I am getting 404 for the packages below. Can this be fixed? Is there anything I can do to help?

This CodeProject.ObjectPool definition is still declared as NOASSERTION even though there's a merged PR with a declared license included in this PR #2297. The definition is also tagged with "curated".

From an initial glance, I believe the problem might be the capitalization in the file led to a mismatch with the revision name in PR #2297, however ClearlyDefined still thinks that it "counts" as a curation according to the definition page.

There's a new PR out from Microsoft (#11543) with the correct capitalization that should resolve this.

After this PR went through our missing license information for EWS did not update
#19750

Our alerts page still says Missing License information.

I know that clearlydefined analyzes npm dependencies transitively. What about go-lang dependencies? Does clearlydefined analyze go-lang dependency transitively or developer should provide each dependency separately for analyzing?

Help me

Originally posted by @tyevil in hashicorp/vault#18498 (comment)

Originally posted by @tyevil in #23266

I'm trying to submit a curation for a new version of DPDK stable:

https://clearlydefined.io/definitions/git/github/dpdk/dpdk-stable/7849366693a2a2cbc5279a6bfd39cbb457fe7c96

However, when I do this using the WebUI I get "Contribution failed" message with no other details. It looks like the tooling is creating branches with my changes (e.g. master...AlanElder_231204_103406.542) but then is not able to submit the PR.

When someone is publishing a NuGet package that contains code from other sources for the sole purpose of making it publicly available on NuGet.org, should the source be the repo where the NuGet package comes from or the source of the package contents?

A recent example is some packages that were published from http://nugetpackages.codeplex.com. Some do include custom scripts (e.g. jQuery), but others are just copies of other libraries (e.g. yepnope, gRaphael).

When cloning this repo on Windows I get:

warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:

  'curations/nuget/nuget/-/DiscUtils.yaml'
  'curations/nuget/nuget/-/Discutils.yaml'
  'curations/nuget/nuget/-/EMGU.CV.yaml'
  'curations/nuget/nuget/-/Emgu.CV.yaml'
  'curations/nuget/nuget/-/GitLink.yaml'
  'curations/nuget/nuget/-/gitlink.yaml'
  'curations/nuget/nuget/-/Microsoft.AspNetCore.Authentication.JwtBearer.yaml'
  'curations/nuget/nuget/-/microsoft.aspnetcore.authentication.jwtbearer.yaml'
  'curations/nuget/nuget/-/MSBuildTasks.yaml'
  'curations/nuget/nuget/-/MsBuildTasks.yaml'
  'curations/nuget/nuget/-/React.Core.yaml'
  'curations/nuget/nuget/-/react.core.yaml'
  'curations/nuget/nuget/-/StructureMap.yaml'
  'curations/nuget/nuget/-/structuremap.yaml'
  'curations/nuget/nuget/-/System.Data.HashFunction.SpookyHash.yaml'
  'curations/nuget/nuget/-/system.data.hashfunction.spookyhash.yaml'
  'curations/nuget/nuget/-/System.Windows.Interactivity.WPF.yaml'
  'curations/nuget/nuget/-/system.windows.interactivity.wpf.yaml'
  'curations/nuget/nuget/-/TinyMCE.JQuery.yaml'
  'curations/nuget/nuget/-/TinyMCE.jQuery.yaml'
  'curations/nuget/nuget/-/ValueInjecter.yaml'
  'curations/nuget/nuget/-/valueinjecter.yaml'
  'curations/nuget/nuget/-/VsWhere.yaml'
  'curations/nuget/nuget/-/vswhere.yaml'
  'curations/pypi/pypi/-/Pillow.yaml'
  'curations/pypi/pypi/-/pillow.yaml'
  'curations/pypi/pypi/-/Resource.yaml'
  'curations/pypi/pypi/-/resource.yaml'

I believe the contents of these pairs of files should be merged, and the capitalization should be aligned to the spelling used in the respective registry. Would you agree with that rationale @capfei @fossygirl?

We should consider adopting main as the default branch. Any reason that could break things?

Same component with different casings have different definitions but with the same pending curation. Looks to be an edge-case:

• https://clearlydefined.io/definitions/nuget/nuget/-/Nancy.ViewEngines.Razor/1.4.3
• https://clearlydefined.io/definitions/nuget/nuget/-/Nancy.Viewengines.Razor/1.4.3

Help me

Originally posted by @tyevil in hashicorp/vault#18498 (comment)

After this PR went through our missing license information for angula rdid not update
#20476

Our alerts page still says Missing License information.

