License: enumerate bundled MIT UI components in sdist PKG-INFO License-File #755

@elijahbenizzy

Raised by Jarek Potiuk during the 0.42.0-incubating RC3 PPMC review. Non-blocking for the release.

Issue

The sdist tarball's PKG-INFO License-File metadata only references LICENSE-wheel, NOTICE, and DISCLAIMER. It does not separately enumerate the third-party MIT-licensed UI components in website/src/components/ui/ (Magic UI + shadcn).

The components ARE properly attributed in the LICENSE file (Apache 2.0 + appended MIT notices), and our .rat-excludes covers them. So this is a metadata-completeness gap, not a licensing gap.

What downstream tooling expects

Some downstream consumers (e.g. PyPI license scanners, package indexers, Linux distro packagers) read License-File to enumerate every distinct license file shipped with the artifact. Today they would see only Apache 2.0 + the project NOTICE/DISCLAIMER and might miss that there are MIT components inside.

Suggested fix

Either:

  • Split out the MIT notices for the UI components into a separate file (e.g. LICENSE-third-party-ui) and add it to pyproject.toml's license-files list
  • Or add the existing combined LICENSE file to the sdist license-files list (it already contains the Apache 2.0 text + MIT appendices)

The latter is simpler. The former is more discoverable.
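The gap described above can be checked mechanically. The following is an added example, not code from the issue or the project: it reads `License-File` from an sdist's PKG-INFO, lists license-like files that are shipped but not declared, and reports whether any declared file mentions MIT. The sample tarball, the name `example-pkg` and all file contents are constructed; treating LICENSE-wheel as Apache-only is an assumption.

```python
import io
import re
import tarfile
from email.parser import Parser

# File names that conventionally carry license or notice text.
LICENSE_NAME = re.compile(r"^(LICEN[CS]E|NOTICE|DISCLAIMER|COPYING)", re.I)

def audit_sdist(fileobj):
    """Return (declared, undeclared, declared_mentions_mit) for an sdist tarball."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        # Strip the top-level "<name>-<version>/" directory from member paths.
        files = {m.name.split("/", 1)[1]: m for m in tar.getmembers()
                 if m.isfile() and "/" in m.name}
        raw = tar.extractfile(files["PKG-INFO"]).read().decode("utf-8")
        meta = Parser().parsestr(raw)  # core metadata uses RFC 822 style headers
        declared = meta.get_all("License-File") or []
        shipped = [p for p in files if LICENSE_NAME.match(p.rsplit("/", 1)[-1])]
        undeclared = sorted(set(shipped) - set(declared))
        text = "".join(tar.extractfile(files[p]).read().decode("utf-8", "replace")
                       for p in declared if p in files)
    return declared, undeclared, "MIT License" in text

def build_sample_sdist(license_files):
    """Constructed sample: a tiny sdist whose layout mirrors the issue."""
    pkg_info = "Metadata-Version: 2.4\nName: example-pkg\nVersion: 0.0.0\n"
    pkg_info += "".join(f"License-File: {n}\n" for n in license_files)
    contents = {
        "PKG-INFO": pkg_info,
        "LICENSE": "Apache License 2.0 ...\n\nMIT License (bundled UI) ...\n",
        "LICENSE-wheel": "Apache License 2.0 ...\n",  # assumed Apache-only
        "NOTICE": "constructed notice\n",
        "DISCLAIMER": "constructed disclaimer\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in contents.items():
            data = body.encode()
            info = tarfile.TarInfo(f"example_pkg-0.0.0/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for declared in (["LICENSE-wheel", "NOTICE", "DISCLAIMER"],
                     ["LICENSE", "LICENSE-wheel", "NOTICE", "DISCLAIMER"]):
        print(audit_sdist(build_sample_sdist(declared)))
```

The first run models the current metadata, the second the simpler of the two suggested fixes.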
