[openstack-dev] Storing license information in openstack/requirements
Thierry Carrez
thierry at openstack.org
Wed Feb 19 11:04:09 UTC 2014
David Koo wrote:
>
>> Should we store licensing information as a comment in the
>> *-requirements files ? Can it be stored on the same line ? Something
>> like:
>>
>> oslo.messaging>=1.3.0a4 # Apache-2.0
>
> Since it's licenses we're tracking shouldn't we be tracking indirect
> dependencies too (i.e. packages pulled in by required packages)? And if
> we want to do that then the method above won't be sufficient.
>
> And, of course, we want an automated way of generating this info -
> dependencies (can) change from version to version. Do we have such a
> tool?
I think tracking licensing for first-level dependencies is a good start.
Basically, if we require a license-incompatible dependency it's clearly
our fault, whereas if a second-layer dependency requires a
license-incompatible dependency itself, we are just affected by their
mistake.
This is a first step, but it covers most of the issue we are trying to
prevent.
--
Thierry Carrez (ttx)
More information about the OpenStack-dev
mailing list