Check license name first?

[hfhbd]

At the moment, if a url is set in the pom file, it is preferred to resolve the spdx. But often, the url is "wrong" (points to an invalid fallback url or to a custom hosted license text). Instead, the license name often matches the spdx identifier. So do you want to keep the current logic in

licensee/src/main/kotlin/app/cash/licensee/licenses.kt

Line 53 in 5561100

if (url != null) {

to first check the url and then the license name? For example, the jna lib has this pom file, which fails because the links are wrong:

<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example</artifactId>
  <version>1.0.0</version>
  <licenses>
    <license>
      <name>Apache-2.0</name>
      <url>https://www.apache.org/licenses</url>
    </license>
    <license>
      <name>BSD-3-Clause</name>
      <url>https://opensource.org/licenses</url>
    </license>
  </licenses>
</project>

[JakeWharton]

I'm not sure first is a good measure. The fact that you have a valid SPDX name and include URL is something of a miracle. Usually it's the opposite.

When I started the project I chose name as the mechanism and was blown away by how bad the data is. Probably 99% of the artifacts I sampled had a non-SPDX string. When I checked URLs the invalid numbers were something like 15-30%.

There's a lot of copy/pasta in licenses. Hell, I haven't started a project in 10+ years without just cp -r-ing an existing one. When I decided on URL it was based on the numbers and the idea that it should be easy to convince people to specify a valid URL. They might not go with the canonical SPDX URL or its alternative URLs but I didn't see how you could argue in good faith that a non-resolving URL was a good idea. Hence, this is why we bake in fallback URLs.

Additionally, one thing we wanted to support was non-SPDX licenses. If you use proprietary libraries (like Google Play Services SDKs) we found they often point to a valid URL. For internal artifacts we throught a URL was also an easy way to allow your own stuff (but you could also use a groupId exception).

I think it would take much more data to convince me that name makes sense. Maybe we can think about what it means to use it as a fallback, but there's a lot of edge cases to consider.

[hfhbd]

I understand and yeah, the current design makes sense. I don't know the numbers which use case, url or name first, is better. I only know my limited usage.
But at the moment, if licensee find a valid spdx url, it matches the current spdx in the json file. Using allowUrl results into a unknownLicenses, even if I checked the license manually and it uses a SPDX license.
Sure you can request a change in the library, but it will only work, if the library is updated regularly and you can use the new version. Adding various fallback urls into licensee upstream sounds strange to me, if the url is not common used, eg because the maintainer uses a custom hosted license.