Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

License checker process/script #1104

Closed
UlisesGascon opened this issue Sep 14, 2023 · 6 comments
Closed

License checker process/script #1104

UlisesGascon opened this issue Sep 14, 2023 · 6 comments

Comments

@UlisesGascon
Copy link
Member

Recently, we had some concerns regarding licenses for the Node.js sub-dependencies, and there was a suggestion on nodejs/node#49625 to include a script that validates the licenses for the Node.js dependencies.

As an initial kick-off, we had this comment on nodejs/node#49625 (comment).

This will require a good discussion within the team, but overall potential objectives (from #1100) are:

  • Include a script/GH Action that consolidates the project dependencies and stores them.
  • Trigger an alert (issue/PR) if there are changes in the licenses (sub-dependency added/removed, relicensed).
  • Create documentation on how to review these changes and what the criteria are to accept/reject them.
@fasenderos
Copy link

I would like to take this one.
Just to make sure I understand it correctly, when you say consolidates the project dependencies and stores them, you mean to save all the licenses in a separate file and checking against that file, or check the package LICENSE with the one already stored in repo?

@fraxken
Copy link
Member

fraxken commented Sep 28, 2023

I'm interested in joining because that's something I'm working on for NodeSecure.

I spent quite few hours on license detection (and others) for NodeSecure/scanner. Most solution in the ecosystem doesn't detect much licenses compared what available in SPDX :\

@RafaelGSS
Copy link
Member

@richardlau
Copy link
Member

Reference: https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml

This merely rebuilds the main Node.js license based on what was manually added to tools/license-builder.sh -- i.e. it checks for consistency. It doesn't check the type of license or any sub-dependencies. For nodejs/node#49625 npm's main license was unchanged but the license of one of its dependencies changed.

@pombredanne
Copy link

@fraxken you wrote: #1104 (comment)

I'm interested in joining because that's something I'm working on for NodeSecure.

I spent quite few hours on license detection (and others) for NodeSecure/scanner. Most solution in the ecosystem doesn't detect much licenses compared what available in SPDX :\

If you want to give the node and its deps and embedded code a good license scrub, you may want to check out scancode-toolkit (or scancode.io) which is considered the leading FOSS tool in space. If there is any license or copyright not detected correctly, this is a bug. And we fix bugs. Also does SBOMs.

Copy link
Contributor

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

@github-actions github-actions bot added the stale label Mar 21, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants
@pombredanne @fasenderos @fraxken @UlisesGascon @richardlau @RafaelGSS @marco-ippolito and others