Which licenses that apply to which files should I specify in the `license` field?

A crate I am developing is primarily licensed under Apache-2.0 OR MIT. However, CODE_OF_CONDUCT.md and some test data are licensed under different licenses such as CC-BY-4.0 and CC0-1.0. I've excluded these files from the package published on crates.io because I don't think they're necessary for the published package. This means that all files in the package are licensed under Apache-2.0 OR MIT. In this case, should I specify Apache-2.0 OR MIT in the license field?

In another project of mine, library crates are licensed under Apache-2.0 OR MIT, but a binary crate is licensed under GPL-3.0-or-later. The repository also contains some files licensed under CC-BY-4.0, but all files included in the published binary crate package are licensed under GPL-3.0-or-later. In this case, should I specify GPL-3.0-or-later in the license field of the package?

In short, my question is:

Should the license field specify the licenses for all files in the repository, or only for files in the published package?

Also, if the licenses for .rs files and other files (e.g., Cargo.toml and README.md) in the published package are different, should I specify only the license for .rs files in the license field? Or should I specify the licenses for the other files too?

1 Like

According to the documentation:

> The license field contains the name of the software license that the package is released under.

And package is defined in the glossary. It is not equivalent to the repository in which the package appears. A repository may contain multiple packages, including a workspace, and may include files which are excluded from any of the packages.

When a package contains both a binary and a library that are provided under different licenses, my interpretation is that the license field should include all licenses for the binary and the library. The specification allows the AND operator for this. See B. SPDX license expressions - SPDX Specification 3.0.1.

Personally, I wouldn't worry about licenses on the README or images that it links to, even though they are "part of the package". Users of the software are not going to be bound by any licenses associated with your software's documentation if those licenses differ from that of the software. (This is not legal advice.)

1 Like
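
A manifest sketch for the case discussed in the answer above, where one package ships a library and a binary under different licenses and keeps differently licensed repository files out of the published package. This is an added example, not taken from either poster or from the Cargo documentation; the package name, the `tests/data/` path and the combined expression are assumptions, while `license` and `exclude` are real manifest keys.

```toml
# Cargo.toml (hypothetical package; names and paths are illustrative)
[package]
name = "example-tool"
version = "0.1.0"
edition = "2021"

# SPDX expression covering what the published package contains:
# the library part (Apache-2.0 OR MIT) and the binary part
# (GPL-3.0-or-later), joined with AND as the answer suggests.
license = "(Apache-2.0 OR MIT) AND GPL-3.0-or-later"

# Files under other licenses (CC-BY-4.0, CC0-1.0 in the question)
# stay in the repository but are left out of the .crate archive,
# so they do not need to appear in the expression above.
exclude = [
    "CODE_OF_CONDUCT.md",
    "tests/data/",          # assumed location of the test data
]

# To check which files actually end up in the package, run:
#   cargo package --list
# and compare the listing against the licenses named in `license`.
```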