Open
Description
The SPDX expression is "(MIT OR Apache-2.0) AND NCSA" and the README says:
> All files in the libfuzzer directory are licensed NCSA.
> Everything else is dual-licensed Apache 2.0 and MIT.
But the vendored version of libfuzzer is from LLVM 19.x, long after LLVM started relicensing from NCSA to Apache-2.0 WITH LLVM-exception. There doesn't seem to be any definite statement whether the relicensing is 100% complete, but it's pretty far along:
- Some rust-lang projects have updated their license strings in line with the new LLVM license, dropping NCSA (e.g., rust-lang/compiler-builtins#717, "Update licensing to MIT AND Apache-2.0 WITH LLVM-exception")
- Since 2024-06-01, LLVM upstream no longer requires new contributions to be dual-licensed under NCSA and Apache-2.0 WITH LLVM-exception. The currently vendored commit includes some changes to libfuzzer made since then, which presumably aren't licensed under NCSA at all.
I'm no licensing expert but it seems like NCSA should be replaced with Apache-2.0 WITH LLVM-exception in Cargo.toml and README.