-
Notifications
You must be signed in to change notification settings - Fork 841
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check for licensing issues in dependency tree #577
Comments
This sounds like something best done as a separate tool / plugin, perhaps? Since the space of possible policies to implement here is rather large. |
I think the bare-bones version could be implemented rather easily. Since |
Take a look at this package for a possible solution: https://hackage.haskell.org/package/cabal-dependency-licenses |
|
|
I'm confused what the problem with LGPL is since #399 seems to have been closed without anything done? That is, depending on a LGPL program does not mean that you need to (L)GPL your program too. You're free to choose any license for your program (that's the whole point of LGPL). |
You do need to provide a way for users to use a different version of the LGPL library. That can be done by dynamic linking or by distributing object code that users can link into an executable. |
See also #1049 for more about the requirements of the LGPL and the problem with lack of dynamic linking on Windows. |
Since #2576 Stack can print dependency licenses. It is not hard to then write a simple script that validates those against a whitelist of allowed licenses or packages:
Would this satisfy your needs? |
That's very cool. I think for this to be truly "helpful" it would need to be a check done by default (i.e. without opt-in). I think the vast majority of uses cases will involve someone accidentally including a package that is not licensed the way they expect. Because of that, you really want to warn them of the issue without asking. But maybe people disagree with me? |
Something automated would be cool, @3noch. How about in your
I'd only want to have the check done by |
@mgsloan That would be awesome, I think. |
Once a user is aware that there could potentially be licensing issues, I think the current situation is sufficient. You can make the whitelist check part of CI to avoid accidentally depending on an incompatible library. However, I think that many users are not aware of potential issues, or they simply haven’t thought about them. For that case a default-on check would be helpful indeed, but that would also mean that Stack has to know about license compatibility, which I’m not sure it should. |
I wouldn't mind if |
I wanted to have a sorted overview of the licenses, similar to what
( Implementing grouping and counting for an overview (just like |
I don't believe this functionality should go into Stack itself, there are too many variations that could be desired. As mentioned above, Stack provides the ability to dump relevant output to automate this externally. |
Having to deal with LGPL problems in
integer-gmp
manifested a possible enhancement forstack
that would show users if their project might have licensing problems. At the simplest level,stack
could merely warn the user if any project dependencies are not aBSD
variant,MIT
, orPublic Domain
.More advanced versions of this feature could actually try to detect licensing problems for some given target license. For example, if building a project targeting LPGL,
stack
would considerLPGL
dependencies as a non-issue. But if the same project were stated to be a commercial product,stack
would issue a warning.The text was updated successfully, but these errors were encountered: