My comments are inline.
On 12/04/2021 14:47, Juergen Landwehr wrote:
Hi Robert,... if everybody does what they are supposed to - which is not the case.
Dependencies and their version is stored in "go.mod". To ensure reproducable builds, hashes for each dependency and version are stored in "go.sum". Both files are in git and together with a local golang proxy, this should ensure reproducable builds, right?This does not sound too bad. This would also mean, that if the outside repo dies you can still build and that you know what's on your proxy.
To ensure that licences are valid and did not change over time, we developed a little tool, that goes through all dependencies and creates the following output, which we insert into our recipe:Here you
1) Totally lost which License comes from which module and I hope 2 times MIT is just a typo.
Of course if you are really serious about licensing you should use a tool like fossology, upload all your sources there and inspect them.
You will be surprised.
There are a couple of tools out there which scan your sources and some which claim to do stuff with golang as well.
2) Do you check if the licenses are compatible?
MIT and Apache are compatible:
"Both the Apache License and the MIT license are permissive, so incorporating MIT licensed code into your Apache licensed project is certainly allowed. Just be sure to attribute the original author for the parts your incorporated and include a copy of the MIT License terms, as required by the license."
Apache and BSD should also be OK:
"In both of them you must:
But in Apache, unlike BSD you must:
LIC_FILES_CHKSUM = " \really all?
You search through every single file of a go module and it's dependencies? Or just the license text, if there is one?
It might pollute the recipe a bit, but luckily we do not have thousands of dependencies like some npm projects. So I think it is still manageable. And is it much less work, than defining a recipe for each dependency.Regards,