setup.cfg: include llhttp LICENSE in license-files

[threexc]

What do these changes do?

Make sure that the llhttp LICENSE file is included in the wheel by modifying setup.cfg's license-files field to be a list according to the Python Packaging User Guide.

Are there changes in behavior for the user?

No.

Is it a substantial burden for the maintainers to support this?

The main difference is that the maintainers will have to further update the license-files field in setup.cfg (or possibly modify pyproject.toml if that config content moves there) should llhttp's LICENSE file change name, etc.

Related issue number

Fixes: #11225

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • The format is <Name> <Surname>.
  • Please keep alphabetical order, the file is sorted by names.
• Add a new news fragment into the CHANGES/ folder
  • name it <issue_or_pr_num>.<type>.rst (e.g. 588.bugfix.rst)
  • if you don't have an issue number, change it to the pull request
    number after creating the PR
    • .bugfix: A bug fix for something the maintainers deemed an
      improper undesired behavior that got corrected to match
      pre-agreed expectations.
    • .feature: A new behavior, public APIs. That sort of stuff.
    • .deprecation: A declaration of future API removals and breaking
      changes in behavior.
    • .breaking: When something public is removed in a breaking way.
      Could be deprecated in an earlier release.
    • .doc: Notable updates to the documentation structure or build
      process.
    • .packaging: Notes for downstreams about unobvious side effects
      and tooling. Changes in the test invocation considerations and
      runtime assumptions.
    • .contrib: Stuff that affects the contributor experience. e.g.
      Running tests, building the docs, setting up the development
      environment.
    • .misc: Changes that are hard to assign to any of the above
      categories.
  • Make sure to use full sentences with correct case and punctuation,
    for example:

    Fixed issue with non-ascii contents in doctest text files
    -- by :user:`contributor-gh-handle`.

Testing:

From master branch (building with python3 -m build in a venv):

(venv) tgamblin@megalith ~/workspace/git/pythonsrc/aiohttp (master)$ unzip -l dist/aiohttp-4.0.0a2.dev0-cp313-cp313-linux_x86_64.whl | grep LICEN
      588  06-17-2025 20:08   aiohttp-4.0.0a2.dev0.dist-info/licenses/LICENSE.txt

and from my patch branch:

(venv) tgamblin@megalith ~/workspace/git/pythonsrc/aiohttp (tgamblin/llhttp-license-fix)$ unzip -l dist/aiohttp-4.0.0a2.dev0-cp313-cp313-linux_x86_64.whl | grep LICEN
      588  06-17-2025 20:16   aiohttp-4.0.0a2.dev0.dist-info/licenses/LICENSE.txt
     1105  06-17-2025 20:16   aiohttp-4.0.0a2.dev0.dist-info/licenses/vendor/llhttp/LICENSE

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.76%. Comparing base (ebf65d9) to head (7a04f39).
Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #11226   +/-   ##
=======================================
  Coverage   98.76%   98.76%           
=======================================
  Files         129      129           
  Lines       43374    43374           
  Branches     2323     2323           
=======================================
  Hits        42837    42837           
  Misses        383      383           
  Partials      154      154           

Flag	Coverage Δ
CI-GHA	98.64% <ø> (ø)
OS-Linux	98.38% <ø> (ø)
OS-Windows	96.81% <ø> (ø)
OS-macOS	97.69% <ø> (ø)
Py-3.10.11	97.32% <ø> (-0.02%)	⬇️
Py-3.10.18	97.72% <ø> (-0.01%)	⬇️
Py-3.11.13	97.92% <ø> (ø)
Py-3.11.9	97.53% <ø> (ø)
Py-3.12.10	97.62% <ø> (-0.02%)	⬇️
Py-3.12.11	98.02% <ø> (-0.01%)	⬇️
Py-3.13.3	98.28% <ø> (ø)
Py-3.9.13	97.22% <ø> (+<0.01%)	⬆️
Py-3.9.23	97.61% <ø> (ø)
Py-pypy7.3.16	87.10% <ø> (-5.91%)	⬇️
VM-macos	97.69% <ø> (ø)
VM-ubuntu	98.38% <ø> (ø)
VM-windows	96.81% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codspeed-hq]

CodSpeed Performance Report

Merging #11226 will not alter performance

_{Comparing threexc:tgamblin/llhttp-license-fix (7a04f39) with master (ebf65d9)}

Summary

✅ 59 untouched benchmarks

[webknjaz]

Not sure how to best handle this.

There's a way to build a pure-python wheel that doesn't link against llhttp and so that would be misleading.

At the Packaging Summit, one of the round table discussions tackled specifically what the semantics of pointing to various licenses is.

My understanding is that there's a plan to have a clarifying PEP post PEP 639.

cc @befeleme @CAM-Gerlach could you chime in on how to declare licences for occasionally vendored deps?

[befeleme]

Not sure how to best handle this.

There's a way to build a pure-python wheel that doesn't link against llhttp and so that would be misleading.

At the Packaging Summit, one of the round table discussions tackled specifically what the semantics of pointing to various licenses is.

My understanding is that there's a plan to have a clarifying PEP post PEP 639.

cc @befeleme @CAM-Gerlach could you chime in on how to declare licences for occasionally vendored deps?

In supershort, within the boundaries of PEP 639, there are two questions:

• does this apply to both sdist and wheel(s)? If not, PEP 639 doesn't bring an answer, and this is a subject to be tackled in the future.
• how are the published artifacts built (what do they contain)? License files should apply to the published distribution(s), not to every theoretical combination that can be built by other entities.

[webknjaz]

In supershort, within the boundaries of PEP 639, there are two questions:

• does this apply to both sdist and wheel(s)? If not, PEP 639 doesn't bring an answer, and this is a subject to be tackled in the future.

I believe that sdist contains the source code of vendored llhttp and the wheels on PyPI have it bundled into the compiled modules.

• how are the published artifacts built (what do they contain)? License files should apply to the published distribution(s), not to every theoretical combination that can be built by other entities.

There's a request to ship an additional pure-python wheel that wouldn't contain the C-extensions and the vendored llhttp wouldn't be bundled either. We're planning to implement it as it's a small change to the CI.

[threexc]

I've pushed a new version of the commit that should incorporate all suggestions.

[threexc]

I've rebased the branch. Is there a preferred way to move forward with this?

[webknjaz]

This is probably fine but let me try to ask options today at the packaging summit if I don't forget..

[webknjaz]

I've shown this to Karolina at EuroPython the other day, which is where the SPDX point came from. Now that it's integrated, this is good to merge. We can try to deal with the pure-python wheel corner case separately.

[webknjaz]

@threexc I recommend you to always accept suggested changes via GH UI and then rewrite commits locally. This makes sure that you can credit additional authors correctly: https://hynek.me/til/easier-crediting-contributors-github/.

[patchback]

Backport to 3.12: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.12/8afdc4dc5b5f9ced7cb52c13a66c136bd19c35cd/pr-11226

Backported as #11328

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[patchback]

Backport to 3.13: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.13/8afdc4dc5b5f9ced7cb52c13a66c136bd19c35cd/pr-11226

Backported as #11329

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[threexc]

@threexc I recommend you to always accept suggested changes via GH UI and then rewrite commits locally. This makes sure that you can credit additional authors correctly: https://hynek.me/til/easier-crediting-contributors-github/.

Thanks, will do that from now on.