PackageManagerRFC

Dependency License Compliance Assistant

Open code-kungfu opened this issue 6 years ago • 2 comments

As the package registry starts to grow, and since part of the metadata descriptor contains the package license, wouldn't it be beneficial if the dependency management could also assist in avoiding potential license violations?

A practical example:

  • You're building a proprietary application.

  • You find an open source library that can help you greatly reduce development time.

  • Since you're a developer focused on building awesome things, you haven't investigated what said library is licensed under or the license terms.

  • It turns out the library is licensed under the GNU General Public License v2, and you're statically linking the code into your project, essentially violating the GPL license.

With DLCA built into the package manager's dependency handling, it could warn you when you're pulling in, e.g., a GPL-licensed library into a commercial project. It could also handle license incompatibilities between the common open source licenses if you're creating an open source library that depends on another open source library that has an incompatible license.

code-kungfu, Feb 15 '19 12:02
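One way the check proposed above could be wired into a package manager's dependency resolution, as an added example that is not part of the original issue or of any package manager's code. It assumes each package descriptor carries an SPDX license identifier (the `REGISTRY` dict stands in for that metadata and is constructed for illustration), walks the transitive dependency graph, and reports copyleft dependencies for a proprietary project or pairs that the small `COMPATIBLE_WITH` table does not list for an open source project. The compatibility table is deliberately tiny and conservative; unlisted pairs are reported for manual review rather than silently accepted, and nothing here is legal advice.

```python
"""Toy dependency-license compliance check (added example, not a package manager's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed registry metadata: package name -> (SPDX license id, dependency names).
# A real package manager would read these values from each package's descriptor.
REGISTRY: Dict[str, Tuple[str, List[str]]] = {
    "fastjson":     ("MIT",           []),
    "crypto-utils": ("Apache-2.0",    ["fastjson"]),
    "pdf-render":   ("GPL-2.0-only",  ["crypto-utils"]),
    "sqlwrap":      ("LGPL-2.1-only", []),
    "mystery-lib":  ("",              []),   # descriptor with no license field at all
}

PERMISSIVE: Set[str] = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib", "Apache-2.0"}
WEAK_COPYLEFT: Set[str] = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                           "LGPL-3.0-or-later", "MPL-2.0"}
STRONG_COPYLEFT: Set[str] = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                             "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
KNOWN: Set[str] = PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT

# Dependency licenses that may be combined into a project released under the given
# outbound license. Illustrative and deliberately incomplete: a pair that is not listed
# is reported as incompatible/unknown, never silently accepted.
COMPATIBLE_WITH: Dict[str, Set[str]] = {
    "GPL-2.0-only": (PERMISSIVE - {"Apache-2.0"})          # Apache-2.0 is not GPLv2-compatible
                    | {"GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later"},
    "GPL-3.0-only": PERMISSIVE
                    | {"GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                       "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"},
    "MIT": PERMISSIVE,          # absorbing copyleft code would change the outbound license
    "Apache-2.0": PERMISSIVE,
}


@dataclass
class Finding:
    package: str
    license: str
    severity: str       # "error" or "warning"
    path: List[str]     # dependency chain from a direct dependency down to the package
    reason: str


def audit(direct_deps: List[str], project_license: Optional[str]) -> List[Finding]:
    """Walk the dependency graph and collect license findings.

    project_license=None means a proprietary (closed-source) project; otherwise it is
    the SPDX id the project itself is released under.
    """
    findings: List[Finding] = []
    seen: Set[str] = set()      # each package is reported once, via the first path found

    def visit(name: str, path: List[str]) -> None:
        if name in seen:
            return
        seen.add(name)
        license_id, deps = REGISTRY.get(name, ("", []))
        chain = path + [name]
        if license_id not in KNOWN:
            findings.append(Finding(name, license_id, "warning", chain,
                                    "license missing or not recognised; review manually"))
        elif project_license is None:
            if license_id in STRONG_COPYLEFT:
                findings.append(Finding(name, license_id, "error", chain,
                                        "strong copyleft dependency in a proprietary project"))
            elif license_id in WEAK_COPYLEFT:
                findings.append(Finding(name, license_id, "warning", chain,
                                        "weak copyleft: check linking and source-offer obligations"))
        else:
            allowed = COMPATIBLE_WITH.get(project_license)
            if allowed is None:
                findings.append(Finding(name, license_id, "warning", chain,
                                        f"no compatibility data for project license {project_license}"))
            elif license_id not in allowed:
                findings.append(Finding(name, license_id, "error", chain,
                                        f"{license_id} is incompatible with outbound license {project_license}"))
        for dep in deps:
            visit(dep, chain)

    for dep in direct_deps:
        visit(dep, [])
    return findings


if __name__ == "__main__":
    # Proprietary project pulling in the constructed packages above.
    for f in audit(["pdf-render", "sqlwrap", "mystery-lib"], None):
        print(f"{f.severity.upper():7} {' -> '.join(f.path)} [{f.license or 'none'}]: {f.reason}")
```

Run it directly to see the proprietary case: the GPL dependency is an error, the LGPL one a warning, and the package with no license field is flagged for manual review. Calling `audit(["pdf-render"], "GPL-2.0-only")` shows the open source case from the issue: the GPL library itself is fine, but its transitive Apache-2.0 dependency is reported with the full path so the developer can see where it came from.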

I like this idea, but will need a lot of thought. The number of open source license types is mind boggling, and understanding the incompatibilities is no simple thing.

vincentparrett, Feb 16 '19 00:02

@vincentparrett Of course, it is a complex topic that's not solved overnight. However I think it's important to keep in the back of our heads :)

code-kungfu, Feb 16 '19 00:02