At the moment, it is hard to generate a bill of materials for dependencies.
Since IIUC standard Haskell practice is to link statically, that seems to mean
that binary distributions effectively are redistributing derivative works of all
dependencies, and so my understanding is that all their license terms need to be
distributed along with the software.
However, I acknowledge that even projects as conservative as Debian aren't
bothering to do this, so this may be a solution looking for a
problem. On the other hand, the existence of `cabal-plan license-report` suggests to me that some people are bothering to do this.
In particular `stack ls dependencies --license` isn't enough.
This is for a couple of reasons:
- For some licenses (MIT, BSD, ISC, ...), the license text needs to also be
  distributed.
- The output still needs to be massaged into an actual report.
- It'd be nice if the report could canonicalize the license strings -- right now
  it seems it produces the raw license strings from the `.cabal` files.
(A further ask that requires social, not technical, solutions is to have the
license strings be SPDX identifiers, since the current freeform standard gives
rise to such ambiguities as "What does GPL mean?" (version is ambiguous, as
is whether using later versions is permitted))
Hacking a solution around cabal-plan is not viable, since it requires both a `plan.json` (which might be generated from a freezefile, but…) and also a
populated Cabal store. Hence, a `stack`-native solution is necessary. For the
same reason, it is unreasonable to push this to cabal-plan, and given that `stack ls dependencies --license` exists, it makes sense to push for it to
actually be useful.
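A post-processor of the kind the points above ask for, added here as an example (it is not part of the issue, of stack, or of cabal-plan). It assumes `stack ls dependencies --license` prints one `<package> <license>` line per dependency, and it uses a small, assumed mapping of legacy Cabal license names to SPDX identifiers; unversioned or unqualified copyleft strings are flagged for review instead of being guessed.

```python
import re
from typing import NamedTuple

# Legacy Cabal license names -> SPDX ids (assumed mapping; unknown strings are
# left as-is and flagged for review rather than guessed).
LEGACY_TO_SPDX = {"BSD2": "BSD-2-Clause", "BSD3": "BSD-3-Clause", "MIT": "MIT",
                  "ISC": "ISC", "Apache-2.0": "Apache-2.0", "MPL-2.0": "MPL-2.0"}
# Copyleft strings lacking an SPDX -only/-or-later suffix: the version, or whether
# later versions are permitted, cannot be decided from the string alone.
AMBIGUOUS_COPYLEFT = re.compile(r"^(A?GPL|LGPL)(-\d+(\.\d+)*)?$")
# Permissive families whose license text must ship with a binary distribution.
TEXT_REQUIRED = ("MIT", "ISC", "BSD-", "Apache-")

class Entry(NamedTuple):
    package: str
    raw: str          # license string exactly as the .cabal file declared it
    spdx: str         # canonical SPDX id, or raw when unknown or ambiguous
    ambiguous: bool   # a human must decide which license actually applies
    needs_text: bool  # full license text must be redistributed with binaries

def classify(package: str, raw: str) -> Entry:
    raw = raw.strip()
    if AMBIGUOUS_COPYLEFT.match(raw):
        return Entry(package, raw, raw, True, False)
    known = raw in LEGACY_TO_SPDX or raw in LEGACY_TO_SPDX.values()
    spdx = LEGACY_TO_SPDX.get(raw, raw)
    return Entry(package, raw, spdx, not known, spdx.startswith(TEXT_REQUIRED))

def build_report(stack_output: str) -> list[Entry]:
    """Parse '<package> <license>' lines (assumed `stack ls dependencies --license` shape)."""
    entries = []
    for line in stack_output.splitlines():
        if line.strip():
            package, _, raw = line.strip().partition(" ")
            entries.append(classify(package, raw))
    return sorted(entries)

def render(entries: list[Entry]) -> str:
    """One line per package, then the two action lists a release engineer needs."""
    out = [f"{e.package}: {e.spdx}{' [REVIEW]' if e.ambiguous else ''}" for e in entries]
    out.append("ship license text for: " + ", ".join(e.package for e in entries if e.needs_text))
    out.append("manual review needed: " + ", ".join(e.package for e in entries if e.ambiguous))
    return "\n".join(out)

# Constructed sample lines, not captured from a real project.
SAMPLE = "aeson BSD-3-Clause\nbase BSD3\nsome-lib GPL\nother-lib GPL-2\nmy-app MIT\nodd-lib OtherLicense\n"
```

Running `print(render(build_report(SAMPLE)))` lists each package with its canonical id, the packages whose license text must accompany a binary, and the ones (here the `GPL`, `GPL-2` and `OtherLicense` entries) that no tool can resolve without a human reading the package.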