GitHub and the Perl License
When we publish our Perl module repository on GitHub, we might notice something peculiar in the "About"
section of our repository: GitHub doesn't recognize the Perl 5 license. This can be a bit
confusing, especially when we've explicitly stated the licensing in our LICENSE file.
Without properly defined license, GitHub ranks the quality of a repository lower. This is also unfortunate because it limits the "searchability" of our repository. GitHub cannot index it according to the license and users cannot search by license. This is today more important than ever before as many enterprises rule out open source projects purely on the grounds that their license is poorly managed.
The Problem: Two Licenses in One File
The standard Perl 5 license, as used by many modules, is a dual license: Artistic License (2.0) and GNU
General Public License (GPL) version 1 or later. Often, this is included in a single LICENSE file
in the repository root.
GitHub's license detection mechanism, powered by Licensee, is designed to identify a single, clear license. When it encounters a file with two distinct licenses concatenated, it fails to make a definitive identification.
Here's an example of a repository where GitHub doesn't recognize the license. Notice the missing license badge in the "About" section:
Also the "quick select" banner above Readme file does not acknowledge which license there is.
The Solution: Separate License Files
The simplest and most effective solution is to provide each license in its own dedicated file. This allows Licensee to easily identify and display both licenses. This is perfectly valid because the Perl 5 license explicitly allows for distribution under either the Artistic License or the GPL. Providing both licenses separately simply makes it clearer which licenses apply and how they are presented.
(The other reason for having multiple licenses is situation where different parts of the repository are under different licenses. But this is not our problem here.)
For example, instead of a single LICENSE file containing both, we would have:
- LICENSE-Artistic-2.0
- LICENSE-GPL-3
Let's look at an example from my own env-assert repository. In this repository, I've separated the licenses into LICENSE-Artistic-2.0 and LICENSE-GPL-3.
And here's how GitHub's "About" section looks for env-assert, clearly recognizing both licenses:
As we can see, GitHub now correctly identifies "Artistic-2.0" and "GPL-3.0" as the licenses for the project.
Same is also visible in the "quick select" bar:
Automating with Software::Policies and Dist::Zilla::Plugin::Software::Policies
Manually creating and maintaining these separate license files for every module can be tedious. Fortunately, there is a way to automate this process if you are using Dist::Zilla for authoring.
Dist::Zilla::Plugin::Software::Policies
If we're using Dist::Zilla for our module authoring,
Dist-Zilla-Plugin-Software-Policies
can automatically check that we have the correct License files. It uses Dist::Zilla's
internal variable licence to determine the correct license files.
The Dist::Zilla plugin uses Software-Policies as a backend to do the heavy lifting.
Software::Policies
Software::Policies is a module that provides a
framework for defining and enforcing software policies, including licensing. It comes with a
pre-defined policy for Perl 5's double license. It can also generate other policy files,
such as CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md.
By using Software::Policies, we can programmatically check for the presence and content of our
license files.
This approach not only solves the GitHub license detection problem but also helps us maintain consistent and correct licensing across all our Perl modules, integrating it directly into our build workflow.
By configuring this plugin in our dist.ini, we can ensure that our distribution always includes
the correct and properly formatted license files, making GitHub (and other license scanners) happy.
Here's a simplified example of how we might configure it in our dist.ini:
[Software::Policies / License]
policy_attribute = perl_5_double_license = true
[Test::Software::Policies]
include_policy = License
This configuration tells Dist::Zilla plugin Test::Software::Policies to apply the Perl
licensing policy, which typically means Artistic License 2.0 and GPL. When we build our
distribution with Dist::Zilla, the plugin will create a test file checks for the existence
and content of the LICENSE-Artistic-2.0 and LICENSE-GPL-3 files.
During testing phase, when running dzil test or dzil release, the test files will be run
and if the license files are missing or incorrect, the tests will fail.
To generate the files, we can run the command dzil policies License or just dzil policies.
This will create the files according to config in dist.ini, the [Software::Policies / License]
part of dist.ini.
We cannot create the files automatically during build because then they will only be included in the release, not in the repository. It is precisely in the repository that we need them for GitHub's sake. So the process to create or update the license files has to have this small manual stage.
Perl Programmer for fun and office.
CPAN modules and command line tools.
Thanks for figuring this out. Sometimes I think not even GitHub knows how these things work.
For myself, I just use the Artistic License instead of the dual license, although there are some modules I adopted and have kept whatever license came with them.
The licensing model of Perl, with two licenses, causes unnecessary complications.
**Many enterprises reject anything and everything which has a GPL license.**
Technically Perl doesn't force GPL because user can select either GPL or Artistic but it doesn't help. The presence of the word "GPL" causes rejection, or at the very least questions. It hurts Perl needlessly.
It would be better if Perl adopted a simpler license, e.g. MIT or Apache license straight out, or we make our own simpler and shorter than what we have currently.
The CopyFilesFromBuild plugin can be used to include build files in the repo. But for something static like licenses probably easier to not create them during build.
So that's how you make it work. I have had two license files for several years because it made it easier to test for obsolete license text. But I use
LICENSES/ArtisticandLICENSES/Copying(which is the name of the file the FSF puts the GPL in). Looks like I need to rearrange my licenses. Again.Thanks for figuring this out.
Update: under CPAN Licensing Guidelines, The Perl and Raku Foundation recommends that dual-licensed packages put each license in a separate file in a
LICENSES/directory. Does this recommendation need to change?For certain other policy files, such as CONTRIBUTING and CODE_OF_CONDUCT, GitHub allows three different locations:
- The .github folder
- The root of the repository
- The docs folder
But this DOES NOT APPLY to LICENSE-* files!
https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file
As for GitLab and other repository hosting providers, I do not know how they handle these things.
It seems a bit flaky. It didn't work for me with LICENSE-Artistic-1.0 and LICENSE-GPL-1 ("the same terms as the Perl 5 programming language system itself"). Github only recognized the Artistic. Replacing LICENSE-GPL-1 with LICENSE-GPL-2 made github only recognize GPL-2. It only recognizes both when there is Artistic-2.0 and GPL-3.
And github ignores the LICENSES directory.
I use the REUSE Specification for licenses:
REUSE - Make licensing easy for everyone
https://reuse.software/
I don't know if it's well-supported or not. Github doesn't seem to know about it. I think it's aimed at compliance auditing tools.
I tend to have redundant formats (not for modules though):
LICENSE for the main license, and COPYING when including other people's code.
And a LICENSES/ directory containing licenses downloaded from https://github.com/spdx/license-list-data/tree/main/text, and a .reuse/ directory containing dep5 which specifies which files have which copyright notices and licenses (in the format used for Debian packages). It's helpful when things get complicated.
But it doesn't help with github.
Maybe Licensee can be fixed to detect the perl license as is. There are issues raised concerning multiply-licensed projects and REUSE and the LICENSES directory. But adding support to detect the commonly used perl license would be good. That way, all perl modules would show up properly in github without anyone needing to reorganise the licenses.