• Apache-2.0 AND blessing: #10499
• NONE: #10059
• NONE: #10154
• GPL-2.0-or-later OR LGPL-2.1-or-later OR MPL-1.1: #10380
• NONE: #10067
• Not sure: #10364
• NONE: #10065
• PSF-2.0: #10486
• PSF-2.0: #10483

Being able to override all versions of a particular package is useful, especially ones with many, many version (think firebase)

The current format (to my understanding) requires that versions be explicitly declared to provide an override, like the following example:

coordinates:
  name: communication-calling
  namespace: '@azure'
  provider: npmjs
  type: npm
revisions:
  1.0.0:
    licensed:
      declared: OTHER
  1.0.0-beta.1:
    licensed:
      declared: OTHER
  1.0.1-beta.1:
    licensed:
      declared: OTHER
  1.1.0:
    licensed:
      declared: OTHER
  1.1.0-beta.1:
    licensed:
      declared: OTHER
  1.1.0-beta.2:
    licensed:
      declared: OTHER
  1.2.0-beta.1:
    licensed:
      declared: OTHER
  1.2.1-beta.1:
    licensed:
      declared: OTHER
  1.2.2-beta.1:
    licensed:
      declared: OTHER
  1.2.3-beta.1:
    licensed:
      declared: OTHER
  1.3.2:
    licensed:
      declared: OTHER
  1.3.2-beta.1:
    licensed:
      declared: OTHER
  1.4.1-beta.1:
    licensed:
      declared: OTHER
  1.4.3-beta.1:
    licensed:
      declared: OTHER
  1.4.4:
    licensed:
      declared: OTHER
  1.5.4:
    licensed:
      declared: OTHER
  1.5.4-beta.1:
    licensed:
      declared: OTHER
  1.6.1-beta.1:
    licensed:
      declared: OTHER
  1.6.3:
    licensed:
      declared: OTHER

If we introduce version wildcards we can simply this list down to 1 entry

coordinates:
  name: communication-calling
  namespace: '@azure'
  provider: npmjs
  type: npm
revisions:
  1.*:
    licensed:
      declared: OTHER

Additionally, if the license does change in 2.0.0 this override list won't affect it

Several curations use "OTHER" as the declared license, e.g.

First of all, there is a general problem as "OTHER" is not a valid SPDX expression. Secondly, at the concrete example of jsonify, consuming the ClearlyDefined curation worsens the meta data from "Public Domain" as declared in its package.json to "OTHER", which is even less telling, and causes ORT (which has a mapping from "Public Domain" to "LicenseRef-scancode-public-domain-disclaimer") to run into issues.

That's why I'd like to propose to not use "OTHER" at all. What do you think @capfei @fossygirl?

I want to get validation for kubernetes/apimachinery v0.18.16 . I see this dependency in the https://clearlydefined.io/?sortDesc=true&sort=releaseDate&name=apimachinery , but I can't find any related yamls for this dependency at this repository to create update pr... Could you point me what I am doing wrong?

I've declared a bunch of licenses and hit the "Contribute" button and received no indication anything went through and did not receive an email from the clearlydefinedbot that anything happened. Also, I do not see what I contributed here: https://github.com/clearlydefined/curated-data/pulls.. ?

I'm looking at several entries of libraries coded in Java or TypeScript; those do have license headers and so on, they're very clean from source perspective. However, the license score is very low because the derived files (.class or .js files) are binary-sh and don't contain license information which got lost at compilation.
Is there some configuration possible on the project to get a better license-score for that case when binary is... binary?

There is e.g.

but according to both the spec and this test, facets should not be arrays (but structures).

Recently we merged this PR containing license info for above package #23397. PR is merged but our alerts page still says Missing License information.

While attempting to manually contribute to some of the packages, it is observed that we are only allowed to enter the github URL's only? Doesn't this limit the scope of any contribution? since there are many packages hosted on bitbucket, gitlab, maven, etc, & etc.

After this PR went through our missing license information for amcharts did not update
#18060

Our alerts page still says Missing License information.
Same for few other components like
amstock3
#18059

Cumulus.InfrastructureContracts
#18061

The Google.Protobuf.Tools NuGet package links to https://github.com/protocolbuffers/protobuf/blob/master/LICENSE for its license. (I looked at version 3.14 in particular.) This LICENSE file does not exactly match the 3-clause BSD license. It includes the following additional text at the end of the license (permalink to the revision I copied this from):

Code generated by the Protocol Buffer compiler is owned by the owner
of the input file used when generating it. This code is not
standalone and requires a support library to be linked with it. This
support library is itself covered by the above license.

Is this still considered a 3-clause BSD license? If not, does this warrant its own license or its own exception?

The SPDX Matching Guidelines v2.1 say:

2.1.2 Guideline: No Additional Text

Matched text should only include that found in the vetted license or exception text. Where a license or exception found includes additional text or clauses, this should not be considered a match.

(Is there a better venue to raise these sort of discrepancies?)

    PR validation is a great idea. we have an spdx library that should be able to do that work so putting together an action should be straight forward. 

cc @nellshamrell

Originally posted by @jeffmcaffer in #7937 (comment)