shards icon indicating copy to clipboard operation
shards copied to clipboard

Published 20 hours ago verified publisher icon crystal-lang

[RFC] shards licenses

Open didactic-drunk opened this issue 2 years ago • 6 comments

Proposal: A new shards command to see all licenses in use.

shards licenses

Output:

foo MIT
gmp GPL2+
  dynamic link -lgmp GPL2
baz GPL2,GPL3
  static link -lbaz MIT,Apache,Other

A software package may have multiple licenses.

A more structured yaml option may be preferred with either a path to the file or the license itself.

Also see https://github.com/crystal-lang/crystal/issues/11488

didactic-drunk avatar Mar 10 '22 06:03 didactic-drunk

Sounds good! We can easily assemble the license properties of all dependencies' shards.yml.

The link information however would be difficult to obtain. And it probably doesn't make much sense for a source distribution format. The reason is that the Crystal code only contains lib bindings, not the libraries themselves. Which binary libraries are linked in the end and what licenses they have is not conclusively determined by the bindings. It depends on link time configuration. For example, the bindings may target libfoo but there's also a compatible libfu and you can link either one of them.

straight-shoota avatar Mar 10 '22 12:03 straight-shoota

The link information however would be difficult to obtain. And it probably doesn't make much sense for a source distribution format. The reason is that the Crystal code only contains lib bindings, not the libraries themselves. Which binary libraries are linked in the end and what licenses they have is not conclusively determined by the bindings. It depends on link time configuration. For example, the bindings may target libfoo but there's also a compatible libfu and you can link either one of them.

Then I guess link targets could still be supplied? The file linked is probably more useful than -lfoo as some shards build with non-distro packages (I have 3 shards that download the latest software rather than use the package manager).

It's too bad pkg-config doesn't have this information.

There are a few distro specific shell one liners to get the copyright of a package. Maybe their inclusion isn't too cumbersome?

didactic-drunk avatar Mar 11 '22 06:03 didactic-drunk

Yeah, maybe we could collect all the @[Link] annotations from the source tree. That needs an understanding of Crystal syntax, so it would rather be a feature of the compiler, not shards. Not sure how reliable it would be, though. Which bindings end up being used depends on the target system and compile time configuration. You can either go by actually used code, but that's only valid for the current system and configuration. Or you can collect everything in any potentially reachable code, but that would likely include bindings that wouldn't ever be used (think about the bindings in stdlib, like libgmp, libxml, libyaml). It's a recall vs precision problem with no clear solution.

straight-shoota avatar Mar 11 '22 10:03 straight-shoota

@[Link] may run shell commands. Should the compiler spit out a list of resolved '@[Link]`'s? Is there a simpler way to get this information?

didactic-drunk avatar Mar 11 '22 17:03 didactic-drunk

If you pass -v to crystal it will spit out the final linker command

asterite avatar Mar 11 '22 17:03 asterite

It's --verbose, the short arg doesn't work. But --cross-compile is also more useful for this because all Crystal's object files are already merged, while --verbose prints tons of individual modules.

straight-shoota avatar Mar 11 '22 17:03 straight-shoota