
Check for non-permissive licenses in CI #80

Closed
5 of 6 tasks
emteknetnz opened this issue Dec 9, 2024 · 4 comments
Comments

@emteknetnz
Member

emteknetnz commented Dec 9, 2024

Non-permissive open source licenses such as GPLv2 in dependencies cause a level of confusion as to whether they require websites to make their source code available. Because of the grey area, we should ensure there are no non-permissive licences in any of our dependencies.

TinyMCE 7 switched from an MIT license to a GPLv2 license. While it would be unexpected for a dependency to change its licence in a minor release, and we do use ^ carets for our dependencies, we have less visibility over dependencies of dependencies, which could more easily go up majors with no input from our side.

Because of this we should add CI logic in sink that validates there are no non-permissive (i.e. copyleft) open source licences in the installed dependencies.

After merging create a new 1.3 branch and manually release 1.3.0

Notes

Acceptance criteria

  • A list of non-permissive allowed licenses is created
  • New CI workflow logic runs looking for non-permissive licenses
  • The broken builds card is updated to link to runs of the new workflow
  • The entire build will fail if this logic fails so that we have visibility of it in rhino
  • This logic runs for all supported versions of Silverstripe
  • All installed composer and npm dependencies are checked, i.e. the root composer.lock and every package.lock, e.g. admin, asset-admin, etc.

PRs

@GuySartorelli
Member

Note that some packages may come with multiple licenses, e.g.
https://github.com/nette/schema/blob/2073a5a4156aa8f2849f2e81e2b743f338ed3f45/composer.json#L6

In those cases so long as an appropriately permissive license is available, the CI job should not fail.
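Added example (not the project's or sink's own CI code) showing one way to implement the gate described in the acceptance criteria above together with the multi-license caveat in this comment: an allowlist of permissive SPDX identifiers, a check over the root composer.lock and one package-lock.json, and a rule that a package passes as long as at least one of the licenses it offers is permissive. The lock contents, package names and the contents of the PERMISSIVE set are constructed for the demonstration; the SPDX expression handling is a deliberate simplification that fails closed on nested parentheses rather than a full parser.

```python
"""License gate over composer.lock and package-lock.json (added example).

Assumptions: Composer lock entries carry "license" as a list, where several
entries mean the consumer may choose any one of them; npm lockfile v2/v3
entries carry "license" as a string that may be an SPDX expression such as
"(MIT OR GPL-3.0-only)". Anything missing or unrecognised fails the gate.
"""
import json
import re

# Allowlist of permissive licenses (constructed for the example; extend deliberately).
# Copyleft licenses are simply absent, so they fail by default.
PERMISSIVE = {
    "MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC",
    "0BSD", "Unlicense", "CC0-1.0", "Zlib",
}


def acceptable(license_expr):
    """True when at least one OR-alternative consists only of permissive licenses.

    Handles "A OR B", "A AND B", "A WITH exception" and one level of
    parentheses. Nested parentheses are not parsed and fail closed so a human
    reviews them instead of the gate guessing.
    """
    if not license_expr:
        return False  # unknown license: fail closed
    if license_expr.count("(") > 1:
        return False  # nested expression: needs manual review
    text = license_expr.replace("(", " ").replace(")", " ").strip()
    for alternative in re.split(r"\s+OR\s+", text, flags=re.I):
        parts = [p.strip() for p in re.split(r"\s+AND\s+", alternative, flags=re.I)]
        # A "WITH" exception does not change the base license's permissiveness here.
        if parts and all(p.split(" WITH ")[0] in PERMISSIVE for p in parts):
            return True
    return False


def check_composer_lock(lock):
    """Return [(package, license expression)] for every package that fails the gate."""
    violations = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            lic = pkg.get("license", [])
            # Composer's list form means "pick any", i.e. a disjunction.
            expr = " OR ".join(lic) if isinstance(lic, list) else str(lic)
            if not acceptable(expr):
                violations.append((pkg["name"], expr or "<missing>"))
    return violations


def check_npm_lock(lock):
    """Return [(package, license expression)] for every node_modules entry that fails."""
    violations = []
    for path, pkg in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = pkg.get("name") or path.rsplit("node_modules/", 1)[-1]
        expr = pkg.get("license", "")
        if isinstance(expr, dict):  # legacy {"type": "..."} form
            expr = expr.get("type", "")
        if not acceptable(expr):
            violations.append((name, expr or "<missing>"))
    return violations


def run_gate(composer_lock, npm_locks):
    """Combine results; a non-empty dict means the build should fail."""
    results = {}
    composer = check_composer_lock(composer_lock)
    if composer:
        results["composer.lock"] = composer
    for label, lock in npm_locks.items():
        npm = check_npm_lock(lock)
        if npm:
            results[label] = npm
    return results


# Constructed sample lock contents (not real packages).
COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "vendor/permissive", "license": ["MIT"]},
    {"name": "vendor/multi-licensed", "license": ["BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-only"]},
    {"name": "vendor/copyleft-only", "license": ["GPL-2.0-or-later"]},
    {"name": "vendor/unlicensed"}
  ],
  "packages-dev": []
}""")
ADMIN_PACKAGE_LOCK = json.loads("""{
  "name": "admin", "lockfileVersion": 3,
  "packages": {
    "": {"name": "admin", "license": "BSD-3-Clause"},
    "node_modules/plain": {"license": "MIT"},
    "node_modules/dual": {"license": "(MIT OR GPL-3.0-only)"},
    "node_modules/viral": {"license": "AGPL-3.0-only"},
    "node_modules/legacy": {"license": {"type": "ISC"}}
  }
}""")

if __name__ == "__main__":
    failures = run_gate(COMPOSER_LOCK, {"admin/package-lock.json": ADMIN_PACKAGE_LOCK})
    for lockfile, items in failures.items():
        for name, expr in items:
            print(f"{lockfile}: {name} -> {expr}")
    raise SystemExit(1 if failures else 0)
```

Exiting non-zero whenever a violation is found is what makes the whole build fail rather than just the step, which is the visibility the acceptance criteria ask for. A multi-licensed package such as the one linked above passes because one of its alternatives is on the allowlist, while a package with no license metadata at all fails closed and has to be reviewed by a person.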

@GuySartorelli
Member

Can we please not drag things out of refinement that haven't been refined?

@emteknetnz
Member Author

My bad, sorry

@GuySartorelli
Member

PRs merged
