
Exclude dev/test gems with GPL license to simplify license compliance

Open rkoster opened this issue 1 year ago • 6 comments

While looking at BlackDuck scan results I noticed that there are a few dev/test gems that bring (strong) copy left licenses. Since these gems are not a runtime dependency, let's try and exclude these from our final releases.

rkoster avatar May 28 '24 10:05 rkoster

@rkoster have you built/deployed/tested with this configuration, or are you depending on the pipeline to fail after this is merged? It seems like a fine change.

selzoc avatar May 29 '24 16:05 selzoc

@selzoc shouldn't we -at minimum- correct the comment introduced by the modification?

klakin-pivotal avatar May 29 '24 17:05 klakin-pivotal

@selzoc shouldn't we -at minimum- correct the comment introduced by the modification?

You mean coderay having an MIT license? Yes, agreed.

selzoc avatar May 29 '24 17:05 selzoc

I have not tested this change myself and was hoping to rely on the pipeline for that. I did create a release with these changes and verified that it resolved some of the license compliance issues Black Duck found, and it did.

rkoster avatar May 29 '24 17:05 rkoster

I'm also thinking about maybe excluding all gems from test groups. What do y'all think?

rkoster avatar May 29 '24 17:05 rkoster

I'm worried about the fragility of hand-coded exclusions. Probably fine for the time being, but perhaps there is a bundle flag to exclude non-production gems from vendor/cache/ altogether?

aramprice avatar May 29 '24 18:05 aramprice