/mtools/build.ncl
  • packages/nano/build.ncl
  • packages/nasm/build.ncl
  • packages/nats-cli/build.ncl
  • packages/nats-server/build.ncl
  • packages/ncurses/build.ncl
  • packages/nettle/build.ncl
  • packages/nghttp2/build.ncl
  • packages/nghttp3/build.ncl
  • packages/nginx/build.ncl
  • packages/nickel-lsp/build.ncl
  • packages/nickel/build.ncl
  • packages/ninja/build.ncl
  • packages/node-lts/build.ncl
  • packages/node/build.ncl
  • packages/nss/build.ncl
  • packages/numpy/build.ncl
  • packages/nushell/build.ncl
  • packages/onetbb/build.ncl
  • packages/oniguruma/build.ncl
  • packages/openblas/build.ncl
  • packages/opencode/build.ncl
  • packages/opencv/build.ncl
  • packages/openssl/build.ncl
  • packages/or-tools/build.ncl
  • packages/otel-collector/build.ncl
  • packages/pango/build.ncl
  • packages/patch/build.ncl
  • packages/patchelf/build.ncl
  • packages/pciutils/build.ncl
  • packages/perl/build.ncl
  • packages/picocom/build.ncl
  • packages/pkgconf/build.ncl
  • packages/prek/build.ncl
  • packages/probe-rs/build.ncl
  • packages/procps-ng/build.ncl
  • packages/procs/build.ncl
  • packages/pulumi/build.ncl
  • packages/py-build/build.ncl
  • packages/py-packaging/build.ncl
  • packages/pyproject-hooks/build.ncl
  • packages/pyproject-metadata/build.ncl
  • packages/railway/build.ncl
  • packages/readline/build.ncl
  • packages/ripgrep/build.ncl
  • packages/rust-arm-embedded/build.ncl
  • packages/screen/build.ncl
  • packages/scrt/build.ncl
  • packages/sed/build.ncl
  • packages/setuptools/build.ncl
  • packages/shadow/build.ncl
  • packages/shellcheck/build.ncl
  • packages/skopeo/build.ncl
  • packages/socat/build.ncl
  • packages/spire/build.ncl
  • packages/stack/build.ncl
  • packages/starship/build.ncl
  • packages/stlink/build.ncl
  • packages/syft/build.ncl
  • packages/tailscale/build.ncl
  • packages/tar/build.ncl
  • packages/tcl/build.ncl
  • packages/teamtype/build.ncl
  • packages/time/build.ncl
  • packages/tmux/build.ncl
  • packages/tree-sitter/build.ncl
  • packages/typst/build.ncl
  • packages/unzip/build.ncl
  • packages/ut/build.ncl
  • packages/util-linux/build.ncl
  • packages/varlock/build.ncl
  • packages/virtio-linux/build.ncl
  • packages/weathr/build.ncl
  • packages/wget/build.ncl
  • packages/xcb-proto/build.ncl
  • packages/xorgproto/build.ncl
  • packages/yazi/build.ncl
  • packages/yq/build.ncl
  • packages/z3/build.ncl
  • packages/zellij/build.ncl
  • packages/zig/build.ncl
  • packages/zizmor/build.ncl
  • packages/zlib/build.ncl
  • packages/zstd/build.ncl

Comment thread packages/eudev/build.ncl (Outdated)

    attrs =
    {
    upstream_version = version,
    license_spdx = "GPL-2.0",

coderabbitai (Bot, Contributor) commented:
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use current SPDX identifier for GPL-2.0.

GPL-2.0 is deprecated in SPDX License List 3.0+. Use GPL-2.0-only (if no "or later" clause) or GPL-2.0-or-later (if "or later" clause applies).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/eudev/build.ncl` at line 39, The SPDX identifier in the build.ncl
entry uses the deprecated "GPL-2.0"; update the license_spdx value to a current
SPDX identifier by replacing "GPL-2.0" with either "GPL-2.0-only" if the code is
licensed strictly under v2, or "GPL-2.0-or-later" if the "or later" clause
applies; modify the license_spdx assignment in the file (the license_spdx
symbol) accordingly so the project uses a valid SPDX identifier.

bryan-minimal and others added 2 commits June 9, 2026 19:22
Deep dive on the license_spdx coverage gap, two threads:

1. Manual queue — the "undetectable" packages askalono + the GitHub license
   API miss (custom LICENSE text, prebuilt binaries with no scannable source,
   or no upstream metadata). Declared canonical SPDX for 53 via per-package
   upstream-LICENSE verification: sqlite=blessing, postgres=PostgreSQL,
   redis=AGPL-3.0/SSPL (v8 era), terraform=BUSL-1.1, jdk=GPL-2.0 WITH
   Classpath-exception, pcre2=BSD-3 WITH PCRE2-exception, etc. bc corrected to
   BSD-2-Clause (the pinned 7.x is Gavin Howard's bc, not GNU bc). graphviz held
   at EPL-1.0 (the EPL-2.0 relicense postdates the pinned 14.1.1).
   3 stay undeclared with cause: android-sdk + claude-code (proprietary, no SPDX
   id), zsh (custom permissive license, no SPDX id). 7 internal/meta packages
   (base, toolchain, ...) and mono (rides with PR #233) excluded by design.

