A License check is failing. I know how to fix that. Let me push some commits...

I am struggling to see what is wrong with the license configuration. When I run enso/gatherLicenses locally, it generates a different number of warnings than on the CI. How can I reproduce https://github.com/enso-org/enso/actions/runs/7694191923/job/20964475421?pr=8883#step:10:1471 locally?

Please help @radeusgd

GitHub

Upgrading to GraalVM 21.0.2 · enso-org/enso@41b7efc

Hybrid visual and textual functional programming. Contribute to enso-org/enso development by creating an account on GitHub.

I am struggling to see what is wrong with the license configuration. When I run enso/gatherLicenses locally, it generates a different number of warnings than on the CI. How can I reproduce enso-org/enso/actions/runs/7694191923/job/20964475421?pr=8883#step:10:1471 locally?

Please help @radeusgd

GitHub**Upgrading to GraalVM 21.0.2 · enso-org/enso@41b7efc**Hybrid visual and textual functional programming. Contribute to enso-org/enso development by creating an account on GitHub.

CI does not run gatherLicenses at all. It only runs verifyLicensePackages which just checks if the hashcode of the dependency config and the reports are the same as the one written in the committed report-state file. The warnings count is also written to that file - so that the CI knows if it should be failing - but the count of warnings is generated only locally and has to be committed. Maybe the differing amount of warnings is from a previous run of the tool by Jaroslav? Anyway, you should just try to update the config locally to have 0 warnings and then you can commit the 'fixed' report state and you should be able to get this to pass.

Anyway, you should just try to update the config locally to have 0 warnings

How does one "update the config"? Is there a command to invoke to generate the update? I am dreaming about sbt gatherLicenses to update all the license file on disk. Then I just review the changes and integrated them.

Instead of that I get a page like this:

What that is supposed to mean? Yes, I found licenses.md...

Found legal review configuration for package org.graalvm.polyglot.polyglot-23.1.0, but no such dependency has been found. Perhaps it has been removed?

Eh? Where did the tool find it? Why can't I even grep for it? Can't it have a link?

(NotReviewed)

A red message. Oh, surprise, it is clickable! How can one find that out without accidentally clicking on it!?

What's the point of clicking each NotReviewed and selecting ignore? Making the changes automatically would have the same effect and would be way less work while providing the same legal shielding (e.g. almost none at all).

Found legal review configuration for package org.graalvm.polyglot.polyglot-23.1.0, but no such dependency has been found. Perhaps it has been removed?

Eh? Where did the tool find it? Why can't I even grep for it? Can't it have a link?

In the subdirectory for a given component within tools/legal-review, as stated by the documentation you linked.

A red message. Oh, surprise, it is clickable! How can one find that out without accidentally clicking on it!?

Sorry that the tool design is lacking, it was made in a very short time and we never invested more time in improving it. I made it mostly as a replacement for manually gathering licenses of about 100 of our dependencies back in the day. I'm happy to improve it if we find time for this.

What's the point of clicking each NotReviewed and selecting ignore?

The idea was to rather select 'Keep with context' most of the time. Licenses like Apache specify that we should redistribute copyright notices that are found within the libraries. This was the simplest way to ensure all copyrights are redistributed (even if maybe it would not be strictly necessary to keep all of them).

But as you say, it's a very rudimentary system. Until we have a proper legal team review this, I think it's a decent 'due diligence' we can be doing in trying to satisfy the copyright notice requirements.

But I definitely agree it is very minimal (it was a 'better anything than nothing' solution) and we should actually get our official distribution reviewed by someone competent (a lawyer) to ensure all licenses we are using are indeed compatible and we satisfy the requirements in the distribution.

The idea was that 'Ignore' is only used for false-positives i.e. stuff that matches that is not a copyright notice.

If you think we could use something else instead of this tool, I have nothing against migrating.

Thanks a lot for finishing and merging this PR.