Cannot “Verify Licenses” for R Packages

Unfortunately the R Core team considers the MIT license to be not a proper license but rather a template for a license. And so if you want to use the MIT license for an R package, you must include a LICENSE file in your package that includes just two lines, like this:

YEAR: 2000
COPYRIGHT HOLDER: Person

sees this as MIT (likely because it parses the license field in the DESCRIPTION file), but GitHub (using Licensee) automatically matches LICENSE before so it’s impossible to have GitHub recognize the package as MIT. Because of this reason, you’ll never be able to resolve the “conflict” between saying “MIT” and GitHub saying “Other” as the package licenses for an R package. I’m not sure how Tidelift can help, but it would be really nice to be able to pick either or GitHub as the one identifying the correct license, especially in cases where one source can’t really determine it and says “Other” or “Unknown”.

Welcome, @StevenMMortimer! Great to see you here.

We’ve seen a few interesting edge cases of legitimate differences between GitHub/licensee and libraries but this is a new one. Appreciate your creative attempt at fixing via British spelling as well :wink: Speaking as someone who has worked with a lot of license scanners, CRAN’s template approach is a nifty hack, but not very helpful for anyone who is using a tool other than CRAN — GitHub won’t be the only tool confused by it.

For now we’ll just mark the task as done for you, and figure out how to special-case R packages going forward (or perhaps work with the CRAN community to figure out something better (like support for the REUSE spec); we’ve already fixed some issues in pypi that way).

Thanks for raising it!


Adding, for my own records and anyone who stumbles across this later: the reason I can mark this ‘done’ in good faith is that, besides the very non-standard LICENSE file, there is also a that is scannable by tools like scancode. Another example of this in CRAN is dplyr.

In contrast, any solution we adopt should not automatically approve something like stringi, which has an informative but completely machine-unparseable LICENSE file.

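An added example, not part of any post in this thread and not Tidelift's, Licensee's or CRAN's code: one way a scanner could special-case R packages by accepting the DESCRIPTION declaration only when LICENSE really is the two-line stub, and sending free-form LICENSE files to manual review. It goes beyond the MIT case above to CRAN's BSD templates; all function names and sample inputs are hypothetical.

```python
import re

# CRAN template licences (LICENSE is only a key/value stub) mapped to SPDX ids.
CRAN_TEMPLATES = {"MIT": "MIT", "BSD_2_clause": "BSD-2-Clause",
                  "BSD_3_clause": "BSD-3-Clause"}
STUB_KEYS = {"YEAR", "COPYRIGHT HOLDER", "ORGANIZATION"}

# Constructed sample inputs, not taken from any real package.
DESC_TEMPLATE = "Package: examplepkg\nVersion: 0.1.0\nLicense: MIT + file LICENSE\n"
STUB = "YEAR: 2000\nCOPYRIGHT HOLDER: Person\n"
DESC_FREEFORM = "Package: otherpkg\nLicense: file LICENSE\n"
FREEFORM = "This package is free software.\nSee the terms below: ...\n"


def description_license(description_text):
    """Return the License field of a DESCRIPTION file, joining continuation lines."""
    m = re.search(r"^License:[ \t]*(.*(?:\n[ \t]+.*)*)", description_text, re.MULTILINE)
    return " ".join(m.group(1).split()) if m else None


def parse_stub(license_text):
    """Return the stub's fields, or None if the file holds anything but template keys."""
    fields = {}
    for line in license_text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key = key.strip().upper()
        if not sep or key not in STUB_KEYS or not value.strip():
            return None  # prose or unknown key: not a pure template stub
        fields[key] = value.strip()
    return fields if {"YEAR", "COPYRIGHT HOLDER"} <= set(fields) else None


def resolve(description_text, license_text):
    """Return (spdx_id, reason); spdx_id is None when a human has to look."""
    declared = description_license(description_text)
    # R accepts both spellings of the file name: LICENSE and LICENCE.
    m = re.fullmatch(r"(\S+) \+ file LICEN[CS]E", declared or "")
    if not m or m.group(1) not in CRAN_TEMPLATES:
        return None, "DESCRIPTION does not declare a template licence"
    if parse_stub(license_text) is None:
        return None, "LICENSE is not a YEAR/COPYRIGHT HOLDER stub"
    return CRAN_TEMPLATES[m.group(1)], "template stub matches DESCRIPTION"


if __name__ == "__main__":
    print(resolve(DESC_TEMPLATE, STUB))
    print(resolve(DESC_FREEFORM, FREEFORM))
```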

Hello @luis, if stringi's LICENSE file had followed the Debian copyright spec, would that work?