-
This is a very interesting point you bring up @da1910. We should explicitly state that if we ever identify libraries/dependencies that, despite their metadata, do not have a proper license, we should do a more thorough check and determine whether to include or exclude them. Let's clarify it in the action's description. I can take the action to do so.
-
The issue here is the second part, managing the truth. There are plenty of solutions to do this, but at the end of the day you need a place to store information about decisions. I have deployed https://dependencytrack.org/ in the past as a way to handle this, which works very well, but there are plenty of alternatives. This has the added benefit of integrating well with other tools like SonarQube.
-
The license check action is a nice idea, but it's trickier than it seems to make it actually work reliably. First of all, there's no guarantee that a package actually declares the right license on its PyPI page; the metadata there is... somewhat fictional.
Secondly just because a package declares that it has an MIT license, for example, does not mean that it does, or that it has followed the required steps.
As a first pass to check things, this is probably fine, but if it's actually important that the dependencies are OK, for example if someone packages the code into a binary, then we need to be a lot more diligent with our license checking.
We probably ought to make clear, either in documentation, or in the output from the action, that the check is not exhaustive, is definitely not guaranteed to be correct, and should not be used to decide whether to compile a library into a binary.
As an aside, two examples of where things go awry:
PyWin32 (A dependency of just about every library that does anything on windows)
PyWin32 declares that it uses the PSF license on PyPI, but the repo lists no overall license text:
https://github.com/mhammond/pywin32
The Pythonwin module does include a license.txt file, but with the 3-clause BSD license:
https://github.com/mhammond/pywin32/blob/main/Pythonwin/License.txt
The adodbapi module also has a license.txt file, but this is LGPL:
https://github.com/mhammond/pywin32/blob/main/adodbapi/license.txt
The isapi module does not include a license.txt file, but the header in each source file includes the MIT license text:
https://github.com/mhammond/pywin32/blob/main/isapi/src/PyExtensionObjects.cpp
Requests-Negotiate-SSPI (The simple way to authenticate with kerberos on windows)
The library correctly identifies Apache 2.0 as the license on PyPI and includes a license.txt file with the text of the license; however, the terms of the Apache 2.0 license explicitly require text to be included somewhere indicating the name of the copyright holder. This is not included, and so by the letter of the license it is not applicable.
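A conservative first-pass check of the kind the thread discusses, added here as an example (it is not code from the action or the project under discussion). It parses the RFC 822 style METADATA / PKG-INFO headers a package ships, and flags packages whose declared license is missing, ambiguous, or inconsistent between the License field, the trove classifier and the recorded license files, so a human reviews them rather than trusting the metadata at face value. The sample metadata texts are constructed and the alias table is a minimal assumption.

```python
from email.parser import HeaderParser

CLASSIFIER_PREFIX = "License :: OSI Approved :: "
# Minimal alias table (assumption): short License-field spellings mapped to the
# wording used by the matching trove classifier. Anything not listed here falls
# through to a plain substring check, so unusual spellings get flagged for review.
ALIASES = {"psf": "python software foundation", "apache": "apache software"}


def parse_metadata(text):
    """Extract name, License field, OSI license classifiers and License-File entries."""
    msg = HeaderParser().parsestr(text)
    license_field = (msg.get("License") or "").strip()
    classifiers = [c[len(CLASSIFIER_PREFIX):] for c in msg.get_all("Classifier", [])
                   if c.startswith(CLASSIFIER_PREFIX)]
    return msg.get("Name", ""), license_field, classifiers, msg.get_all("License-File", [])


def field_matches_classifier(license_field, classifier):
    """Conservative comparison: the first word of the License field (after aliasing)
    must appear in the classifier text; otherwise the package needs a human look."""
    key = license_field.lower().split()[0]
    return ALIASES.get(key, key) in classifier.lower()


def triage(text):
    """Return a list of findings for one package; an empty list means nothing suspicious."""
    name, lic, classifiers, files = parse_metadata(text)
    declared = "" if lic.upper() == "UNKNOWN" else lic  # setuptools writes UNKNOWN when unset
    findings = []
    if not declared:
        findings.append(f"{name}: License field missing or UNKNOWN")
    if not classifiers:
        findings.append(f"{name}: no OSI license classifier")
    elif len(classifiers) > 1:
        findings.append(f"{name}: multiple license classifiers: " + ", ".join(classifiers))
    elif declared and not field_matches_classifier(declared, classifiers[0]):
        findings.append(f"{name}: License {declared!r} does not match classifier {classifiers[0]!r}")
    if not files:
        findings.append(f"{name}: no License-File recorded; license text may not ship")
    return findings


# Constructed sample metadata (not real packages).
SAMPLE_OK = "Name: example-consistent\nLicense: MIT\n" \
            "Classifier: License :: OSI Approved :: MIT License\nLicense-File: LICENSE\n"
SAMPLE_MISMATCH = "Name: example-mismatch\nLicense: PSF\n" \
                  "Classifier: License :: OSI Approved :: BSD License\n"
SAMPLE_UNKNOWN = "Name: example-unknown\nLicense: UNKNOWN\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MISMATCH, SAMPLE_UNKNOWN):
        print(triage(sample) or ["ok"])
```

In a real run the text would come from `importlib.metadata.distribution(name).read_text("METADATA")` for each installed package; a non-empty findings list is a prompt for manual review, not a verdict.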