mirror of
https://github.com/digital-asset/daml.git
synced 2024-11-10 10:46:11 +03:00
# Open Source Software Compliance

## Overview

The package contains tools & processes to:

* generate our open source Bill Of Materials
* validate the open source licenses are in line with the permitted ones
* [todo] validate the open source libraries are part of a

The tools ingest license information generated by language-specific tools (e.g. *mvn* & *scala*) to produce a consistent report covering all the open source libraries used.

Details about the language-specific tools used as inputs:

### JDK

To retrieve JDK dependencies we are using the [license maven plugin](http://www.mojohaus.org/license-maven-plugin/):

`mvn license:aggregate-download-licenses`

This generates an XML file containing all the relevant licenses extracted from the Maven POMs.

### Haskell

The Haskell licensing checks are now done in [../../da-docs-daml-user-guide/licenses/extract.py](compiler/daml-licenses/licenses/extract.py)

## OSS Compliance in Action

The logical steps are the following:

* generate a list of dependencies for both Haskell and Java (and JavaScript in the future)
* for each single dependency, check:
  * the license is whitelisted as per [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)
  * the package is whitelisted as per [PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv)
* any dependency whose license or package is not whitelisted is then considered **non compliant**

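
The pipeline described above (ingest the Maven license report from the JDK section, then check every dependency against the two whitelists), as an added example that is not part of the daml repository or of `check_oss_license.sh`. It assumes the XML layout of the license-maven-plugin aggregate report (`licenseSummary` / `dependencies` / `dependency` / `licenses` / `license` / `name`), assumes `LICENSES_WHITE_LIST.csv` has `group,license` columns and `PACKAGES_WHITE_LIST.csv` a single `package` column (the real files' layout is not shown on this page), and assumes the pass rule "package whitelisted, or at least one declared license whitelisted". All inputs are constructed inline so it runs offline.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample report in the assumed license-maven-plugin layout.
LICENSES_XML = """<licenseSummary>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.12.0</version>
      <licenses><license><name>Apache License, Version 2.0</name></license></licenses>
    </dependency>
    <dependency>
      <groupId>com.example.internal</groupId><artifactId>our-tool</artifactId><version>1.0.0</version>
      <licenses/>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>copyleft-lib</artifactId><version>2.0</version>
      <licenses><license><name>GNU General Public License v3.0</name></license></licenses>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>dual-lib</artifactId><version>1.1</version>
      <licenses>
        <license><name>GNU General Public License v3.0</name></license>
        <license><name>Eclipse Public License - v 2.0</name></license>
      </licenses>
    </dependency>
  </dependencies>
</licenseSummary>
"""

# Constructed whitelists; the column layout is an assumption, not the project's real CSVs.
LICENSES_CSV = """group,license
Apache,"Apache License, Version 2.0"
Apache,"The Apache Software License, Version 2.0"
EPL,"Eclipse Public License - v 2.0"
EPL,"Eclipse Public License 2.0"
"""
PACKAGES_CSV = """package
com.example.internal:our-tool
"""


def normalize(name):
    """Collapse case and whitespace so spelling variants of one license compare equal."""
    return " ".join(name.casefold().split())


def parse_license_report(xml_text):
    """Return [(package, [license names])] from the aggregate report."""
    root = ET.fromstring(xml_text)
    deps = []
    for dep in root.iter("dependency"):
        pkg = f"{dep.findtext('groupId', '')}:{dep.findtext('artifactId', '')}"
        names = [lic.findtext("name", "").strip() for lic in dep.iter("license")]
        deps.append((pkg, [n for n in names if n]))
    return deps


def load_license_whitelist(csv_text):
    return {normalize(row["license"]) for row in csv.DictReader(io.StringIO(csv_text))}


def load_package_whitelist(csv_text):
    return {row["package"].strip() for row in csv.DictReader(io.StringIO(csv_text))}


def check_compliance(deps, allowed_licenses, allowed_packages):
    """Split dependencies into (compliant, non_compliant); entries are (package, licenses, reason).
    Assumed rule: a whitelisted package passes regardless of license (internal code);
    otherwise at least one declared license must be whitelisted."""
    compliant, non_compliant = [], []
    for pkg, licenses in deps:
        if pkg in allowed_packages:
            compliant.append((pkg, licenses, "package whitelisted"))
        elif any(normalize(lic) in allowed_licenses for lic in licenses):
            compliant.append((pkg, licenses, "license whitelisted"))
        elif not licenses:
            non_compliant.append((pkg, licenses, "no license declared"))
        else:
            non_compliant.append((pkg, licenses, "license not whitelisted"))
    return compliant, non_compliant


def run_check(xml_text=LICENSES_XML, licenses_csv=LICENSES_CSV, packages_csv=PACKAGES_CSV):
    deps = parse_license_report(xml_text)
    return check_compliance(deps, load_license_whitelist(licenses_csv),
                            load_package_whitelist(packages_csv))


if __name__ == "__main__":
    ok, bad = run_check()
    for pkg, lics, reason in bad:
        print(f"NON COMPLIANT {pkg}: {reason} ({', '.join(lics) or 'none'})")
    print(f"{len(ok)} compliant, {len(bad)} non compliant")
    raise SystemExit(1 if bad else 0)
```

The `normalize` step is what makes the *license group* idea from the Licenses section workable in practice: Maven POMs spell the same license many ways, so the comparison is done on a case- and whitespace-folded form while the CSV still lists each accepted spelling explicitly. A dependency with no declared license is reported separately from one with a rejected license, since the remediation differs (fix the metadata versus escalate the license).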
### Licenses

We use a *white list* approach: explicitly defining which licenses are allowed.

The white listed licenses are defined in [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv).

As you can see, the file is grouped by *license group* (e.g. EPL, *Eclipse Public License*).

The *license group* is a logical construct and is only used to group similar licenses in the CSV file.

Especially in the Maven world, there are many variants of how an underlying open source license is declared, so it makes sense to group them together.

### Packages

[PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv) is a way to filter packages created internally.

### What if the check fails?

#### Failure due to a non white-listed dependency

Please coordinate with the SPG group to ensure the offending license is reviewed with the CTO / General Counsel.

It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.

TODO: provide a link to a list of approved licenses

### How to invoke the compliance check

To run the OSS compliance check, invoke:

`make oss-compliance`

This will then trigger the following:

[check_oss_license.sh](check_oss_license.sh)