Normalized licenses on ecosyste.ms do not match package manager data

[rng70]

While collecting and validating data obtained from ecosyste.ms, we noticed a discrepancy between the values reported by ecosyste.ms and the package’s original package manager.

For example, when querying data for the cryptography package, we observed the following:

• ecosyste.ms:cryptography
normalized_licenses: ["GPL-1.0+"]

• PyPI:cryptography
licenses: ["Apache-2.0" OR "BSD-3-Clause"]

These two results do not appear to be compatible. We also verified the license information directly on PyPI, and it indicates that cryptography is dual-licensed under Apache-2.0 or BSD-3-Clause.

Additionally, found that different versions of cryptography are published under different license expressions. For example, version

• pypi:cryptography:39.0.2 (and some other versions): (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0,
• pypi:cryptography:45.0.0: (Apache-2.0 OR BSD-3-Clause).

Also noticed that ecosyste.ms provides a licenses field associated with each version, but that field is null.

• ecosyste.ms:cryptography:45.0.0
• ecosyste.ms:cryptography:39.0.2

[andrew]

Thanks for reporting, I'm looking into this now

[andrew]

I'm deploying fixes now, will need to go back through and resync incorrect ones and also sync all the versions again to pick up per version license data

[rng70]

will the data be synced again soon?

[andrew]

I will be manually syncing it soon, sorry for the delay, some family issues atm slowing my work progress down

[rng70]

this data also seems incorrect

Package info:

"package_name": "cglib:cglib"
"registry": "repo1.maven.org",
"url": "https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages/cglib%3Acglib"

Result:

"licenses": "ASF 2.0",
"normalized_licenses": [
  "MulanPSL-2.0"
],