daml/oss-compliance/README.md

73 lines
2.6 KiB
Markdown

# Open Source Software Compliance
## Overview
The package contains tools & processes to:
* generate our open source Bill Of Materials
* validate the open source licenses are in line with the permitted ones
* [todo] validate the open source libraries are part of a
The tools ingest license information generated by language specific tools (e.g. *mvn* & *scala*) to produce a consistent report covering on all the open source libraries used.
Details about language specifics tools used as inputs:
### JDK
To retrieve JDK dependencies we are using the [license maven plugin](http://www.mojohaus.org/license-maven-plugin/):
`mvn license:aggregate-download-licenses`
generating an xml file containing all the relevant licenses extracted from the maven poms.
### Haskell
The Haskell licensing checks are now done in [../../da-docs-daml-user-guide/licenses/extract.py](compiler/daml-licenses/licenses/extract.py)
## OSS Compliance in Action
The logical steps are the following:
* generate a list of dependencies for both haskell and java (and javascript in the future)
* for each single dependency, check:
* the license is whitelisted as per [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)
* the package is whitelisted as per [PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv)
* any dependency whose license or package is not whitelisted is then considered **non compliant**
### Licenses
We use a *white list* approach: explicitly defining which licenses are allowed.
The white listed licenses are defined in [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)
As you can see the file is grouped by *license group* (e.g. EPL, *Eclipse Public License*).
The *license group* is a logical constructor and it's only used to group similar licenses in the csv file.
Especially in the maven world, there are many variants on how a an underlying open source license is defined that makes sense to group them together.
### Packages
[PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv) is a way to filter packages created internally.
### What if the check fails?
#### Failure due to a non white-listed dependency
Please coordinate with the SPG group to ensure the offending license is reviewed with CTO / General Counselor.
It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.
TODO: provide a link to a list of approved licenses
### How to invoke the compliance check
To invoke the oss compliance check, invoke:
`make oss-compliance`
This will then trigger the following:
[check_oss_license.sh](check_oss_license.sh)