When using Rust to create binary applications (e.g. *.exe
files for Windows), I might have to comply with a number of third party licenses.
Luckily, many crates are published under liberal (non-viral) licenses and there already exists `cargo tree -f "{p} {l}"`, which lists all dependencies including their license according to the SPDX license identifier.
There is also the `cargo-deny` crate, which allows you to automatically check that all licenses are either whitelisted or approved by the FSF or OSI (whichever you want to require).
However, even if many used licenses are pretty liberal, they still require attribution in regard to the author(s)/copyright holder(s). When I distribute something that includes 3rd party code (such as a binary), I have to ensure that all relevant licenses are bundled with my product. At the same time, I don't want to include licenses or authorship information for components that are not included in the final product (e.g. build dependencies or dependencies for other platforms).
I have found the following tools:
But testing these, I was greatly disappointed. For example, `cargo-about` seems to create different output depending on how I select a "threshold" for "detecting" licenses. I don't want to detect which license is used (I have `cargo deny` to do that), I simply want to copy all licenses and authorship information into a folder. The other choice, `cargo-bundle-licenses`, doesn't seem to be configurable in regard to the build target, and I don't like the output format options.
Which other possibilities do I have? I ended up writing a quick-and-dirty script, which parses the output of `cargo tree --target=x86_64-pc-windows-msvc -e normal --prefix none` and then copies all `LICENSE*`, `License*`, `license*`, `COPYING*` files from `~/.cargo/registry/src/index.crates.io-…/{package}-{version}/`. I then have to manually check if some packages have no license file and decide on a case-by-case basis what to do.
It's not too much work to do that once, but it is somewhat painful when updating dependencies on a regular basis in the future.
Is there any better option?
Why doesn't crates.io require specifying a license file in addition to the SPDX identifier? For me, as a package creator, `cargo` even discourages me from specifying the license file in the manifest:

```
warning: only one of `license` or `license-file` is necessary
`license` should be used if the package license can be expressed with a standard SPDX expression.
`license-file` should be used if the package uses a non-standard license.
See https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields for more information.
```
I feel like it's a design flaw to not support (or even require) a more machine-processable way of license management / attribution when it comes to the particular license texts (i.e. with word-by-word correctness including the copyright notices).
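As an added example (not the poster's own script), here is one way to do the cargo tree parsing and license-file copying described above in Python. It assumes the unpacked registry sources live under `~/.cargo/registry/src/index.crates.io-<hash>` (the hash is found by glob), and it goes slightly beyond the text by skipping path/git dependencies, which are not in the registry, and by returning the crates that ship no license file so they can be reviewed by hand.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path

# With --prefix none, cargo tree prints one "<name> v<version> ..." line per edge, so a
# crate repeats; "(*)" marks a repeat, "(proc-macro)" is harmless, and a parenthesised
# path or URL means a path/git dependency that is not in the registry cache.
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+) v(?P<version>\S+)(?P<rest>.*)$")
NON_REGISTRY_RE = re.compile(r"\((?!\*\)|proc-macro)")
# Same file-name patterns as the question's script, matched per crate directory.
LICENSE_GLOBS = ("LICENSE*", "License*", "license*", "COPYING*")


def parse_tree(output: str) -> list[tuple[str, str]]:
    """Unique (name, version) pairs of registry crates, in first-seen order."""
    seen: dict[tuple[str, str], None] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and not NON_REGISTRY_RE.search(m["rest"]):
            seen.setdefault((m["name"], m["version"]), None)
    return list(seen)


def license_files(registry_src, name: str, version: str) -> list[Path]:
    """License-like files in the crate's unpacked source directory (may be empty)."""
    crate_dir = Path(registry_src) / f"{name}-{version}"
    if not crate_dir.is_dir():
        return []
    return sorted({p for g in LICENSE_GLOBS for p in crate_dir.glob(g) if p.is_file()})


def collect(registry_src, output: str, dest) -> list[str]:
    """Copy license files to dest/<name>-<version>/; return crates that have none."""
    missing = []
    for name, version in parse_tree(output):
        files = license_files(registry_src, name, version)
        if not files:
            missing.append(f"{name}-{version}")  # decide case by case
            continue
        target = Path(dest) / f"{name}-{version}"
        target.mkdir(parents=True, exist_ok=True)
        for f in files:
            shutil.copy2(f, target / f.name)
    return missing


if __name__ == "__main__":  # usage: python collect_licenses.py <target-triple> <out-dir>
    tree = subprocess.run(["cargo", "tree", f"--target={sys.argv[1]}", "-e", "normal",
                           "--prefix", "none"], check=True, capture_output=True, text=True).stdout
    # Assumption: registry sources are under ~/.cargo/registry/src/index.crates.io-<hash>
    src = next((Path.home() / ".cargo/registry/src").glob("index.crates.io-*"))
    for crate in collect(src, tree, sys.argv[2]):
        print(f"no license file for {crate}; review manually", file=sys.stderr)
```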