
Provide a way to get dependency licenses #150

Closed
i-am-the-slime opened this issue Mar 17, 2019 · 8 comments · Fixed by #201
Comments

@i-am-the-slime
Contributor

This is something we need in order to comply with GDPR if we want to switch to Spago.

@f-f
Member

f-f commented Mar 17, 2019

@i-am-the-slime how should this work?

I.e. would something like cat $(find .spago -iname 'LICENSE') be enough?

@i-am-the-slime
Contributor Author

I think something along those lines could work. Sounds like it could be a separate tool then. It would be nice to not include transitive dependencies if possible. That would involve parsing some spago or packages files for filtering, I guess.

@f-f
Member

f-f commented Mar 21, 2019

@i-am-the-slime you can get various lists of packages, versions, etc with the list-packages command.

It has a --filter flag, so in this case we can do spago list-dependencies --filter direct to get only the direct dependencies.

Building on the bash example above we get:

#!/bin/bash

# Note: the `awk` part is to cut out only the package name
for dep in $(spago list-packages -f direct | awk '{print $1}')
do
  # -exec cat {} + runs cat only on the files find matched; a bare
  # `cat $(find ...)` would wait on stdin when no LICENSE file exists
  find ".spago/${dep}" -iname 'LICENSE' -type f -exec cat {} +
done

I'd like to avoid baking this kind of functionality into Spago, as:

  1. it's achievable with some lines of bash vs more lines into Spago
  2. the desired output might not be the same for different use cases, so this way of doing it provides maximum flexibility (as you can tweak formatting, etc. as desired)


@i-am-the-slime
Contributor Author

This is very nice, thank you very much.

@f-f
Member

f-f commented Mar 24, 2019

@i-am-the-slime you're welcome! 🙂

I think this is a useful bit of information worth adding to the FAQ, so I'll add the "docs" label and keep this open.

@wires

wires commented Apr 17, 2019

Many package managers (cargo, elba, npm) allow you to specify the license in the package manifest, usually by specifying a license field which has some SPDX identifier as value.

Maybe it is a good idea to follow this approach?

@f-f
Member

f-f commented Apr 17, 2019

@wires in this case we're talking about getting license information from dependencies, which at the time of writing are going to be 100% bower projects. So this means adapting the above bash snippet to call jq to extract the license field from the bower config instead of printing the license file.

I'm open to adding a license field to our config, but I'd say we should discuss it in another issue.
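
A fuller version of the two approaches discussed in this thread (the loop over `spago list-packages -f direct` from the Mar 21 comment, and reading the `license` field out of each dependency's bower.json with jq from the comment above), as an added example rather than code from the spago project or from anyone in the thread. It assumes the layout the thread describes: `spago list-packages -f direct` prints one package per line with the name first, and each dependency is checked out under `.spago/<name>/<version>/`. The `demo_spago_dir` fixture and the `pkg-a`/`pkg-b`/`pkg-c` packages in it are constructed sample data. The summary marks a missing LICENSE file or license field with `-` instead of letting it disappear, and each license text is printed under a header naming its package so the concatenated output stays attributable.

```shell
#!/usr/bin/env bash
# Added example, not code from spago or from the thread's authors.
# Assumed layout (hypothetical, not checked against spago):
#   - `spago list-packages -f direct` prints one package per line, name first
#   - each dependency is checked out under <spago-dir>/<name>/<version>/
set -u

# Print the "license" field of one bower.json. Uses jq when installed,
# otherwise a sed match for the common single-string form: "license": "MIT".
# Prints nothing when the file or the field is absent.
bower_license() {
  local manifest=$1
  [ -f "$manifest" ] || return 0
  if command -v jq >/dev/null 2>&1; then
    jq -r '.license // empty | if type == "array" then join(", ") else . end' "$manifest"
  else
    sed -n 's/.*"license"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest"
  fi
}

# One tab-separated line per dependency: name, license field, LICENSE path.
# "-" marks a missing value and NOT-INSTALLED a dependency that is not
# checked out, so gaps are visible instead of silently skipped.
license_summary() {
  local spago_dir=$1; shift
  local dep manifest field file
  for dep in "$@"; do
    if [ ! -d "${spago_dir}/${dep}" ]; then
      printf '%s\t%s\t%s\n' "$dep" "NOT-INSTALLED" "-"
      continue
    fi
    manifest=$(find "${spago_dir}/${dep}" -name bower.json -type f | head -n 1)
    field=$(bower_license "$manifest")
    file=$(find "${spago_dir}/${dep}" -iname 'LICENSE*' -type f | head -n 1)
    printf '%s\t%s\t%s\n' "$dep" "${field:--}" "${file:--}"
  done
}

# Print each dependency's LICENSE file(s) under a header naming the package.
license_texts() {
  local spago_dir=$1; shift
  local dep
  for dep in "$@"; do
    printf '== %s ==\n' "$dep"
    # -exec cat {} + runs cat only on matches; `cat $(find ...)` would block
    # on stdin when find returns nothing
    find "${spago_dir}/${dep}" -iname 'LICENSE*' -type f -exec cat {} + 2>/dev/null
  done
}

# Constructed sample tree standing in for a real .spago checkout (test data
# only; names, versions and license strings are made up). Prints its path.
demo_spago_dir() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/pkg-a/v1.0.0" "$root/pkg-b/v2.3.0" "$root/pkg-c/v0.1.0"
  printf '{\n  "name": "purescript-pkg-a",\n  "license": "BSD-3-Clause"\n}\n' > "$root/pkg-a/v1.0.0/bower.json"
  printf 'BSD 3-Clause license text (constructed)\n' > "$root/pkg-a/v1.0.0/LICENSE"
  printf '{\n  "name": "purescript-pkg-b",\n  "license": "MIT"\n}\n' > "$root/pkg-b/v2.3.0/bower.json"
  printf 'MIT license text (constructed)\n' > "$root/pkg-b/v2.3.0/LICENSE"
  # pkg-c has neither a license field nor a LICENSE file
  printf '{\n  "name": "purescript-pkg-c"\n}\n' > "$root/pkg-c/v0.1.0/bower.json"
  echo "$root"
}

# Run inside a spago project: ./dep-licenses.sh --run [spago-dir]
case "${1:-}" in
  --run)
    dir=${2:-.spago}
    # the command from the thread; awk keeps only the package-name column
    deps=$(spago list-packages -f direct | awk '{print $1}')
    # shellcheck disable=SC2086  # deps is a whitespace-separated list of names
    license_summary "$dir" $deps
    license_texts "$dir" $deps
    ;;
esac
```

Without `--run` the script only defines the functions, so it can be sourced and tried against the constructed tree: `root=$(demo_spago_dir); license_summary "$root" pkg-a pkg-b pkg-c pkg-missing`.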

4 participants