Store licenses for packages

[lucacasonato]

Each package / package version should have a license field. This field should be a SPDX ID of a license.

This license should be visible via the API and UI, and could be useful for auditing purposes.

We should sniff the LICENSE file (like GitHub does) to populate this field. There should be a fallback where you can explicitly set the license SPDX ID via either a field in the package settings, or via a directive in the license file.

[MarkTiedemann]

How about using the license info from the JSDoc @license tag in the same comment that contains the @module tag?

/* My module.
 *
 * @license MIT
 *
 * @module
 */

A "license" key in the deno/jsr.json file seems useful, too.

Alternatively, checking the first few lines of the module entry points for a // SPDX-License-Identifier: comment sounds viable, too.

[EdJoPaTo]

Its interesting to me why a license field is not something required. This is horrible for auditing and attributing / honoring dependency licenses. This is a big reason why companies might not want to use JSR when they can not ensure they are honoring every dependency license.

crates.io requires a license to publish a crate and seeing deno being heavily inspired by cargo I am not sure why this is not the same.

[vwkd]

What happens if you use a custom license?

[EdJoPaTo]

What happens if you use a custom license?

I would do it similar to crates.io. Either SPDX via license or license-file. Exactly one being required. Custom → file.

[dsherret]

Deno will start warning about missing license files in 1.45.3 (denoland/deno#24677). In 1.46 it will start erroring denoland/deno#24676

[dsherret]

Work on adding a license field in addition to auto-discovering LICENSE files: denoland/deno#25056