Solved License information for many ports/packages is missing

[obsigna]

I am going to ship a FreeBSD system to a customer and this customer wants me to install a kind of a limited desktop system. My problem is now that even a quite tiny set of functionality drags in tons of dependencies, and in order to be save with the various license requirements, I wanted to provide a list consisting of the installed software packages and the respective licences to my customer. For this the following sqlite3(1) looked quite promising:
sqlite3 -line /var/db/pkg/local.sqlite 'SELECT packages.origin AS Portname,packages.version AS Version,licenses.name AS License FROM packages LEFT JOIN pkg_licenses ON packages.id = pkg_licenses.package_id LEFT JOIN licenses ON pkg_licenses.license_id = licenses.id ORDER BY licenses.id ASC;'

Portname = databases/db5
version = 5.3.28_6
License =

Portname = x11/libXau
version = 1.0.8_3
License =

Portname = textproc/libxml2
version = 2.9.7
License =

Portname = devel/libpthread-stubs
version = 0.4
License =

Portname = x11/kbproto
version = 1.0.7
License =

Portname = x11/xextproto
version = 7.3.0
License =

Portname = x11/fixesproto
version = 5.0
License =

Portname = x11/libICE
version = 1.0.9_1,1
License =

...
...
...

Portname = www/firefox
version = 59.0,1
License =

...
...
...

Portname = graphics/argyllcms
Version = 1.9.2_2
License = AGPLv3

Portname = multimedia/libquvi-scripts09
Version = 0.9.20131130_1
License = AGPLv3

Portname = multimedia/libquvi09
Version = 0.9.4_3
License = AGPLv3

Portname = databases/postgresql10-client
Version = 10.3
License = PostgreSQL

Portname = databases/postgresql10-contrib
Version = 10.3
License = PostgreSQL

Portname = databases/postgresql10-docs
Version = 10.3
License = PostgreSQL

Portname = databases/postgresql10-server
Version = 10.3
License = PostgreSQL

Portname = graphics/imlib2
Version = 1.5.0,2
License = imlib2

Portname = x11-fonts/webfonts
Version = 0.30_13
License = EULA

Portname = net/openldap24-client
Version = 2.4.45
License = OPENLDAP

Portname = dns/py-dnspython
Version = 1.15.0
License = ISCL

Portname = devel/boehm-gc
Version = 7.6.2
License = BDWGC

Portname = www/w3m
Version = 0.5.3.20180125_1
License = w3m

Unfortunately, there are a lot of ports without any license information, and among these is a lot of X11 stuff and the most prominent one is Firefox 59.

Perhaps I can cycle through the ports directories of the installed packages, execute make extract and then try to pick out the LICENSE file.

I would be glad to hear about more ideas, on how to deal with the situation.

 

[ShelLuser]

I didn't even realize there was a license entry

Anyway, your best bet is to look into the projects which you're going to use and check the licenses from there. So either check their website and/or check the installed files to see if you can spot a license. There is no standard way in which this is handled right now that I know off.

In fact: I think you have no other choice either way, even if this information were provided in the database.

I can only assume that you're interested in this information due to legal aspects. So what if a port maintainer made a mistake and accidentally mentioned the wrong license within the package database? Port maintainers are not necessarily involved with the project which their port distributes. So think that if people pay you to provide this kind of information then your only option is to make sure you got it right.

(edit)

Forgot to mention:

/usr/local/share/licenses could be an interesting place to look. It's not full proof but many packages use this location.

 

[Datapanic]

You can also just use pkg query -C %L <package name> to get the type of license.

 

[scottro]

That's a useful one that I didn't know, hence the thanks. However, for the OP, it doesn't solve the problem as the packages that have no license listed will just echo an empty line.

pkg query -C %L libxml2

vs

$ pkg query -C %L tmux
ISCL

 

[obsigna]

Well, yeah, the point that the info in the pkg database besides being incomplete might be even wrong is a valid one. I think, I will really need to execute make extract in the respective ports directories and crawl the licenses out of the sources. If possible, I want to avoid manually looking-up the licenses upstream for 500+ installed ports.

 

[talsamon]

There are a lot of PR's open with license changes or correchtions. You must understand it is not first priority. (e.g. PR 222580).

 

[rigoletto@]

obsigna

Many ports does not contain the LICENSE section because they are SLAVE ports and so inherit the LICENSE of the MASTER port.

 

[Datapanic]

freshports also has more license info - for example, in the original post kbproto showed no license info, but it's there on freshports....

Licensing has always been ouch-hurt on tghe behindster.

 

[talsamon]

My post does not mean nobody cares of that. If you look at freshports, you can see every day between 3 and 10 (someday maybe more) changes or corrections of licenses are committed.

 

[obsigna]

Many thanks to everybody for your insights. After thinking about what I want to achieve, I found out that for full filling all the xGPLy license terms, I need anyway to provide the full source of everything, and the authoritative LICENSE file or something similar for sure must be present in the distribution package.

I need to elaborate more on the idea of cycling through the ports directories of the installed ports/packages and call for each make extract. Then I would do a hard-link clone of only said ports directories to let's say /distribution. Now, having the /distribution completely populated with the extracted distribution packages, probably I wouldn't even need to separate out the license files -- I have to check this though.

Anyway, I marked this thread solved, because the underlying approach turned out to be a dead end.