What dependency uses MIT-0?

[EliahKagan]

The cargo deny check for licenses passes, and when run on the whole workspace and told to consider dependencies through all features, there are no warnings about licenses that are present in the allowlist but unused:

ek in 🌐 catenary in gitoxide on  main is 📦 v0.42.0 via 🦀 v1.86.0
❯ cargo deny --all-features --workspace check licenses
licenses ok

I would expect such a warning if any listed license were superfluous, as had been shown prior to #1927, and as is shown for the OpenSSL license when --all-features is omitted:

ek in 🌐 catenary in gitoxide on  main is 📦 v0.42.0 via 🦀 v1.86.0
❯ cargo deny --workspace check licenses
warning[license-not-encountered]: license was not encountered
   ┌─ /home/ek/repos/gitoxide/deny.toml:31:6
   │
31 │     "OpenSSL",
   │      ━━━━━━━ unmatched license allowance

licenses ok

Given that there are no errors and no warnings with --all-features --workspace and that cargo deny ordinarily warns if anything extra is in the allowlist, it seems like the removal of any item from the allowlist should produce an error. But removing MIT-0 from the allowlist produces no error:

ek in 🌐 catenary in gitoxide on  main is 📦 v0.42.0 via 🦀 v1.86.0
❯ sed -i '/\<MIT-0\>/d' deny.toml

ek in 🌐 catenary in gitoxide on  main [!] is 📦 v0.42.0 via 🦀 v1.86.0
❯ git diff
diff --git a/deny.toml b/deny.toml
index eb328f3d6..e1af73766 100644
--- a/deny.toml
+++ b/deny.toml
@@ -26,7 +26,6 @@ allow = [
     "BSD-3-Clause",
     "BSL-1.0",
     "MIT",
-    "MIT-0",
     "ISC",
     "OpenSSL",
     "Zlib",

ek in 🌐 catenary in gitoxide on  main [!] is 📦 v0.42.0 via 🦀 v1.86.0
❯ cargo deny --all-features --workspace check licenses
licenses ok

What dependency (including transitive dependencies), if any, is licensed MIT-0? Should that license continue to be listed?

It is no crisis to list it: MIT-0 is an extremely permissive "public domain equivalent" license (similar to the somewhat more popular 0BSD license). But if nothing is using it then I think it may as well be delisted (it could be relisted if and when we start depending on something that uses it).

I am not at all confident than delisting it is the right thing to do, though. That no warning is ever given due to its present suggests either that something is somehow using it in some way or that my understanding of cargo deny check licenses diagnostics incorporates some misunderstandings.

It occurs to me that one possibility is if some dependency is dual-licensed under MIT-0 and some other license that we also list. I am not sure what that would be. I am not sure how to check efficiently.

Note: I suspect I will figure this out myself. I'm posting it in case anyone sees it and immediately knows. I'll update this when I find out more.

[EliahKagan]

I looked further and found that It's one of three license options for dunce, which is a direct dependency of gix-discover and thus a transitive dependency of various other crates (including the gitoxide crate):

$ cargo quickinstall cargo-license
...
$ cargo license | grep -F MIT-0
Apache-2.0 OR CC0-1.0 OR MIT-0 (1): dunce

$ git grep -Fwn dunce -- **/Cargo.toml
gix-discover/Cargo.toml:28:dunce = "1.0.3"

---

This raises the question of when we should allowlist a license. For example, we are not currently allowlisting CC0-1.0:

$ tomlq .licenses.allow deny.toml
[
  "Apache-2.0",
  "BSD-3-Clause",
  "BSL-1.0",
  "MIT",
  "MIT-0",
  "ISC",
  "OpenSSL",
  "Zlib",
  "MPL-2.0",
  "Unicode-3.0"
]

(So I might look into and/or inquire about that separately.)

[EliahKagan]

Update: I don't think we need to allowlist CC0-1.0 at this time, nor that we need to delist MIT-0:

• As far as I know, there are no concerns about MIT-0 that would suggest it would be better not to allow it.
• Although it seems to me that it would be okay to allow CC0-1.0, it might be better to wait until we use something that would require adding it to deny.toml, to evaluate if its patent weakness is a problem.