Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check whether extension has an OSI approved license #513

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Check whether extension has an OSI approved license #513

wants to merge 7 commits into from

Conversation

filiptronicek
Copy link
Collaborator

@filiptronicek filiptronicek commented Nov 25, 2021
edited
Loading

Fixes #510

How to test

  1. Add the following to extensions.json
  "filiptronicek.unlicensed": {
    "repository": "https://github.com/filiptronicek/test-unlicensed-repo"
  },
  1. Execute this command and watch the terminal output (also add your own GITHUB_TOKEN, so that the script can request the GitHub API for the license)
GITHUB_TOKEN=xxx EXTENSIONS=filiptronicek.unlicensed node publish-extensions

ToDo

  • Make sure licenses are checked in every case, including fetching from GitHub releases
    • Using the GitHub API to check the license should be a last resort, because it is not possible to query a license for a specific time

@filiptronicek
Copy link
Collaborator Author

Published https://www.npmjs.com/package/osi-license-checker

akosyakov
akosyakov reviewed Nov 26, 2021
View reviewed changes
lib/resolveExtension.js Outdated
@@ -53,6 +54,26 @@ exports.resolveExtension = async function ({ id, repository, location }, ms) {
await exec(`git clone --filter=blob:none --recurse-submodules ${repository} ${repoPath}`, { quiet: true });

const packagePath = [repoPath, location, 'package.json'].filter(p => !!p).join('/');

//#region Check if the extension has an OSI-approved open-source license
try {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should not we check a revision form which we build vsix file?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch, @akosyakov, I was thinking about doing that, settled on "licenses don't change from commit to commit, right?". In edge cases where a license might be changed, added, or removed, I'll integrate it into the resolveVersion function to avoid otherwise duplicating the code over and over.

publish-extensions/lib/resolveExtension.js

Lines 60 to 71 in 4d65730

async function resolveVersion(ref) {
try {
await exec(`git reset --hard ${ref} --quiet`, { cwd: repoPath, quiet: true });
const manifest = JSON.parse(await fs.promises.readFile(packagePath, 'utf-8'));
if (`${manifest.publisher}.${manifest.name}`.toLowerCase() !== id.toLowerCase()) {
return undefined;
}
return manifest.version;
} catch {
return undefined;
}
}

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just looked into this again, and it seems there is no way to fetch the license for a specific time in the repository, just the current state. I checked with both the REST and GraphQL APIs, the only parameters allowed are name and owner.

@filiptronicek filiptronicek self-assigned this Jan 18, 2022
@filiptronicek filiptronicek marked this pull request as ready for review January 20, 2022 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akosyakov akosyakov akosyakov left review comments

Assignees

@filiptronicek filiptronicek

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

auto check that license is OSI approved
2 participants
@filiptronicek @akosyakov