New linter rule: validating LICENSE files #228
Comments
|
Potentially also validate against licensing restrictions that Anaconda has per company-wide policies. |
|
@skupr-anaconda, I've heard you have tooling that might already do something like this? |
|
Yeah, this script checks if the license exists on GitHub and GitLab https://github.com/anaconda-distribution/finder/blob/main/finder/common/check_urls_exist.py. |
|
Nice work @skupr-anaconda , it's at least a good starting point for this linting project. I'm guessing SHA-256 hashes are probably the safest finger printing and I think there might be existing tools out there that do some of this work for us. I know I've seen some tools at previous companies I've worked at that can detect if a license is allowed for NPM packages based on some pre-defined rules. I'm sure there's some Python equivalent library we could leverage. |
Not sure how feasible this is, but I wanted to capture the thought here anyways.
Coming out of this PR, I wonder if we can validate what we claim the license should be from what the LICENSE file in the repository indicates: AnacondaRecipes/libmicrohttpd-feedstock#1
Maybe the linter can use the
dev_urlor some other required field to probe theLICENSEfile against a known list of files (or SHA-256 hashes of known license files) to validate what we list inmeta.yamlmatches.Perhaps this can catch other mistakes in
conda-forgeor detect if the license changes between versions?The text was updated successfully, but these errors were encountered: