From e98885f3bd2260868aacaa962c49dd8c6f98eca5 Mon Sep 17 00:00:00 2001
From: Martin Haug <mhaug@live.de>
Date: Tue, 7 Jan 2025 10:25:46 +0100
Subject: [PATCH 1/3] Allow CC-BY, CC-BY-SA, or CC0 licenses

Closes #1511
---
 README.md           |  7 ++++++-
 bundler/Cargo.lock  | 26 ++++++++++++++++++++------
 bundler/Cargo.toml  |  2 ++
 bundler/src/main.rs | 22 +++++++++++++++++++---
 4 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 88aa96040..32e95b5d0 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,12 @@ Required for submissions to this repository:
   address, homepage, or GitHub handle in angle brackets. The latter must start
   with an `@` character, and URLs must start with `http://` or `https://`.
 - `license`: The package's license. Must contain a valid SPDX-2 expression
-  describing one or multiple [OSI-approved][OSI] licenses.
+  describing one or multiple licenses that are either [OSI-approved][OSI]
+  licenses or a version of CC-BY, CC-BY-SA, or CC0. We recommend you do not
+  license your package using a Creative Commons license unless it is a
+  derivative work of a CC-BY-SA-licensed work or if it is not primarily code,
+  but content or data. In most other cases, [a free/open license specific to
+  software is better suited for Typst packages](https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software).
 - `description`: A short description of the package. Double-check this for
   grammar and spelling mistakes as it will appear in the [package list][list].
 
diff --git a/bundler/Cargo.lock b/bundler/Cargo.lock
index c00086699..0142e02bd 100644
--- a/bundler/Cargo.lock
+++ b/bundler/Cargo.lock
@@ -61,7 +61,9 @@ dependencies = [
  "flate2",
  "ignore",
  "image",
+ "once_cell",
  "rayon",
+ "regex",
  "semver",
  "serde",
  "serde_json",
@@ -346,9 +348,9 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.19.0"
+version = "1.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
+checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
 
 [[package]]
 name = "png"
@@ -416,11 +418,23 @@ dependencies = [
  "bitflags 1.3.2",
 ]
 
+[[package]]
+name = "regex"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
 [[package]]
 name = "regex-automata"
-version = "0.4.7"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -429,9 +443,9 @@ dependencies = [
 
 [[package]]
 name = "regex-syntax"
-version = "0.8.4"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b"
+checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "rustix"
diff --git a/bundler/Cargo.toml b/bundler/Cargo.toml
index 588a0fe7c..06a9bd59f 100644
--- a/bundler/Cargo.toml
+++ b/bundler/Cargo.toml
@@ -22,3 +22,5 @@ toml = { version = "0.8", default-features = false, features = ["parse"] }
 unicode-ident = "1.0.12"
 unscanny = "0.1.0"
 walkdir = "2"
+regex = "1.11.1"
+once_cell = "1.20.2"
diff --git a/bundler/src/main.rs b/bundler/src/main.rs
index d853d322b..86cb353f7 100644
--- a/bundler/src/main.rs
+++ b/bundler/src/main.rs
@@ -13,6 +13,7 @@ use anyhow::{bail, Context};
 use image::codecs::webp::{WebPEncoder, WebPQuality};
 use image::imageops::FilterType;
 use semver::Version;
+use spdx::LicenseId;
 use typst_syntax::package::{PackageInfo, PackageManifest, TemplateInfo, UnknownFields};
 use unicode_ident::{is_xid_continue, is_xid_start};
 
@@ -25,6 +26,13 @@ use self::timestamp::determine_timestamps;
 const DIST: &str = "dist";
 const THUMBS_DIR: &str = "thumbnails";
 
+macro_rules! regex {
+    ($re:literal $(,)?) => {{
+        static RE: once_cell::sync::OnceCell<regex::Regex> = once_cell::sync::OnceCell::new();
+        RE.get_or_init(|| regex::Regex::new($re).unwrap())
+    }};
+}
+
 fn main() -> anyhow::Result<()> {
     println!("Starting bundling.");
 
@@ -106,7 +114,7 @@ fn main() -> anyhow::Result<()> {
         determine_timestamps(&paths, &mut index)?;
 
         // Sort the index.
-        index.sort_by_key(|info| (info.package.name.clone(), info.package.version.clone()));
+        index.sort_by_key(|info| (info.package.name.clone(), info.package.version));
 
         println!("Writing index.");
         fs::write(
@@ -247,8 +255,11 @@ fn parse_manifest(path: &Path, namespace: &str) -> anyhow::Result<PackageManifes
             .id()
             .context("license must not contain a referencer")?;
 
-        if !id.is_osi_approved() {
-            bail!("license is not OSI approved: {}", id.full_name);
+        if !id.is_osi_approved() && !is_allowed_cc(id) {
+            bail!(
+                "license is neither OSI approved nor allowed CC license: {}",
+                id.full_name
+            );
         }
     }
 
@@ -454,3 +465,8 @@ fn is_id_start(c: char) -> bool {
 fn is_id_continue(c: char) -> bool {
     is_xid_continue(c) || c == '_' || c == '-'
 }
+
+// Check that a license is any version of CC-BY, CC-BY-SA, or CC0.
+fn is_allowed_cc(license: LicenseId) -> bool {
+    regex!(r"^CC(-(BY(-SA)?)|0)-[0-9]\.[0-9](-[A-Z]+)?$").is_match(license.name)
+}

