
NOTICE file

Open mrinalwadhwa opened this issue 5 years ago • 14 comments

our notice file is quite out of date, we should look into tools that may help us generate it.

mrinalwadhwa avatar Nov 05 '20 23:11 mrinalwadhwa

@metaclips maybe we can integrate https://github.com/embarkstudios/cargo-about into our build to at least do this on the rust side?

etorreborre avatar Feb 22 '23 09:02 etorreborre

> @metaclips maybe we can integrate https://github.com/embarkstudios/cargo-about into our build to at least do this on the rust side?

Looks promising. Thanks.

metaclips avatar Feb 22 '23 09:02 metaclips

Hi there, I am working with some new contributors to open source (and ockam) and wondering if you would be open to us working on this issue?

mariannegoldin avatar Apr 20 '23 20:04 mariannegoldin

@mariannegoldin that would be fantastic! We're here to help with any questions.

mrinalwadhwa avatar Apr 20 '23 20:04 mrinalwadhwa

Our team is trying to choose a first issue. We noticed that this was closed and then re-opened. Can you give us more information on what was done and what still needs to be done?

deebrecke avatar Apr 20 '23 23:04 deebrecke

@deebrecke thank you for spending time on it. The closing of the issue was accidental during our triage, so nothing has been done yet.

Desired behavior

The goal is to once a week run a github actions workflow that will list the licences of all the crates Ockam depends on and if needed create a pull request to update our NOTICE file to thank and give attributions to all the projects we depend on.

Proposed Implementation

The action should run in the ockam-builder docker container which has all the tools you would need:

Here's an example of another action defined to run in the ockam-builder docker container: https://github.com/build-trust/ockam/blob/3227d2aa5d5a21971fbd11cc8cb30aa2309de4fc/.github/workflows/rust.yml#L64-L70

You can pull and use this container locally on your machine if you want, as follows (this is a big ~5GB download):

docker run --rm -it -e HOST_USER_ID=$(id -u) --volume $(pwd):/work ghcr.io/build-trust/ockam-builder:latest bash

The container has a tool called cargo deny

If you run cargo deny with the following command in the root folder of the ockam repo, it shows all the licences:

» cargo deny --all-features list --config=tools/cargo-deny/deny.toml --format json 
{
  "licenses": [
    [
      "0BSD",
      [
        "adler 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
        "stm32f4xx-hal 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)",
        "stm32h7xx-hal 0.14.0 (registry+https://github.com/rust-lang/crates.io-index)"
      ]
    ],
    [
      "Apache-2.0",
      [
        "addr2line 0.19.0 (registry+https://github.com/rust-lang/crates.io-index)",
        "adler 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
        "aead 0.4.3 (registry+https://github.com/rust-lang/crates.io-index)",
        "aes 0.7.5 (registry+https://github.com/rust-lang/crates.io-index)",
        "aes-gcm 0.9.4 (registry+https://github.com/rust-lang/crates.io-index)",
        "ahash 0.8.3 (registry+https://github.com/rust-lang/crates.io-index)",
        "aligned 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",

The action would run the above command and convert its JSON output into the following format:

Crate Name, License
adler, 0BSD
stm32f4xx-hal, 0BSD

After the above is working, we may want to add some thank you notes around the generated text but we can tackle that in a separate next step.

Please let us know if you have any questions.

mrinalwadhwa avatar Apr 21 '23 06:04 mrinalwadhwa

Thank you for the clarification on this issue. Our group has chosen a different issue as our first one. I may choose to take this on myself further down the road, but for now, if you want to open it back up (I'm not really sure how the process works), I will not be working on it for at least the next few weeks.

deebrecke avatar Apr 24 '23 22:04 deebrecke

@deebrecke thank you for telling us. Let us know if you have any questions as you look at other issues. We added a bunch of new ones yesterday that are simple improvements to command help. These would make great first issues https://github.com/build-trust/ockam/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22

mrinalwadhwa avatar Apr 24 '23 22:04 mrinalwadhwa

@mrinalwadhwa So sorry to be going back and forth on this one. After further research into what we chose as our first issue, my group has re-evaluated what we think we can get done and would like to try this one out, if you don't mind re-assigning it to me. Thank you for understanding the pendulum swings of eagerness and trepidation that we students go through when venturing down a new path.

deebrecke avatar Apr 27 '23 23:04 deebrecke

> @mrinalwadhwa So sorry to be going back and forth on this one. After further research into what we chose as our first issue, my group has re-evaluated what we think we can get done and would like to try this one out, if you don't mind re-assigning it to me. Thank you for understanding the pendulum swings of eagerness and trepidation that we students go through when venturing down a new path.

Re-assigned to you 🫡

metaclips avatar Apr 28 '23 06:04 metaclips

My team is making progress on this issue. It has been a steep learning spike for us, but we are close. Steps involved have been basically: use GitHub Action to run cargo-deny on a weekly interval, pull out the info from the JSON file and format it, run a checksum against the last run and update the notice file if any changes have been made. We are almost to the point that this works. Once this is done, a new PR will need to be signed each time to accept the changes. We want to automate the PR so that it generates whenever changes are made. While the learning spikes thus far have been beneficial and necessary, we would appreciate not re-inventing the wheel as far as auto-generating a PR. It seems likely that there are other automated processes that require periodic automated PRs and we would appreciate any assistance anyone on this project can give us to make this leg of the journey easier.

deebrecke avatar May 23 '23 22:05 deebrecke

We restrict GitHub action from creating pull requests https://github.blog/changelog/2022-05-03-github-actions-prevent-github-actions-from-creating-and-approving-pull-requests/ so we can't automate PRs. What we should do is

Create a bash script/program that'll

  • Update our NOTICE file using cargo deny
  • Add the NOTICE file with git add and commit
  • Create a pull request with GH CLI https://cli.github.com/manual/gh_pr_create

A human will then run the script to update the NOTICE file. Script can be added in a folder in the tools directory

To ensure that our notice file is always up to date, we can create a GitHub action that'll

  • Create an intermediate NOTICE file and compare with what we have in our repository
  • If NOTICE files differ, then CI should fail and also tell users to update the notice file

This lint CI should be added as a job in the all workflow

metaclips avatar May 26 '23 07:05 metaclips
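
Added example, not part of the thread or of the Ockam repository: one way to implement both the JSON to "Crate Name, License" conversion described earlier in the thread and the CI staleness check proposed in the comment above. It assumes the `licenses` array has the shape shown in the issue; the function names, the one-row-per-crate-and-license layout, and the stdin/argument wiring are hypothetical.

```python
import json
import sys

HEADER = "Crate Name, License"

# Constructed sample in the shape of the cargo deny output quoted in the issue.
SAMPLE_JSON = """
{"licenses": [
  ["0BSD", ["adler 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
            "stm32f4xx-hal 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)"]],
  ["Apache-2.0", ["adler 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
                  "aes 0.7.5 (registry+https://github.com/rust-lang/crates.io-index)"]]
]}
"""


def license_rows(deny_json):
    """Return sorted, de-duplicated (crate, license) pairs."""
    rows = set()
    for entry in json.loads(deny_json).get("licenses", []):
        if len(entry) != 2:
            raise ValueError(f"unexpected licenses entry: {entry!r}")
        license_id, crates = entry
        for crate in crates:
            # Each crate string is "name version (source)"; keep only the name,
            # so several versions of one crate collapse into a single row.
            rows.add((crate.split(" ", 1)[0], license_id))
    # Sorting keeps the output stable between runs, so a diff means a real change.
    return sorted(rows)


def render_notice(rows):
    """Render rows in the "Crate Name, License" layout from the issue."""
    return "\n".join([HEADER] + [f"{name}, {lic}" for name, lic in rows]) + "\n"


def notice_is_stale(committed, deny_json):
    """True when the committed NOTICE text differs from a fresh render."""
    def lines(text):
        return [line.rstrip() for line in text.strip().splitlines()]
    return lines(committed) != lines(render_notice(license_rows(deny_json)))


if __name__ == "__main__":
    # Assumed wiring: cargo deny JSON on stdin, path of the committed file as argv[1].
    with open(sys.argv[1], encoding="utf-8") as fh:
        if notice_is_stale(fh.read(), sys.stdin.read()):
            sys.exit("NOTICE is out of date: regenerate it and commit the result")
```
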

@deebrecke Are you still working on this? I'd love to try my hand at it if not. Please let me know.

Wryhder avatar Mar 09 '24 17:03 Wryhder

Thanks @Wryhder. There's a pending https://github.com/build-trust/ockam/pull/5126 please feel free to continue from there or start afresh, whichever is easier for you. I'll be assigning this issue to you now.

metaclips avatar Mar 09 '24 17:03 metaclips