CI: check for dependency licenses #1779
Since our project is licensed under the MIT License, we can't be using any dependencies in our project. This commit adds a step to the CI lint phase that will use pip-licenses to verify that all the installed packages are part of an ALLOWED_LICENSE variable. This variable is currently set to be every license we currently use. We opted to use an allowlist instead of a denylist to make sure that new licenses are reviewed by hand and added to that variable.
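As an added illustration of the allowlist approach described above (example code written for this page, not the PR's CI step and not pip-licenses' own implementation), the check below reads license names from installed package metadata, accepts a package only if one of its declared licenses is in a ';'-separated ALLOWED_LICENSE value (whitespace around entries tolerated), and reports everything else, including packages with no declared license, for manual review. The sample allowlist value is constructed.

```python
"""Allowlist check for dependency licenses (added example, not pip-licenses code)."""
import sys
from importlib.metadata import distributions

# Constructed value in the same ';'-separated shape as the PR's ALLOWED_LICENSE;
# stray spaces around entries must not break the match.
ALLOWED_LICENSE = "MIT License; BSD License ;Apache Software License; ISC License (ISCL)"


def parse_allowlist(raw: str) -> set[str]:
    """Split the ';'-separated allowlist and strip surrounding whitespace."""
    return {entry.strip() for entry in raw.split(";") if entry.strip()}


def package_licenses(meta) -> list[str]:
    """License names for one distribution: trove classifiers first, then the
    free-form License field, else UNKNOWN so the package is never silently passed."""
    names = [
        c.split("::")[-1].strip()
        for c in meta.get_all("Classifier", [])
        if c.startswith("License ::")
    ]
    if not names and meta.get("License"):
        names = [meta["License"].strip()]
    return names or ["UNKNOWN"]


def find_disallowed(packages: dict[str, list[str]], allowlist: set[str]) -> dict[str, list[str]]:
    """Packages with no allowed license. Allowlist semantics: anything new or
    unknown fails closed and must be reviewed by hand, then added or replaced."""
    return {
        name: lics for name, lics in packages.items()
        if not any(lic in allowlist for lic in lics)
    }


def check_installed(raw_allowlist: str = ALLOWED_LICENSE) -> dict[str, list[str]]:
    """Scan the current environment; a non-empty result means CI should fail."""
    pkgs = {d.metadata["Name"]: package_licenses(d.metadata) for d in distributions()}
    return find_disallowed(pkgs, parse_allowlist(raw_allowlist))


if __name__ == "__main__":
    bad = check_installed()
    for name, lics in sorted(bad.items()):
        print(f"{name}: {'; '.join(lics)}")
    sys.exit(1 if bad else 0)
```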
Thanks to raimon49/pip-licenses#109, we are now able to ignore spaces around the allow-only parameter. Rejoice!
This is now ready for review! Once merged, we should probably port that to our other major projects.

How was it determined which licences are compatible with MIT?
I've looked at choose-a-license.org to see what their requirements are, and they all seemed to be okay with being used with MIT. All of those are very permissive. Note that I'm not a lawyer and this is not legal advice, you know the drill.

I looked at LGPL and even if it might be compatible with MIT, it does have some extra requirements. See section 4, which states that copies of the licence must be included, among other things.

@MarkKoz my understanding here is we are only a consumer of the original library and never modify it, meaning it isn't a derived work and we aren't subject to those rules. Although I'm honestly not sure, should we ask anyone about this?
It is a combined work. What I've heard is importing a library is considered to be linking to it. So, see the licence's definition of a combined work:
As this project uses pre-commit, I feel like it would make sense to add this as a pre-commit hook, using the local configuration options, and setting it to only run on edits to pyproject.toml/poetry.lock. This would help ensure that regressions are discovered before they're ever committed.

I must be doing something wrong, as I tried this locally and added fuzzywuzzy as a dependency and this did not flag it at all.

@MarkKoz alright, so we have two packages that use LGPL. One of them is flake8-import-order which is quite easy to swap for Isort and would be quite an improvement. The other is chardet, a dependency of aiohttp. It is a bit more problematic, but we could dodge it using the accelerator lib cChardet instead, which is under the Mozilla license. Maybe we could explore that if we want to get rid of them? Another solution would be to simply include a

@onerandomusername we opted to run it only in the CI to facilitate things, as running custom hooks on both Windows and Linux can be a pain. I don't think it matters when it is detected, as the work will have to be re-done either way. Also I don't know how you managed to not make it work, here is an (accidental) working example: 384d5b4. Updating
ChrisLovering
left a comment
This PR is good to catch the licenses that are obviously against our MIT license.
I think we should create an issue to discuss what to do about the grey area licenses, rather than blocking this feature.
Port of python-discord/bot#1779 --- Since our project is licensed under the MIT License, we can't be using any incompatible license-wise dependencies in our project, such as GPL. This commit adds a step to the CI lint phase that will use pip-licenses to verify that all the installed packages are part of an ALLOWED_LICENSE variable. This variable is currently set to be every license we currently use. We opted to use an allowlist instead of a denylist to make sure that new licenses are reviewed by hand and added to that variable.
* CI: check for license compatibility Port of python-discord/bot#1779 --- Since our project is licensed under the MIT License, we can't be using any incompatible license-wise dependencies in our project, such as GPL. This commit adds a step to the CI lint phase that will use pip-licenses to verify that all the installed packages are part of an ALLOWED_LICENSE variable. This variable is currently set to be every license we currently use. We opted to use an allowlist instead of a denylist to make sure that new licenses are reviewed by hand and added to that variable.
Co-authored-by: ChrisJL <ChrisLovering@users.noreply.github.com>
Co-authored-by: Xithrius <15021300+Xithrius@users.noreply.github.com>
Co-authored-by: Vivaan Verma <54081925+doublevcodes@users.noreply.github.com>
Since our project is licensed under the MIT License, we can't be using any dependencies in our project.
This PR adds a step to the CI lint phase that will use pip-licenses to verify that all the installed packages are part of an ALLOWED_LICENSE variable. This variable is currently set to be every license we currently use.
We opted to use an allowlist instead of a denylist to make sure that new licenses are reviewed by hand and added to that variable.