Checking package licenses

[wlandau]

r-multiverse/multiverse.internals#39 flags uncommon licenses for manual review, but I think we may need to do more to check the licenses of packages. Community already has one package without a real license: https://github.com/humaniverse/DEPAHRI/blob/87459858693a051761b2a64de31a5d7c70d0dc5b/DESCRIPTION#L10

Detecting these packages is straightforward:

free <- as.data.frame(available.packages("https://community.r-multiverse.org/src/contrib", filters = "license/FOSS"))
all <- as.data.frame(available.packages("https://community.r-multiverse.org/src/contrib"))
setdiff(all$Package, free$Package)
#> [1] "DEPAHRI"

A simple solution is to just flag the license as an issue and exclude from production. Do we need to do more than that?

[wlandau]

Do we need to do more than that?

Yes we do. We need solid guarantees that the intellectual property rights of package owners are protected. Even the appearance of copyright infringement, or vagueness about copyright, could be extremely problematic given the scale R-multiverse aims for.

But I think I have fixes in place for this:

1. New policy language proposed in Revise the review policy r-multiverse.github.io#33 requires packages to have valid FOSS licenses.
2. Align with upcoming review policy multiverse.internals#39 flags contributions with non-standard licenses for manual review.
3. record_nonstandard_licenses() multiverse.internals#41 adds a new record_nonstandard_licenses() to make it easy to track non-standard licenses in community and staging.