From a1411b98f71002f03aa3077368b5079dfd5ace07 Mon Sep 17 00:00:00 2001
From: Martin Haug <mhaug@live.de>
Date: Tue, 7 Jan 2025 10:39:31 +0100
Subject: [PATCH 2/3] Drop once_cell in favor of LazyLock

---
 bundler/Cargo.lock  |  1 -
 bundler/Cargo.toml  |  1 -
 bundler/src/main.rs | 13 +++++--------
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/bundler/Cargo.lock b/bundler/Cargo.lock
index 0142e02bd..043246b88 100644
--- a/bundler/Cargo.lock
+++ b/bundler/Cargo.lock
@@ -61,7 +61,6 @@ dependencies = [
  "flate2",
  "ignore",
  "image",
- "once_cell",
  "rayon",
  "regex",
  "semver",
diff --git a/bundler/Cargo.toml b/bundler/Cargo.toml
index 06a9bd59f..1d102f1be 100644
--- a/bundler/Cargo.toml
+++ b/bundler/Cargo.toml
@@ -23,4 +23,3 @@ unicode-ident = "1.0.12"
 unscanny = "0.1.0"
 walkdir = "2"
 regex = "1.11.1"
-once_cell = "1.20.2"
diff --git a/bundler/src/main.rs b/bundler/src/main.rs
index 86cb353f7..1ccbc18ff 100644
--- a/bundler/src/main.rs
+++ b/bundler/src/main.rs
@@ -8,6 +8,7 @@ use std::env::args;
 use std::fs;
 use std::io;
 use std::path::Path;
+use std::sync::LazyLock;
 
 use anyhow::{bail, Context};
 use image::codecs::webp::{WebPEncoder, WebPQuality};
@@ -26,13 +27,6 @@ use self::timestamp::determine_timestamps;
 const DIST: &str = "dist";
 const THUMBS_DIR: &str = "thumbnails";
 
-macro_rules! regex {
-    ($re:literal $(,)?) => {{
-        static RE: once_cell::sync::OnceCell<regex::Regex> = once_cell::sync::OnceCell::new();
-        RE.get_or_init(|| regex::Regex::new($re).unwrap())
-    }};
-}
-
 fn main() -> anyhow::Result<()> {
     println!("Starting bundling.");
 
@@ -468,5 +462,8 @@ fn is_id_continue(c: char) -> bool {
 
 // Check that a license is any version of CC-BY, CC-BY-SA, or CC0.
 fn is_allowed_cc(license: LicenseId) -> bool {
-    regex!(r"^CC(-(BY(-SA)?)|0)-[0-9]\.[0-9](-[A-Z]+)?$").is_match(license.name)
+    static RE: LazyLock<regex::Regex> =
+        LazyLock::new(|| regex::Regex::new(r"^CC(-(BY(-SA)?)|0)-[0-9]\.[0-9](-[A-Z]+)?$").unwrap());
+
+    RE.is_match(license.name)
 }

From 4d5cef0b3df38848cdde580fb08a2c5b69cb2ed2 Mon Sep 17 00:00:00 2001
From: Martin Haug <mhaug@live.de>
Date: Tue, 7 Jan 2025 10:44:15 +0100
Subject: [PATCH 3/3] Code Review

---
 bundler/Cargo.toml  | 2 +-
 bundler/src/main.rs | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bundler/Cargo.toml b/bundler/Cargo.toml
index 1d102f1be..6e67fb445 100644
--- a/bundler/Cargo.toml
+++ b/bundler/Cargo.toml
@@ -13,6 +13,7 @@ flate2 = "1"
 ignore = "0.4"
 image = { version = "0.24.9", default-features = false, features = ["png", "webp", "webp-encoder"] }
 rayon = "1.0"
+regex = "1.11.1"
 semver = { version = "1", features = ["serde"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
@@ -22,4 +23,3 @@ toml = { version = "0.8", default-features = false, features = ["parse"] }
 unicode-ident = "1.0.12"
 unscanny = "0.1.0"
 walkdir = "2"
-regex = "1.11.1"
diff --git a/bundler/src/main.rs b/bundler/src/main.rs
index 1ccbc18ff..c2848679a 100644
--- a/bundler/src/main.rs
+++ b/bundler/src/main.rs
@@ -251,7 +251,7 @@ fn parse_manifest(path: &Path, namespace: &str) -> anyhow::Result<PackageManifes
 
         if !id.is_osi_approved() && !is_allowed_cc(id) {
             bail!(
-                "license is neither OSI approved nor allowed CC license: {}",
+                "license is neither OSI approved nor an allowed CC license: {}",
                 id.full_name
             );
         }
@@ -463,7 +463,7 @@ fn is_id_continue(c: char) -> bool {
 // Check that a license is any version of CC-BY, CC-BY-SA, or CC0.
 fn is_allowed_cc(license: LicenseId) -> bool {
     static RE: LazyLock<regex::Regex> =
-        LazyLock::new(|| regex::Regex::new(r"^CC(-(BY(-SA)?)|0)-[0-9]\.[0-9](-[A-Z]+)?$").unwrap());
+        LazyLock::new(|| regex::Regex::new(r"^CC(-BY|-BY-SA|0)-[0-9]\.[0-9](-[A-Z]+)?$").unwrap());
 
     RE.is_match(license.name)
 }