Detecting a wrong package name for scipy 1.9.2 installed by pip about licensed HOT 7 CLOSED

Thank you for a response!

1. run pip list and see if GCC runtime library is listed as an installed package

No, GCC runtime library doesn't show up in pip list, while scipy does.

2. run pip show scipy in your project and see if there is anything there related to the GCC runtime library dependency

pip show scipy displays the whole license text including the bundled libraries. There is nothing else related to the GCC runtime library.

3. is there a cached license metadata file for scipy.dep.yml with accurate information (name, version, licenses)?

No, scipy.dep.yml doesn't exist when installing scipy==1.9.2. When scipy==1.9.1 is installed, the following scipy.dep.yml is generated:

---
name: scipy
version: 1.9.1
type: pip
summary: 'SciPy: Scientific Library for Python'
homepage: https://www.scipy.org
license: other
licenses:
- sources: LICENSE.txt
  text: [The whole license text]
notices: []

from licensed.

Sorry for the delay on this. I've opened #555 as a fix to finding the wrong package name

It looks like that licensed determines the name of the cache file from information in the license file. I guess it should instead use package information directly.

This was the cause of the issue - the license text that is output from pip show scipy includes Name: GCC runtime library. The metadata parsing logic was too naive and overwrote the Name: scipy metadata that was encountered earlier in the output.

Licensed might be failing to parse the first part of the scipy license file as a BSD 3-clause licensed. At a glance it looks like a normal BSD 3-clause license sentences.

Licensed uses licensee to parse license text and attempt to match the text to a known license. Licensee is not setup to read multiple licenses in a single body of text (i.e. read from a single LICENSE file) and will by default report other. I don't mean to ignore this but this is not the right repo to report that as an issue since Licensed doesn't directly handle license detection 😅

You can open an issue in the licensee repo but I'm not sure that it will get much traction. Detecting multiple licenses from a single file can get complicated because

1. AFAIK there's no standard for how to separate the different licenses which makes detection hard and error prone.
2. many times when multiple licenses are used each license applies to specific parts of the distributed code. the additional text like "this license applies to files A,B,C" makes it almost a certainty that licensee won't have enough confidence to determine a match. unfortunately again, fixing that problem is hard and error prone.

from licensed.

@kwkbtr ah sorry, I was trying to also get a fix for #541 into the release but that one is a bit larger and I haven't had enough time to finish it yet. I'll put out a patch release today

from licensed.

Thanks for the report! I'll take a closer look at this during my daytime tomorrow (MST USA timezone) and try to set up a repro, but in the meantime can you provide any info about the following:

1. run pip list and see if GCC runtime library is listed as an installed package
2. run pip show scipy in your project and see if there is anything there related to the GCC runtime library dependency
3. is there a cached license metadata file for scipy.dep.yml with accurate information (name, version, licenses)?

from licensed.

Thank you for the fix!
As for reading a license text containing multiple licenses: thank you for clarification, I agree with you that it is error prone, so it may be better to leave it as is. I can override the license once the file name is fixed, so it should not be a problem.

from licensed.

Will this fix be released soon?
I'm not sure if this is the right place to ask, but I'm using https://github.com/jonabc/setup-licensed to install licensed on GitHub Actions, and it seems that it only supports release versions.

from licensed.

Thank you, my CI has been fixed!

from licensed.