
cargo ianal #29

Open
epage opened this issue Mar 1, 2019 · 6 comments

Comments

@epage
Contributor

epage commented Mar 1, 2019

A tool to help with licensing needs

  • create report for company legal compliance audits
  • create legal notices for distributing binaries
    • ideally provide this as a library so tools like cargo-tarball can integrate it
  • automated license audits
    • license blacklist/whitelist
    • rules engine?

Related
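The allowlist/denylist audit in the list above, as an added example rather than code from this issue or the project: a std-only evaluator for the SPDX expressions cargo accepts in the `license` field, run over a constructed `cargo metadata`-style package list. Crate names, versions and the policy are invented for illustration; the `/` normalization covers the older crates.io shorthand for OR.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One resolved dependency as the tool would read it from `cargo metadata`;
/// `license` is the `[package] license` field, `None` when the crate declares nothing.
struct Package { name: &'static str, version: &'static str, license: Option<&'static str> }

#[derive(Debug, PartialEq)]
enum Verdict { Allowed, Denied(String), Undeclared, Unparseable(String) }

/// An identifier is acceptable only if allowlisted and not denylisted; `deny` wins,
/// so a denylist entry cannot be undone by an over-broad allowlist.
struct Policy { allow: BTreeSet<&'static str>, deny: BTreeSet<&'static str> }

/// Older crates.io metadata used '/' as shorthand for OR ("MIT/Apache-2.0"); normalize it first.
fn tokenize(expr: &str) -> Vec<String> {
    expr.replace('/', " OR ").replace('(', " ( ").replace(')', " ) ")
        .split_whitespace().map(str::to_string).collect()
}

/// Recursive-descent evaluator for the SPDX subset cargo accepts:
///   expr := and ('OR' and)* ; and := atom ('AND' atom)* ; atom := ID ['WITH' EXC] | '(' expr ')'
/// It answers "is some choice of licenses in this expression acceptable" without building an AST.
struct Eval<'a> { toks: &'a [String], pos: usize, policy: &'a Policy }

impl<'a> Eval<'a> {
    fn peek(&self) -> Option<&'a str> { self.toks.get(self.pos).map(String::as_str) }
    fn next(&mut self) -> Option<&'a str> { let t = self.peek(); self.pos += 1; t }
    fn expr(&mut self) -> Result<bool, String> {
        let mut ok = self.and()?;
        while self.peek() == Some("OR") { self.pos += 1; let rhs = self.and()?; ok = ok || rhs; }
        Ok(ok)
    }
    fn and(&mut self) -> Result<bool, String> {
        let mut ok = self.atom()?;
        while self.peek() == Some("AND") { self.pos += 1; let rhs = self.atom()?; ok = ok && rhs; }
        Ok(ok)
    }
    fn atom(&mut self) -> Result<bool, String> {
        match self.next() {
            None => Err("unexpected end of expression".to_string()),
            Some("(") => { let v = self.expr()?; if self.next() != Some(")") { return Err("missing ')'".to_string()); } Ok(v) }
            Some(t) if matches!(t, ")" | "AND" | "OR" | "WITH") => Err(format!("unexpected token '{}'", t)),
            Some(id) => {
                // "ID WITH exception" is checked as one key: an exception has to be reviewed and
                // allowlisted on its own, it is not inherited from the base license's approval.
                let mut key = id.to_string();
                if self.peek() == Some("WITH") {
                    self.pos += 1;
                    let exc = self.next().ok_or("missing exception after WITH")?;
                    key = format!("{} WITH {}", id, exc);
                }
                if self.policy.deny.contains(id) || self.policy.deny.contains(key.as_str()) { return Ok(false); }
                Ok(self.policy.allow.contains(key.as_str()))
            }
        }
    }
}

fn evaluate(expr: &str, policy: &Policy) -> Verdict {
    let toks = tokenize(expr);
    let mut ev = Eval { toks: &toks, pos: 0, policy };
    match ev.expr() {
        Err(e) => Verdict::Unparseable(format!("{} in '{}'", e, expr)),
        Ok(_) if ev.pos != toks.len() => Verdict::Unparseable(format!("trailing tokens in '{}'", expr)),
        Ok(true) => Verdict::Allowed,
        Ok(false) => Verdict::Denied(format!("no acceptable alternative in '{}'", expr)),
    }
}

/// Audit every dependency; an undeclared license is reported, never silently passed.
fn audit(pkgs: &[Package], policy: &Policy) -> BTreeMap<String, Verdict> {
    pkgs.iter().map(|p| {
        let v = match p.license { None => Verdict::Undeclared, Some(e) => evaluate(e, policy) };
        (format!("{} {}", p.name, p.version), v)
    }).collect()
}

fn sample_policy() -> Policy {
    Policy {
        allow: ["MIT", "Apache-2.0", "BSD-3-Clause", "Apache-2.0 WITH LLVM-exception"].iter().copied().collect(),
        deny: ["GPL-2.0-only", "GPL-3.0-only"].iter().copied().collect(),
    }
}

/// Constructed sample graph; the crate names are invented, not real crates.io packages.
fn sample_packages() -> Vec<Package> {
    vec![
        Package { name: "widget-core", version: "1.2.0", license: Some("MIT OR Apache-2.0") },
        Package { name: "legacy-parser", version: "0.3.1", license: Some("MIT/Apache-2.0") },
        Package { name: "llvm-shim", version: "0.5.0", license: Some("Apache-2.0 WITH LLVM-exception") },
        Package { name: "copyleft-util", version: "2.0.0", license: Some("GPL-3.0-only") },
        Package { name: "mixed-bag", version: "0.1.0", license: Some("(MIT OR Apache-2.0) AND GPL-2.0-only") },
        Package { name: "no-license", version: "0.9.0", license: None },
        Package { name: "bad-expr", version: "0.0.1", license: Some("MIT OR") },
    ]
}

fn main() {
    let report = audit(&sample_packages(), &sample_policy());
    for (pkg, verdict) in &report { println!("{:<20} {:?}", pkg, verdict); }
    let failed = report.values().filter(|v| **v != Verdict::Allowed).count();
    if failed > 0 { println!("license audit failed: {} package(s) need review", failed); } // a CI gate would exit non-zero here
}
```

The evaluator computes satisfiability rather than building a tree: an OR succeeds if any alternative is acceptable, an AND only if every side is, and `deny` beats `allow` so an over-broad allowlist cannot re-admit a denylisted identifier. A `WITH` exception is checked as its own key because it is a separate item for legal review to sign off on. Undeclared and unparseable license fields are verdicts in their own right and count as failures, which is what an audit needs: a crate with no `license` field must not pass simply because there was nothing to evaluate.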

@epage
Contributor Author

epage commented Mar 1, 2019

For things like notice support, when it comes across an unknown license, it could report an error telling the user how to manually resolve it, and provide a hash of the license to store, to record that it is resolved for that version of the license.

@epage
Contributor Author

epage commented Mar 1, 2019

For more ideas, see

@epage
Contributor Author

epage commented Mar 1, 2019

For audits and generating binaries, I think it'd be useful for us to have two modes

  • Use dependencies for current features / target: what is relevant to the current binary
  • All features / targets: what would be relevant for any generated binary

@compenguy

There are a couple of important things to consider here.

As a crate author, you'd probably want the ability to review the impact of dependency permutations, not at the level of permutations themselves, but just for how they impact the set of included licenses.

As a binary author, there's a lot more going on.

You might want the ability to interfere with cargo's dependency resolution to blacklist crates with certain licenses, or undeclared licenses.

You might want the ability to statically declare an alternate license on behalf of a dependency crate (a project might be MIT licensed, but incorporate, for example, BSD-licensed content without correctly reflecting that at the project level, and a binary author might want the ability to override the MIT-only declaration for that crate).

You will want the ability to audit and approve the licenses of all included crates.

You will want the ability to collect/generate and approve applicable legal notices for included crates.

You should want the ability to automatically estimate the confidence in the completeness/correctness of the declared license, or estimate (with confidence interval) the license of a crate for which none is declared by finding copyright statements in the project and examining whether license text or identifiers appear near them, etc.

You will want the ability to do incremental review of updated dependencies (did the license type change, and how? did the contents of the license file change, and how? Did the confidence interval change, and why?).

The SPDX licensing standard provides a lot of material that could be used to help seed a lot of this: standard identifiers for referencing licenses, standard forms of the licenses themselves, and standard file formats for reporting applicable legal notices, as well as review/approval of the included components.

I'm imagining a suite of crates:

  • An SPDX licenses-and-identifiers crate that just has copies of all the relevant licenses, and an interface for enumerating/matching identifier names and using those to fetch the text of those licenses

  • A license discovery heuristic crate, for examining a source tree and determining the applicable license(s), their text, a confidence interval, and the ability to query for the chunks of text that appeared to be relevant to determining license

  • A crate for parsing/modifying SPDX rdf/xml declarations data (the notices files)

  • The top-level crate for orchestrating the workflow - verifying that the SPDX declarations are up-to-date, that everything's been reviewed and approved, summarizing what's new or changed in dependencies, etc.

@epage
Contributor Author

epage commented Mar 1, 2019

I'll have to dig through the various spdx related crates to see if there is anything that could help with this.

@compenguy

compenguy commented Mar 1, 2019

askalono looks like the only one worth its salt for what you want to do here. The license discovery heuristic crate could build on askalono for part of the job it's trying to do.

It occurs to me that there'd be another crate that would be useful as part of the suite - a kind of a "clippy for licensing" that could apply configurable checks for whether source files have license headers, warn about potential license incompatibilities (you have to be careful with this one, though), etc.
