
Maintain list of project dependencies and their respective licenses #345

Closed
McCodeman opened this issue Jan 28, 2020 · 1 comment · Fixed by #1107
Assignees
Labels
area/build-release Issues or PRs related to building and releasing area/dependency Issues or PRs related to dependency changes. area/licensing Issues or PRs related to Antrea licensing. enhancement New feature or request kind/documentation Categorizes issue or PR as related to a documentation. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@McCodeman (Contributor)

Describe the problem/challenge you have
A list of open source projects and their respective licenses should be maintained to enable us to quickly respond to requests for this information.

Describe the solution you'd like
If feasible, we should investigate if this list can be fully or partially generated by using the module dependency file go.mod as a source of dependencies. As all dependencies may not be golang based, we may need to augment any generated list with a static list of known dependencies and licenses. In the worst case scenario, we will have to maintain this list manually and periodically update it to reflect the dependencies used within the project (per release would be reasonable).

Anything else you would like to add?
Many users and companies using this project may require a transparent list of project dependencies and their respective licenses in order to satisfy open source use compliance policies within their organizations.

@McCodeman McCodeman added the enhancement New feature or request label Jan 28, 2020
@McCodeman McCodeman added area/dependency Issues or PRs related to dependency changes. area/licensing Issues or PRs related to Antrea licensing. kind/documentation Categorizes issue or PR as related to a documentation. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Feb 12, 2020
@McCodeman McCodeman self-assigned this Feb 12, 2020
@McCodeman McCodeman added the area/build-release Issues or PRs related to building and releasing label Feb 12, 2020
@github-actions (bot)

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment, or this will be closed in 180 days

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 11, 2020
@antoninbas antoninbas self-assigned this Aug 18, 2020
@antoninbas antoninbas removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 18, 2020
antoninbas added a commit to antoninbas/antrea that referenced this issue Aug 19, 2020
We add a script and a corresponding CI job to analyze the Antrea
binaries and extract their Go dependencies. I could not find any good
tool for source-based dependency analysis
(https://github.com/google/go-licenses seems to have many issues, and
fails for quite a lot of dependencies, without any possibility of manual
override). Analyzing binaries also means that we can avoid some false
positives for transitive dependencies that end up not actually being
used by Antrea.

The CI job will help us automatically detect licensing issues (e.g. non
business-friendly license, such as GPL/LGPL) with new dependencies
before we merge a patch. With the CI integration, we can also publish a
list of the Go dependencies for the Antrea binaries with each release.

TODO: for releases, upload full dependency list to Antrea S3 account.

Fixes antrea-io#345
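The issue proposes deriving the dependency list from go.mod and augmenting it with a static table of known licenses, while the commit above takes the list from the built binaries instead, so that modules which only appear transitively in go.mod but are never linked in do not show up. The following Go program is an added example, not Antrea's script or CI job: it parses both sources (a go.mod `require` block and the `dep` records printed by `go version -m <binary>`), joins them with a hand-maintained license table, and reports every module whose license is unknown or not on an allow-list (GPL/LGPL are deliberately left off it). All module paths, versions, hashes and licenses in the sample inputs are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Module is a Go module path together with the version it resolved to.
type Module struct {
	Path    string
	Version string
}

// Finding is one module that needs a human decision: its license is either
// unknown (not in the static table) or not on the allow-list.
type Finding struct {
	Module  Module
	License string // "" when the static table has no entry
}

// ParseGoMod extracts requirements from go.mod text. It handles both the
// single-line form "require x v1" and the multi-line "require ( ... )" block,
// and strips trailing comments such as "// indirect".
func ParseGoMod(src string) []Module {
	var mods []Module
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				mods = append(mods, Module{f[0], f[1]})
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				mods = append(mods, Module{f[1], f[2]})
			}
		}
	}
	return mods
}

// ParseGoVersionM extracts the "dep" records from the output of
// `go version -m <binary>`, i.e. the modules actually linked into the binary.
// Each record is "dep <path> <version> <hash>"; "mod" and "path" lines are skipped.
func ParseGoVersionM(out string) []Module {
	var mods []Module
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "dep" {
			mods = append(mods, Module{f[1], f[2]})
		}
	}
	return mods
}

// CheckLicenses joins a module list with the static license table and returns
// the modules whose license is missing or not allowed, sorted by module path.
func CheckLicenses(mods []Module, table map[string]string, allowed map[string]bool) []Finding {
	var findings []Finding
	seen := map[string]bool{}
	for _, m := range mods {
		if seen[m.Path] {
			continue
		}
		seen[m.Path] = true
		lic, ok := table[m.Path]
		if !ok || !allowed[lic] {
			findings = append(findings, Finding{m, lic})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Module.Path < findings[j].Module.Path })
	return findings
}

// Constructed sample inputs (not real modules): gamma is only a transitive
// requirement in go.mod and is not linked into the binary.
const sampleGoMod = `module example.com/app

go 1.15

require (
	example.com/alpha v1.2.0
	example.com/beta v0.3.1
	example.com/gamma v0.1.0 // indirect
)
`

const sampleGoVersionM = `app: go1.15
	path	example.com/app/cmd/app
	mod	example.com/app	(devel)
	dep	example.com/alpha	v1.2.0	h1:constructedhash1
	dep	example.com/beta	v0.3.1	h1:constructedhash2
`

// Static, hand-maintained table (constructed values); gamma is intentionally missing.
var licenseTable = map[string]string{
	"example.com/alpha": "Apache-2.0",
	"example.com/beta":  "LGPL-2.1",
}

// Allow-list of business-friendly licenses; copyleft licenses are deliberately absent.
var allowedLicenses = map[string]bool{"Apache-2.0": true, "MIT": true, "BSD-3-Clause": true}

func report(source string, mods []Module) {
	findings := CheckLicenses(mods, licenseTable, allowedLicenses)
	fmt.Printf("%s: %d modules, %d need review\n", source, len(mods), len(findings))
	for _, f := range findings {
		lic := f.License
		if lic == "" {
			lic = "UNKNOWN (add to static table)"
		}
		fmt.Printf("  %s %s: %s\n", f.Module.Path, f.Module.Version, lic)
	}
}

func main() {
	report("go.mod", ParseGoMod(sampleGoMod))
	report("go version -m", ParseGoVersionM(sampleGoVersionM))
}
```

Run against the go.mod sample the check flags two modules (beta for its LGPL license, gamma because no license is recorded); run against the binary sample it flags only beta, which is the false-positive reduction the commit message describes. In a CI job the failing case is any non-empty finding list; the license table is the part that must be reviewed by a person whenever a new module path appears.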
antoninbas added a commit to antoninbas/antrea that referenced this issue Aug 19, 2020
antoninbas added a commit to antoninbas/antrea that referenced this issue Aug 28, 2020
antoninbas added a commit to antoninbas/antrea that referenced this issue Sep 2, 2020
antoninbas added a commit that referenced this issue Sep 8, 2020
GraysonWu pushed a commit to GraysonWu/antrea that referenced this issue Sep 22, 2020