[openstack-dev] Storing license information in openstack/requirements

Thierry Carrez thierry at openstack.org
Wed Feb 19 11:04:09 UTC 2014


David Koo wrote:
> 
>> Should we store licensing information as a comment in the
>> *-requirements files ? Can it be stored on the same line ? Something
>> like:
>>
>> oslo.messaging>=1.3.0a4  # Apache-2.0
> 
> Since it's licenses we're tracking shouldn't we be tracking indirect
> dependencies too (i.e. packages pulled in by required packages)? And if
> we want to do that then the method above won't be sufficient.
> 
> And, of course, we want an automated way of generating this info -
> dependencies (can) change from version to version. Do we have such a
> tool?

I think tracking licensing for first-level dependencies is a good start.
Basically, if we require a license-incompatible dependency it's clearly
our fault, whereas if a second-layer dependency requires a
license-incompatible dependency itself, we are just affected by their
mistake.

This is a first step, but it covers most of the issue we are trying to
prevent.

-- 
Thierry Carrez (ttx)
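
An added example, not part of the original message and not OpenStack tooling: a checker for the `name>=version  # License` line format quoted above, covering first-level dependencies only, as the reply proposes. The `ALLOWED` set and every sample line except the oslo.messaging one are assumptions made for illustration.

```python
import re

# Assumed allow-list for illustration; the thread does not define one.
ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# name, optional version specifiers, optional trailing "# <license>" comment
LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([^#]*?)\s*(?:#\s*(.*?))?\s*$"
)

def parse_requirements(text):
    """Return a list of (name, specifier, license_or_None), one per requirement."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, full-line comments and pip options (-r, -e, -f).
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, spec, lic = m.group(1), m.group(2), m.group(3)
        entries.append((name, spec, lic or None))
    return entries

def audit(text, allowed=ALLOWED):
    """Return {name: problem} for first-level dependencies that fail the check."""
    problems = {}
    for name, _spec, lic in parse_requirements(text):
        if lic is None:
            problems[name] = "no license comment"
        elif lic not in allowed:
            problems[name] = "license not on allow-list: " + lic
    return problems

# Constructed sample; only the oslo.messaging line comes from the thread.
SAMPLE = """\
# Constructed sample requirements file
oslo.messaging>=1.3.0a4  # Apache-2.0
examplelib>=2.0,<3.0
otherlib==1.0  # GPL-3.0
-e git+https://example.invalid/repo#egg=skipped
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE).items():
        print(name + ": " + problem)
```

Run as a gate in review, a check like this catches an unannotated or disallowed first-level requirement; it does not inspect what those packages pull in themselves.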


