Add option to list recursive dependencies of a package along with their licenses #879

Open
bos opened this Issue May 24, 2012 · 9 comments

@bos
Contributor
bos commented May 24, 2012

(Imported from Trac #889, reported by joeyadams on 2011-09-27)

It should be possible to list all of the dependencies of a package, including their licenses. This would be useful for:

  • Developers writing proprietary applications.
  • Developers who don't want their liberally-licensed libraries to be "upgraded" to the GPL or similar by subtle dependencies.

Attached is a simple patch that makes cabal-install list this information when the verbosity level is 2 or higher. Sample usage:

    $ cabal install --verbose=2 --dry-run gnutls
    Reading available packages...
    Resolving dependencies...
    base         BSD3
    bytestring   BSD3
    ffi          BSD3
    ghc-prim     BSD3
    gnutls       GPL (Just (Version {versionBranch = [3], versionTags = []}))
    integer-gmp  BSD3
    monads-tf    BSD3
    rts          BSD3
    transformers BSD3
    In order, the following would be installed:
    monads-tf-0.1.0.0 (new package)
    gnutls-0.1 (new package)

This is a quick hack, as I am not familiar with the Cabal codebase. This should probably be wrapped as a --list-licenses command line switch. Pretty-printing licenses would be a plus.

I am already finding this feature useful, and hope others will too.
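
The request above, worked as an added example (not part of the original post and not cabal-install code): walk the transitive dependency closure, report each package's license, and show the chain that pulls in anything outside an allowlist. The package index, the `myapp` and `tls-wrapper` packages, and all dependency edges are constructed for illustration.

```python
from collections import deque

# Constructed sample index: package -> (license, direct dependencies).
# Package names and licenses follow the listing above; "myapp",
# "tls-wrapper" and every dependency edge are assumptions for this example.
INDEX = {
    "myapp":        ("BSD3", ["base", "bytestring", "tls-wrapper"]),
    "tls-wrapper":  ("BSD3", ["base", "gnutls"]),
    "gnutls":       ("GPL-3", ["base", "bytestring", "monads-tf", "transformers"]),
    "monads-tf":    ("BSD3", ["base", "transformers"]),
    "transformers": ("BSD3", ["base"]),
    "bytestring":   ("BSD3", ["base", "ghc-prim"]),
    "base":         ("BSD3", ["ghc-prim", "integer-gmp", "rts"]),
    "ghc-prim":     ("BSD3", ["rts"]),
    "integer-gmp":  ("BSD3", ["ghc-prim"]),
    "rts":          ("BSD3", []),
}

def dependency_paths(index, root):
    """Breadth-first walk: map every transitive dependency of root to the
    shortest chain of packages that pulls it in. Cycles are tolerated."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg not in index:
            continue  # not in the index: license_report marks it UNKNOWN
        for dep in index[pkg][1]:
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    del paths[root]
    return paths

def license_report(index, root, allowed):
    """Rows of (package, license, is_allowed, path), sorted by package name."""
    rows = []
    for pkg, path in sorted(dependency_paths(index, root).items()):
        lic = index[pkg][0] if pkg in index else "UNKNOWN"
        rows.append((pkg, lic, lic in allowed, path))
    return rows

if __name__ == "__main__":
    for pkg, lic, ok, path in license_report(INDEX, "myapp", {"BSD3", "MIT"}):
        flag = "" if ok else "  <-- not allowed, via " + " -> ".join(path)
        print(f"{pkg:<13}{lic}{flag}")
```
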

@bos
Contributor
bos commented May 24, 2012

(Imported comment by @kosmikus on 2011-09-27)

Vaguely related to #539. (Both are about getting more info about the overall dependency graph, but admittedly in quite different ways.)

@ivanperez-keera

I would find this useful to list all the dependencies of a project when I need to reinstall them (for instance, with --enable-library-profiling).

I suggest that this behaviour be included with 'list-dependencies' (either as a command or a flag of some other command), and that licenses be printed only when --verbose is used.

@tibbe
Member
tibbe commented Sep 29, 2013

@ivanperez-keera We're solving the freezing of dependencies another way, namely using #1519

@mtullsen

This (the "along with their licenses" part) is something that Galois is very interested in. On one of our projects we are delivering a binary to a customer and we want some confidence regarding the license(s) for that binary.
What we currently have is highly ad hoc:

  • a "cabal test" target with a 'postTest' user hook that prints the licenses.

We basically want a way to list the package dependencies and their licenses. Here are some ideas as to a more principled way to add this capability:

How to invoke the feature:

  • Alternative 1: add options to the cabal list command:

    cabal list --dependencies-only
    cabal list --dependencies-only --simple-output --show-licenses
    

    (In the latter case we need --show-licenses because --simple-output doesn't print the license information.)

  • Alternative 2: a new cabal command that works similarly to 'cabal list':

    cabal list-dependencies ... [--show-licenses]
    

Also, we might generalize --show-licenses to an ability to display the value of any cabal field:

    cabal list-dependencies --show-field=license
    cabal list-dependencies --show-field=author
    ...

What seem to be less desirable approaches:

  • As an option to install: we'd like to extract this information after installation without having to re-install.

  • Using the by-products of cabal freeze: I see that I can get the list of dependencies from

    cabal freeze --dry-run
    

    but I'd much prefer to not be parsing the by-product of another command.

Yet another need we have:

  • Getting the information needed so that we can snag all the license files to bundle them into our binary distribution. Maybe this capability could be built into the --show-field option, but I'm not sure how we'd get the information where the license files are stored.

Galois is interested in doing the development needed. But before we start, we'd like to get some consensus on what the community is interested in (and what patches would be likely to be accepted :-).

Input? Wishes? Other thoughts?

Thanks, Mark

@23Skidoo
Member

@mtullsen

> Galois is interested in doing the development needed.

Great! You may be interested in https://github.com/jaspervdj/cabal-dependency-licenses which also implements this functionality.

> Alternative 1: add options to the cabal list command.

I'm +1 on this alternative.

> Getting the information needed so that we can snag all the license files to bundle them into our binary distribution. Maybe this capability could be built into the --show-field option, but I'm not sure how we'd get the information where the license files are stored.

The licenses are stored under ~/.cabal/share/doc/$arch-$os-$compiler/$pkgid (aka InstallDirs.docdir), so if you know the target platform and have a package description of the dependency in question (which tells you the value of license-file), retrieving them is easy. Note that there can be multiple license files per package. Also note that with GHC 7.10, $pkgid also includes the package key in addition to package name and version. Maybe we could add a flag to cabal copy to do what you want.
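
The retrieval described in the comment above, as an added example (not from the thread and not cabal code): copy every declared license file of each dependency out of the doc directory into a bundle, and report anything missing. It assumes each `license-file` value is a path relative to the package's doc directory and that the caller passes the `$pkgid` directory name exactly as installed (including any package key); because `license-file` comes from third-party package descriptions, values that resolve outside that directory are refused.

```python
import shutil
from pathlib import Path

def collect_license_files(docdir_root, platform, deps, dest):
    """Copy license files from <docdir_root>/<platform>/<pkgid>/ into
    <dest>/<pkgid>/.

    deps maps pkgid -> list of license-file values taken from that
    package's description (a package may declare several).
    Returns (copied, problems): bundle-relative paths that were copied,
    and (pkgid, name, reason) tuples for everything that was not."""
    copied, problems = [], []
    for pkgid, names in sorted(deps.items()):
        pkg_doc = (Path(docdir_root) / platform / pkgid).resolve()
        if not names:
            problems.append((pkgid, None, "no license-file declared"))
        for name in names:
            src = (pkg_doc / name).resolve()
            # Untrusted field: reject values such as "../../x" that
            # resolve outside this package's own doc directory.
            if pkg_doc not in src.parents:
                problems.append((pkgid, name, "path escapes docdir"))
            elif not src.is_file():
                problems.append((pkgid, name, "not installed"))
            else:
                out = Path(dest) / pkgid / src.relative_to(pkg_doc)
                out.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, out)
                copied.append(out.relative_to(dest).as_posix())
    return copied, problems
```

A non-empty `problems` list is the signal to stop a release: a dependency with no installed license text cannot be bundled as the comment describes.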

@23Skidoo
Member

/cc @dcoutts

@mtullsen

> Great! You may be interested in https://github.com/jaspervdj/cabal-dependency-licenses which also implements this functionality.

Thanks for the pointer, I was completely unaware of this.

We'd still be interested in bringing this functionality into cabal-install. I'm assuming that others would also find this useful ...?

@mietek
Contributor
mietek commented Nov 27, 2014

In a similar vein, I would like to be able to list the build-tools and extra-libs used by a project's transitive dependencies. I have done some work towards this, but it is not quite satisfactory (mietek/haskell-on-heroku#34).

@dcoutts
Member
dcoutts commented Nov 27, 2014

People have looked before at the feature to collect the bundle of licenses for a package (in a particular configuration). Would that be enough and cover the other use cases or do we need it in multiple places?

@mtullsen mtullsen added a commit to mtullsen/cabal that referenced this issue Mar 1, 2016
@mtullsen mtullsen Extend the cabal 'list' command with --dependencies
Implements one solution to #879.

Extends the cabal list command (as described in #879): generalizing the idea of
listing the license field to listing multiple, arbitrary fields of the dependent
packages.
9504521