2. Compound-expression audit — the whole-tarball askalono scan over-matches,
   folding license text from vendored deps / test fixtures / data files /
   per-file headers into AND-joined expressions. Verified all 13 compounds
   against the real upstream LICENSE files:
   - false positives dropped: py-packaging (Pixar — matched packaging's OWN
     _spdx.py id lookup table, not a grant), tcl (SMLNJ), dbus (BSD-3-Clause-HP
     + FSFULLRWD — 0 hits across the source tree), libffi (GPL from build files)
   - AND->OR for choose-one duals: cairo, gmp, nettle, less, zstd
   - restored dropped options: gmp + nettle LGPL
   - precise exceptions: socat (openvpn-openssl-exception), autoconf
     (Autoconf-exception-generic-3.0)
   - dbus kept as (AFL-2.1 OR GPL-2.0-or-later) AND GPL-2.0-or-later: the
     package ships GPL-only dbus-* tools alongside the dual-licensed core.

Coverage 96.5% (327/339 packages). All 368 parse (minimal dump --packages).
Every declared id re-validated against the canonical SPDX list (729 licenses
+ 85 exceptions).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… cross-source audit)

Final-pass corrections after auditing the auto-detected declarations against
five independent sources: the SPDX canonical list, the SPDX isDeprecatedLicenseId
flag, per-package upstream LICENSE files, the GitHub license API, and Repology
distro consensus.

Single-license false positives (rare-id spot check — askalono matched a
secondary/vendored license and missed the primary):
- liburcu  Boehm-GC          -> LGPL-2.1-or-later AND LGPL-2.1-only AND MIT AND Boehm-GC
- perl     GPL-1.0-only      -> Artistic-1.0-Perl OR GPL-1.0-or-later
- stack    LGPL-3.0-only     -> BSD-3-Clause  (the LGPL/GPL-v3 text was a LICENSE appendix)

Deprecated SPDX id forms -> modern -only/-or-later, decided per the upstream
"or later" clause (CodeRabbit flagged ~12; the isDeprecatedLicenseId check found
all 22):
- fio GPL-2.0-only, libseccomp LGPL-2.1-only, grafana/gurk AGPL-3.0-only,
  bzip3 LGPL-3.0-only  (the explicit -only cases, verified against upstream)
- check/eudev/fribidi/libusb/libvips LGPL-2.1-or-later, patchelf/shellcheck/weathr/
  emacs-config-dev1 GPL-3.0-or-later, pciutils/picocom GPL-2.0-or-later,
  teamtype AGPL-3.0-or-later
- linux_headers/virtio-linux GPL-2.0-only WITH Linux-syscall-note (kernel is v2-only)
- compounds: libcap-ng (GPL-2.0-or-later AND LGPL-2.1-or-later), util-linux
  (GPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-3-Clause), libxcrypt
  (LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD)
- CR items: autoconf -> GPL-3.0-or-later WITH Autoconf-exception-3.0 (the
  autoconf-specific exception, not the generic one), libpng -> libpng-2.0

All 368 parse (minimal dump --packages). Every declared id re-validated:
canonical SPDX, zero deprecated. Repology cross-check: 235 license-family
matches, 9 disagreements all resolved (X11-variant naming, or Repology
project name-collisions where our value is confirmed correct via the GitHub
API: jdk=OpenJDK/Temurin vs Oracle, mpc=GNU MPC vs music-player client,
ut=ksdme/ut vs boost-ext/ut).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@bryan-minimal bryan-minimal changed the title build.ncl: declare license_spdx for 229 packages (license enrichment, infra#193 follow-up) build.ncl: declare + cross-source audit license_spdx (282 declared, 38 corrected; infra#193 follow-up) Jun 10, 2026
@bryan-minimal bryan-minimal added this pull request to the merge queue Jun 10, 2026
Merged via the queue into main with commit 1975757 Jun 10, 2026
4 checks passed
@bryan-minimal bryan-minimal deleted the enrich-license-spdx branch June 10, 2026 03:23