Suggestion: Put licenses for dependencies in deps

suggestions
#1

I would like to suggest the addition of a license directory in deps, where we could have a copy of the dependencies license files. I think that is important to make it clear to the user which licenses they are dealing with.

#2

That sounds like you are asking for FOSSA support for Julia.

#3

It’s a little unclear what exactly you’re asking for but JuliaTeam has some support for analyzing the licenses of the packages used in a given manifest and will have more support for that kind of thing in the future.

2 Likes
#4

Sorry for not making it clear. What I was thinking is related to have a standard of adding the licenses for dependencies on Pkg.jl/deps/licenses or something similar/better.

I’ve seen some packages with this behavior, for example imagine PkgX.jl has MIT license, but it downloads libpkgx (on most cases already compiled) which has a license different than MIT. You will find the license only by searching this library. But adding the license to deps would make it easier to find the information needed.

I understand that it may no be a good idea to add it to the source code, but it could be useful to have this after the building process.

#5

Interesting tool. Thanks for sharing it.

#6

I don’t think that it makes much sense to put the licenses in the source directory of a project. After all, we don’t put the source code of dependencies in the there, why would we put their licenses in there? It does, however, make a lot of sense to make license info easily accessible programmatically and provide tooling support for license analysis for an entire application.

3 Likes
#7

@StefanKarpinski I think there’s one distinction, which is that many (if not all) licenses explicitly require that copies be included in any derivative works. Along with the actual copyright statement.

In practice, this isn’t something which really happens, but having some sort of automated tool for it would be nice…

Edit: That said, maybe links would be a better approach, like in Julia’s own LICENSE file.

#8

You don’t have to include the license unless you’re shipping the code, in which case you’re already shipping the license file…

#9

Oh. I’d figured creating a git release/registry PR counted as shipping in this case. But am not a lawyer or expert, so will defer to you on that.

#10

You are not shipping or publishing your dependencies then, only your own code.

3 Likes
#11

I think this is a related issue (https://github.com/JuliaPackaging/BinaryBuilder.jl/issues/309) but no comments.

1 Like
#12

I understand that when shipping code the license is really required and not necessary on Julia packages’ case. But for example, on linux if you check /usr/share/doc you will be able to see documentation, including licenses, for software installed with the package manager. With the package manager you get the compiled software, not the source code.

Now, an specific case. IANAL but if you are using a library with GPL, it means the package needs to be compatible with GPL. In this situation having the licensing information is kind of important.

Adding license files was only a suggestion based on what I mentioned about Linux before, but may not be practicable. Having the information easily accessible would be really interesting.

#13

Julia packages are installed as source including any license file that is in the package repo.

1 Like