
This queue is for tickets about the ExtUtils-MakeMaker CPAN distribution.

Report information
The Basics
Id: 75344
Status: resolved
Worked: 1 hour (60 min)
Priority: 0/
Queue: ExtUtils-MakeMaker

People
Owner: ETJ [...] cpan.org
Requestors: KENTNL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in:
  • 6.56
  • 6.58
  • 6.59
  • 6.62
Fixed in: 7.05_05

Subject: Should warn/fail on an invalid LICENSE value
A quick look at the code and some EUMM based modules I find on CPAN indicates that there is nothing done to check the validity of a user specified license.

This results in users specifying weird licenses that when run through a meta2 converter, result as "unknown".

What probably should at the very least happen is that when an unrecognised licensing string is used, a warning is produced.

Though I'd personally prefer it errored in development environments when the user specified an obviously bogus license.

Instead, EUMM happily produces invalid META1.4 and META2 metadata.

https://metacpan.org/source/VIY/HTML-Template-Pro-0.9508/META.yml

https://metacpan.org/source/VIY/HTML-Template-Pro-0.9508/Makefile.PL


http://explorer.metacpan.org/?url=/release/VIY/HTML-Template-Pro-0.9508

> "license" : [
>       "unknown"
>  ],

Subject: Re: [rt.cpan.org #75344] Should warn/fail on an invalid LICENSE value
Date: Mon, 27 Feb 2012 10:21:20 -0500
To: bug-ExtUtils-MakeMaker [...] rt.cpan.org
From: David Golden <dagolden [...] cpan.org>
On Mon, Feb 27, 2012 at 9:52 AM, Kent Fredric via RT <bug-ExtUtils-MakeMaker@rt.cpan.org> wrote:
> A quick look at the code and some EUMM based modules I find on CPAN indicates
> that there is nothing done to check the validity of a user specified license.

IMO, I don't think that's the job of EU::MM. EU::MM should be focused on being the best install tool it can be and if it can do a decent job making tarballs, fine.

The "original sin" of Module::Build is that it tried to be both an installer *and* an author's tool and that's a big part of what led to its bloat over time. Dist::Zilla gets this right (as you know) by splitting the author tooling out to something that can specialize in it and leaving the install tooling to something else.

Invalid license is something that xt/ tests or CPANTS can find for people. It's just not essential for the installer.

David

> Invalid license is something that xt/ tests or CPANTS can find for
> people. It's just not essential for the installer.

The catch here of course is it will primarily occur for people who don't realise it's a potential issue. By the time they've thrown in an xt/ test, they're already likely to have realised that this notation is invalid and set a valid license.

A simple whitelist of valid license strings + a warning would be the /least/ we could do.


( To make matters worse, MI also encourages/supports invalid license strings, and it just also passes them blindly to EUMM unvetted, so putting a warning at the EUMM level would benefit people on the MI side too )

While I agree with David in principle, I think that boat has sailed. I'd honestly figured CPAN::Meta would take care of it.

Silently failing on invalid input makes for hard-to-reproduce bugs. It should at least produce a warning. I think this can be done with minimal code simply by checking if CPAN::Meta returns back "unknown" as the license (and the LICENSE field wasn't blank or "unknown").

It would be nice to bundle a copy of Software::License, but it has dependencies. Software::License is really just license data with some utility functions. Perhaps the data can be separated into its own distribution which is easier to bundle. See https://rt.cpan.org/Ticket/Display.html?id=75395
RT-Send-CC: dagolden [...] cpan.org
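The two checks proposed in this thread (the "simple whitelist + warning" from the earlier reply and the "did CPAN::Meta turn it into unknown?" test from the last comment) can be sketched as follows. This is an added example, not ExtUtils::MakeMaker code and not the fix shipped in 7.05_05. The whitelist is this example's reading of the META 1.4 license values, not a table taken from EUMM; the second check only assumes what the thread states, that CPAN::Meta's converter yields "unknown" for a license string it does not recognise. The distribution name, version and author in the META structure are placeholders.

```perl
#!/usr/bin/env perl
# Added example (not EUMM code): warn when a LICENSE value is not a recognised
# license string, either by a static whitelist or by asking CPAN::Meta.
use strict;
use warnings;
use CPAN::Meta::Converter;

# Check 1: license strings the META 1.4 "license" field accepts, as assumed
# for this example. Anything not in this list is suspect.
my %valid_license_14 = map { $_ => 1 } qw(
    perl gpl lgpl artistic artistic_2 bsd mit mozilla apache
    open_source unrestricted restrictive unknown
);

# Returns a warning string, or undef when the value is acceptable.
sub check_license_whitelist {
    my ($license) = @_;
    return undef unless defined $license && length $license;
    return undef if $valid_license_14{$license};
    return "LICENSE '$license' is not a META 1.4 license string (expected one of: "
         . join(', ', sort keys %valid_license_14) . ")";
}

# Check 2: build a minimal META 1.4 structure the way an installer would,
# upconvert it to META 2 with CPAN::Meta::Converter, and treat a converted
# license of "unknown" as "the input was not recognised". Blank or an explicit
# "unknown" is the author's own choice and is not warned about.
sub check_license_via_cpan_meta {
    my ($license) = @_;
    return undef unless defined $license && length $license && $license ne 'unknown';

    my $meta14 = {
        'meta-spec'  => { version => '1.4',
                          url     => 'http://module-build.sourceforge.net/META-spec-v1.4.html' },
        name         => 'Example-Dist',                        # placeholder
        version      => '0.01',                                # placeholder
        abstract     => 'example distribution',                # placeholder
        author       => ['Example Author <example@example.invalid>'],  # placeholder
        license      => $license,
        generated_by => 'check_license example',
    };

    my $meta2     = CPAN::Meta::Converter->new($meta14)->convert(version => '2');
    my @converted = @{ $meta2->{license} || [] };

    return undef unless grep { $_ eq 'unknown' } @converted;
    return "LICENSE '$license' became 'unknown' after CPAN::Meta conversion; "
         . "the generated META.yml/META.json would not declare a usable license";
}

# Exercise both checks on constructed LICENSE values.
for my $lic ('perl', 'lgpl', 'GPLv3+', 'unknown', '') {
    printf "%-10s whitelist: %s\n", "'$lic'", check_license_whitelist($lic)     // 'ok';
    printf "%-10s cpan-meta: %s\n", "'$lic'", check_license_via_cpan_meta($lic) // 'ok';
}
```

The whitelist check is the cheaper of the two and needs no dependency beyond core Perl, which matters for an installer. The CPAN::Meta check mirrors what a META2 converter will actually do with the value, so it catches exactly the cases that would otherwise surface as `"license" : [ "unknown" ]` in the published metadata, at the cost of requiring CPAN::Meta at Makefile.PL time.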