Description
While collecting and validating data obtained from ecosyste.ms, we noticed a discrepancy between the values reported by ecosyste.ms and those reported by the package's original package manager.
For example, when querying data for the cryptography package, we observed the following:
ecosyste.ms:

```
cryptography
normalized_licenses: ["GPL-1.0+"]
```

PyPI:

```
cryptography
licenses: ["Apache-2.0" OR "BSD-3-Clause"]
```
These two results do not appear to be compatible. We also verified the license information directly on PyPI, and it indicates that cryptography is dual-licensed under Apache-2.0 or BSD-3-Clause.
Additionally, we found that different versions of cryptography are published under different license expressions. For example:

- pypi:cryptography:39.0.2 (and some other versions): `(Apache-2.0 OR BSD-3-Clause) AND PSF-2.0`
- pypi:cryptography:45.0.0: `(Apache-2.0 OR BSD-3-Clause)`
We also noticed that ecosyste.ms provides a `licenses` field associated with each version, but that field is null.
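The cross-check described in this issue, written out as an added example; this is not code from the issue author or from the ecosyste.ms project. It compares the license identifiers ecosyste.ms reports for a package with what PyPI actually declares for each release, and flags a null per-version `licenses` field. The PyPI field names (`info.license_expression`, `info.license`, `info.classifiers`) are those of the PyPI JSON API; the ecosyste.ms record shape (`normalized_licenses`, `versions[].licenses`) is an assumption built from the fields named above. The sample records are constructed to reproduce the values quoted in the issue, not captured API responses, so the script runs offline.

```python
import json
import re

# Constructed sample records reproducing the values quoted in the issue.
# PyPI field names follow the PyPI JSON API; the ecosyste.ms shape is assumed.
PYPI_CRYPTOGRAPHY_45 = {
    "info": {
        "name": "cryptography",
        "version": "45.0.0",
        "license_expression": "Apache-2.0 OR BSD-3-Clause",
        "license": "",
        "classifiers": [
            "License :: OSI Approved :: Apache Software License",
            "License :: OSI Approved :: BSD License",
        ],
    }
}
PYPI_CRYPTOGRAPHY_39 = {
    "info": {
        "name": "cryptography",
        "version": "39.0.2",
        "license_expression": None,
        "license": "(Apache-2.0 OR BSD-3-Clause) AND PSF-2.0",
        "classifiers": [
            "License :: OSI Approved :: Apache Software License",
            "License :: OSI Approved :: BSD License",
        ],
    }
}
ECOSYSTEMS_CRYPTOGRAPHY = {  # assumed ecosyste.ms record shape
    "name": "cryptography",
    "normalized_licenses": ["GPL-1.0+"],
    "versions": [
        {"number": "39.0.2", "licenses": None},
        {"number": "45.0.0", "licenses": None},
    ],
}

# Trove license classifiers mapped to SPDX ids (only what the samples need).
# "BSD License" is ambiguous as a classifier; it is mapped to BSD-3-Clause
# because that is what the package itself declares.
CLASSIFIER_TO_SPDX = {
    "License :: OSI Approved :: Apache Software License": "Apache-2.0",
    "License :: OSI Approved :: BSD License": "BSD-3-Clause",
    "License :: OSI Approved :: MIT License": "MIT",
    "License :: OSI Approved :: Python Software Foundation License": "PSF-2.0",
}
SPDX_OPERATORS = {"AND", "OR", "WITH"}


def spdx_ids(expression):
    """Set of license identifiers in an SPDX expression, with operators and
    parentheses dropped: '(A OR B) AND C' -> {'A', 'B', 'C'}."""
    if not expression:
        return set()
    return {tok for tok in re.findall(r"[A-Za-z0-9.+-]+", expression)
            if tok.upper() not in SPDX_OPERATORS}


def pypi_license_ids(record):
    """Licenses PyPI declares for one release, most trustworthy source first:
    PEP 639 license_expression, then the free-text license field, then
    Trove classifiers."""
    info = record["info"]
    for field in ("license_expression", "license"):
        ids = spdx_ids(info.get(field))
        if ids:
            return ids
    return {CLASSIFIER_TO_SPDX[c] for c in info.get("classifiers", [])
            if c in CLASSIFIER_TO_SPDX}


def check_package(eco_record, pypi_records):
    """Compare ecosyste.ms normalized_licenses with each PyPI release.
    Returns a list of findings; an empty list means no discrepancy."""
    eco_ids = set(eco_record.get("normalized_licenses") or [])
    findings = []
    for rec in pypi_records:
        pypi_ids = pypi_license_ids(rec)
        # Every id ecosyste.ms reports must be one PyPI actually declares.
        unexplained = eco_ids - pypi_ids
        if not eco_ids or unexplained:
            findings.append({"version": rec["info"]["version"],
                             "pypi": sorted(pypi_ids),
                             "ecosystems": sorted(eco_ids),
                             "unexplained": sorted(unexplained)})
    # A null per-version licenses field carries no information at all.
    for v in eco_record.get("versions", []):
        if v.get("licenses") is None:
            findings.append({"version": v["number"],
                             "missing_version_licenses": True})
    return findings


if __name__ == "__main__":
    report = check_package(ECOSYSTEMS_CRYPTOGRAPHY,
                           [PYPI_CRYPTOGRAPHY_39, PYPI_CRYPTOGRAPHY_45])
    print(json.dumps(report, indent=2))
```

Run against live data, the two inputs would come from `https://pypi.org/pypi/cryptography/json` and the ecosyste.ms package endpoint; the comparison rule is deliberately one-directional (every identifier ecosyste.ms reports must be declared by PyPI), so an aggregator that reports a subset of a dual license is not flagged, but one that reports a license the package never declared, as with `GPL-1.0+` here, is.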