On Fri, 24 Jul 2020, Jason Tibbitts wrote:
> Are any of the following acceptable?
> 1) Trust the packager to do a license review, with no reviewer
> verification.
Definitely need a second opinion IMHO (IANAL).
> 2) Trust the output of an automated tool which attempts to detect
> project licenses (such as askalono).
My understanding is that such tools are pretty accurate when a license
is positively identified, and this can be a reasonable 2nd opinion.
When the tool fails to find or confirm a license, then manual search may be
required.
> 3) Trust the license tag from a project hosting service such as
> github?
> (I understand that the answer may depend on the hosting service.)
Ask a real lawyer. I would be inclined to not trust the service, but
it might count as "due diligence".