`brew audit` will detect the license for the main branch instead of the release about brew HOT 14 CLOSED

One option would be to use the licensee gem that GitHub use themselves for that API, which would have the bonus of working with not-GitHub sources. But it would require having the source downloaded and I don't think any of our audits do that.

Given we do have metadata file copying however, we could make it an installed keg check and read those files.

from brew.

If @issyl0 managed to make the license API work for branches I think that should be good enough at least for cases like this. I don't really know of any cases where an install time check would be better.

from brew.

It seems like we use a Github API endpoint to fetch this information which doesn't provide any way to specify the version of the repo.

• https://docs.github.com/en/rest/licenses/licenses?apiVersion=2022-11-28#get-the-license-for-a-repository

from brew.

I think we have a license mismatch allowlist we can use here? It might get forgotten though.

We do and are using that for now. But allowlists really should be for genuine exceptions rather than silencing a buggy audit.

from brew.

And did you fix it when you found out? 😅

from brew.

@SMillerDev I have a PR open, it's waiting on the team who actually works on this stuff to tell me how I should have done it. 😂

from brew.

We check files in the install all the time. Should be disable to add license

from brew.

I think we have a license mismatch allowlist we can use here? It might get forgotten though.

from brew.

Are we saying that the license could change between a release branch and the main branch? Feels like something the /repos/license endpoint should be able to handle (personal opinion).

EDIT: Hmm, tested this and gh api "repos/issyl0/rl-testing/license" returns MIT. I noticed it might take a ref query parameter, but gh api "repos/issyl0/rl-testing/license?ref=test-new-license" still returns MIT (despite the other fields saying that it's definitely on the new branch).

Maybe it only computes licenses on the main branch?

from brew.

Yeah, I'd expect the same of the endpoint

from brew.

You've successfully nerd-sniped me into figuring out why /repos/.../license?ref=blah doesn't work. 🙃

from brew.

We check files in the install all the time. Should be disable to add license

Agreed. I don't think we should do this always but it would be nice to have some sort of license audit here that can handle the case where the tarball output is correct even if the upstream repo is not.

from brew.

Okay, I now see that comment was different than what I meant, which was:

We check files in the install all the time. Should be possible to add a license check

from brew.

@SMillerDev Yeh, I agree with that too. My thinking is that we'll need to do something clever so that the install time license check is only used some of the time when we know there's problems and a mismatch otherwise (rather than moving all license checks to always be install time)

from brew.