fix: rename LICENSE-APACHE to LICENSE-APACHE-2.0 for OpenSSF Scorecard detection#69
Merged
OpenSSF Scorecard's License check matches by filename only (it never reads
file content) and scores only the first license file alphabetically.
LICENSE-APACHE yields the SPDX id "APACHE", which is not FSF/OSI-recognized,
so the check scored 9/10 ("does not contain an FSF or OSI license").
LICENSE-APACHE-2.0 yields the valid SPDX id "Apache-2.0" and scores 10/10
(verified locally with `scorecard --local . --checks=License`).
Also remove the bare LICENSE wrapper: it was a short dual-license pointer
that licensee could not content-match (GitHub reported the license as
unknown/NOASSERTION), and Scorecard selected it first and failed on its
empty SPDX id. Its contribution note moves into the README License section
per the Rust API Guidelines.
Apply the same rename to the ordvec-python binding's license copy and update
both README Apache links. License text is unchanged (pure git renames);
LICENSE-APACHE-2.0 is byte-identical to the canonical rust-lang/rust
LICENSE-APACHE.
Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Review Summary by Qodo

Fix license detection by renaming LICENSE-APACHE to LICENSE-APACHE-2.0

Description
- Rename LICENSE-APACHE to LICENSE-APACHE-2.0 for valid SPDX detection
- Remove bare LICENSE wrapper file to fix GitHub license recognition
- Move contribution terms into README License section per guidelines
- Update Apache license links in README files to reference renamed file

Diagram (mermaid):
flowchart LR
    A["LICENSE wrapper<br/>bare dual-license pointer"] -->|removed| B["README License<br/>section"]
    C["LICENSE-APACHE<br/>invalid SPDX id"] -->|renamed| D["LICENSE-APACHE-2.0<br/>valid SPDX id"]
    D -->|fixes| E["OpenSSF Scorecard<br/>10/10 License check"]
    B -->|includes| F["Contribution terms<br/>from removed LICENSE"]

File Changes
1. LICENSE
Code Review
This pull request removes a root copyright/license description file, updates references from LICENSE-APACHE to LICENSE-APACHE-2.0 in both the main README.md and the Python package's README.md, and adds a new "Contribution" section to the main README.md outlining the dual-licensing terms for contributions. There are no review comments to address, and I have no feedback to provide.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
project-navi-bot approved these changes on May 26, 2026
Summary

Fixes the OpenSSF Scorecard License check (was 9/10) and GitHub's "unknown license" display for this dual-licensed (MIT OR Apache-2.0) repo.

Root cause — the license tools detect differently:

- Scorecard matches by filename only (it never reads file content) and scores only the first license file alphabetically.
- `LICENSE-APACHE` → SPDX `APACHE` (not a valid id) → 9/10 "does not contain an FSF or OSI license".
- The `LICENSE` wrapper (a short dual-license pointer) was being picked first by Scorecard (empty SPDX → 9/10) and could not be content-matched by GitHub's licensee (→ NOASSERTION / "unknown").

Changes

- Remove the `LICENSE` wrapper; move its contribution note into the README `## License` section (per Rust API Guidelines).
- `LICENSE-APACHE` → `LICENSE-APACHE-2.0` (repo root + `ordvec-python/` copy) so the filename yields the valid SPDX id `Apache-2.0`.
- Update the Apache links in `README.md` and `ordvec-python/README.md`.
- License text is unchanged (pure git renames); `LICENSE-APACHE-2.0` stays byte-identical to the canonical rust-lang/rust `LICENSE-APACHE` (appendix-less).
- `Cargo.toml` / `pyproject.toml` reference the SPDX expression, not filenames, so packaging is unaffected.

Verification

- `scorecard --local . --checks=License` → 10.0 / 10 (`Info: FSF or OSI recognized license: Apache License 2.0: LICENSE-APACHE-2.0:0`). Before: 9.0/10 on `LICENSE:0`, then `LICENSE-APACHE:0`.
- No `LICENSE-APACHE` references remain, and no CI/packaging reference to the removed `LICENSE` wrapper.

Notes

- has no SPDX `OR` support, which is unavoidable for genuinely dual-licensed repos.
- /license API (NOASSERTION for dual repos), so `floss_license` / `license_location` are best attested manually there rather than satisfied with a bare `LICENSE` file.