Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce license auditing tooling to CI #1502

Closed
workingjubilee opened this issue Jan 29, 2024 · 0 comments · Fixed by #1504
Closed

Introduce license auditing tooling to CI #1502

workingjubilee opened this issue Jan 29, 2024 · 0 comments · Fixed by #1504
Labels
ci Work related to continuous integration deps About dependency management legal licensing, etc.

Comments

@workingjubilee
Copy link
Member

workingjubilee commented Jan 29, 2024
edited
Loading

The pgrx crates have a lot of transitive dependencies. Our total dependency tree is about 246 entries... that's including pgrx itself, last I checked, so the actual number of dependencies we don't personally control is smaller. But not that much smaller. We should be using some tooling like cargo vet or cargo deny to check our licensing requirements in our continuous integration workflows, and probably eventually expand that to soundness concerns (though such an expansion would be low priority, as right now we have to reinforce our own glass house). This would make it easier to handle the massive updates to our dependency tree that we like to do for releases, so that our software depends on the latest versions.

Note that because software licenses treat these cases differently, we may have very different licensing requirements for cargo-pgrx and pgrx: one of these gets linked into binaries (pgrx, the library crate), the other is just a build tool (cargo-pgrx). Although pgrx-pg-sys using pgrx-pg-config in its build.rs may make it look like pgrx-pg-config is in pgrx's directly-linked dependency tree, this is not the case, it is in [build-dependencies] only. This is relevant because we recently had the very silly "oh no, an upstream maintainer is deviously trying to make software developers ship a download link to source code published on crates.io!" scare due to dirs. Making the license for pgrx itself clearer would be another benefit from

Any dependents on pgrx may wish to mention what policies they would like to see checked in this issue.

cc @johnrballard re: helping answer this for TCDI.
@workingjubilee workingjubilee added ci Work related to continuous integration dependencies legal licensing, etc. labels Jan 29, 2024
This was referenced Jan 30, 2024
Merged
Merged
workingjubilee added a commit that referenced this issue Jan 31, 2024
@workingjubilee
Add license check (#1504)
9eb5c18 
This uses an allow list, mostly-duplicates the deny.toml, and runs a
simple shell script instead of using the action, so that the pgrx
library can have an independently tracked set of licenses. This is done
because the dependencies of that are liable to be actually linked into
extensions as dynamic libraries.

In order to let the deny.toml have accurate reporting, the example
extension crates are marked as being unpublished. I also tweaked the
version on them because I didn't care about the version field in my
regex-replace.

Closes #1502
@workingjubilee workingjubilee added deps About dependency management and removed dependencies labels Feb 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ci Work related to continuous integration deps About dependency management legal licensing, etc.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add license check workingjubilee/pgrx
1 participant
@workingjubilee