Include list of all dependencies and their licenses in any release #379

Closed
andrewdavidmackenzie opened this issue Jun 17, 2017 · 3 comments

Comments

@andrewdavidmackenzie
Member

Downstream users of this repo would like to know the licenses that apply to it and all of its transitive dependencies.

The request is for releases of this repo to have a structured file (csv, json, xml preferred) containing at least the following information:

  • list of all transitive dependencies
  • for each dependency:
    • name and version
    • name of the license that applies to the dependency
    • url to the license text
@mikz mikz added this to the 3.1 milestone Jul 25, 2017
@mikz
Contributor

mikz commented Aug 16, 2017

Thought about this long and hard.

I could not find any decent Lua package manager that would lock dependencies and be able to say what are the exact versions being used.

The only reasonable way of doing this is to scan the luarocks install tree and find out what is installed after it was installed. That rules out license_finder.

This step can be done in the build phase.

@mikz
Contributor

mikz commented Nov 21, 2017

rover inspect  --roverfile gateway/Roverfile
luafilesystem	 	1.7.0-2	 	MIT/X11
router	 	2.1-0	 	MIT
ldoc	 	1.4.6-2	 	MIT/X11
lua-resty-http	 	0.11-0	 	2-clause BSD
lua_cliargs	 	3.0-1	 	MIT <http://opensource.org/licenses/MIT>
lua-resty-env	 	0.4.0-1	 	Apache License 2.0
luasystem	 	0.2.1-0	 	MIT <http://opensource.org/licenses/MIT>
luassert	 	1.7.10-0	 	MIT <http://opensource.org/licenses/MIT>
busted	 	2.0.rc12-1	 	MIT <http://opensource.org/licenses/MIT>
lua-resty-execvp	 	0.1.0-1	 	Apache License 2.0
say	 	1.3-1	 	MIT <http://opensource.org/licenses/MIT>
lua-resty-jwt	 	0.1.11-0	 	Apache License Version 2
lua-term	 	0.7-1	 	MIT/X11
penlight	 	1.5.4-1	 	MIT/X11
lua-resty-url	 	0.2.0-1	 	Apache License 2.0
lua-resty-iputils	 	0.3.0-1	 	MIT
argparse	 	0.5.0-1	 	MIT/X11
inspect	 	3.1.0-1	 	MIT <http://opensource.org/licenses/MIT>
liquid	 	scm-1	 	BSD-2-Clause
mediator_lua	 	1.1.2-0	 	MIT <http://opensource.org/licenses/MIT>
markdown	 	0.33-1	 	MIT/X11
lua-resty-repl	 	0.0.6-0	 	MIT <http://opensource.org/licenses/MIT>
dkjson	 	2.5-2	 	MIT/X11

We include all dependencies, but it should be easy to limit it to some group (like production) 3scale/lua-rover#7.

@mikz mikz removed this from the 3.1 milestone Nov 21, 2017
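
An added example, not part of the thread and not the project's own tooling: one way to turn a listing shaped like the `rover inspect` output above into the structured records the issue asks for (name, version, license name, license URL), flagging rows whose license string cannot be normalized. The SPDX mapping, the function names and the `examplerock` row are assumptions made for illustration.

```python
import json
import re

# Constructed sample rows in the tab-separated shape of the listing above.
# "examplerock" is a hypothetical package with a free-form license string.
SAMPLE = (
    "luafilesystem\t \t1.7.0-2\t \tMIT/X11\n"
    "lua-resty-http\t \t0.11-0\t \t2-clause BSD\n"
    "lua_cliargs\t \t3.0-1\t \tMIT <http://opensource.org/licenses/MIT>\n"
    "lua-resty-jwt\t \t0.1.11-0\t \tApache License Version 2\n"
    "examplerock\t \t1.0-1\t \tSee COPYING\n"
)

# Assumed mapping of rockspec license strings to SPDX identifiers; treating
# "MIT/X11" as MIT is an assumption to confirm against the license text.
SPDX = {
    "mit": "MIT", "mit/x11": "MIT",
    "2-clause bsd": "BSD-2-Clause", "bsd-2-clause": "BSD-2-Clause",
    "apache license 2.0": "Apache-2.0",
    "apache license version 2": "Apache-2.0",
}
URL_RE = re.compile(r"<(https?://[^>]+)>")

def parse_inventory(text):
    """One record per dependency row; spdx is None when unmapped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) not in (2, 3):
            continue  # command echo, blank line or malformed row
        name, version, raw = (fields + [""])[:3]  # license may be absent
        url = URL_RE.search(raw)
        label = URL_RE.sub("", raw).strip()
        records.append({
            "name": name, "version": version, "license": label or None,
            "spdx": SPDX.get(label.lower()),
            "url": url.group(1) if url else None,
        })
    return records

def needs_review(records):
    """Dependencies whose license could not be normalized."""
    return [r["name"] for r in records if r["spdx"] is None]

if __name__ == "__main__":
    recs = parse_inventory(SAMPLE)
    print(json.dumps(recs, indent=2))
    print("manual review:", needs_review(recs))
```

Rows with a missing or unrecognized license are kept in the inventory with `spdx` set to `None`, so a release check can fail on a non-empty `needs_review` result instead of silently dropping the dependency.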
@davidor
Contributor

davidor commented Nov 8, 2018

Releases now include a licenses.xml with the information requested in the issue.

@davidor davidor closed this as completed Nov 8, 2018