This repository has been archived by the owner on Sep 26, 2022. It is now read-only.
Currently, our stack metadata does not include any information about the licenses associated with each stack dependency.
We should investigate if we can retrieve license information as a part of the work outlined in the BOM RFC.
If this is possible, we should file issues to add license information to the stack metadata.
I have looked into doing this a couple of times but I'm not sure there is a good solution for this.
Every package has a copyright file that's stored in /usr/share/doc/<package-name>/copyright. That copyright file will list the license (or licenses) associated with that package. However, there is no standard format for that file so it is very difficult to write any sort of automation to pull out the name of the license. (There is a tool called dpkg-licenses that tries to do exactly this, but it only works for a small subset of packages because the format is so unpredictable.)
I have searched quite a bit and I have not found any other programmable way to get the license information for each package.
Upon initial investigation using @martyspiewak's context we have discovered that there are some holes in our ability to get full license information for every OS-level package included in the stacks. Even dpkg-licenses only guarantees up to 90% of all license information, due to the lack of standardization in licenses. The tradeoff between the work involved getting that last 10% of license metadata and user need isn't currently worth it.
Given these challenges we are closing out this investigation for now. We will reopen it if we decide to go this route in the future.
cc @ForestEckhardt
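An added example, not part of the thread or of the project's code: a sketch that measures how many `/usr/share/doc/<package-name>/copyright` files can be read reliably. It trusts only files that open with the `Format:` header of Debian's machine-readable copyright format and reports every other file as unparsed instead of guessing. The function names and the sample texts are constructed for illustration.

```python
import glob
import re

# Constructed sample inputs, not taken from any real package.
STRUCTURED = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: examplepkg

Files: *
Copyright: 2020 Example Author
License: MIT

Files: debian/*
Copyright: 2021 Example Packager
License: GPL-2+ or Apache-2.0

License: MIT
 Permission is hereby granted, free of charge, to any person ...
"""
FREE_TEXT = """\
This package was debianized by Example Packager.
It may be redistributed under the terms of the GNU GPL, version 2 or later.
"""

def extract_licenses(text):
    """Return (status, sorted license short names) for one copyright file."""
    lines = [l for l in text.splitlines() if l.strip()]
    # Only files that declare the machine-readable format are trusted;
    # guessing at free text would put wrong licenses into the metadata.
    if not lines or not re.match(r"Format:\s*\S*copyright-format", lines[0]):
        return "unstructured", []
    names = set()
    for line in lines:
        m = re.match(r"License:\s*(\S.*)$", line)
        if m:  # "A or B" and "A and B" name several licenses in one field
            names.update(re.split(r",?\s+(?:and|or)\s+", m.group(1).strip()))
    return "machine-readable", sorted(names)

def coverage(files):
    """files: {package: copyright text}. Return (parsed, total, unparsed names)."""
    missed = sorted(p for p, t in files.items() if extract_licenses(t)[0] == "unstructured")
    return len(files) - len(missed), len(files), missed

if __name__ == "__main__":
    found = {}
    for path in glob.glob("/usr/share/doc/*/copyright"):
        with open(path, encoding="utf-8", errors="replace") as fh:
            found[path.split("/")[4]] = fh.read()
    parsed, total, missed = coverage(found)
    print(f"{parsed}/{total} copyright files are machine-readable")
```

Run inside a stack image, the script prints the share of packages whose license names can be extracted without heuristics; the `missed` list names the packages that would need manual review.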