I don't see anything in crates-io policies about the license/usage policy of the crate metadata published to crates-io.
- As a package author, what usage rights do I give to crates-io?
- As a 3rd party crawler/consumer of the database dump, what am I allowed to do with this data?
For code it's clear: there's
license-file. But is this license supposed to also apply to each crate's README, description, and authorship information?
Not all licenses make sense for metadata. If crates.io contains a README under AGPL, does that make crates-io and everything in it a derived work?
It's also unclear to me whether "permissive" crate licenses also give permission to use personal information contained in crates. Crate metadata contains people's names, e-mails, and team memberships. I would prefer to have clear guidelines what is acceptable use of this information, e.g. can 3rd parties reproduce this data, and do they have to honor requests to update it or take it down.