Closed stefan6419846 closed 4 months ago
Hi @stefan6419846 thanks for posting. It's indeed important to include all relevant license information! Do you happen to have an example of an extension library that does this well?
I unfortunately do not have a complete (public) example which would have all the metadata and cover all aspects, especially in an automated fashion. https://github.com/python-pillow/Pillow/tree/main/wheels/dependency_licenses and https://github.com/numpy/numpy/blob/main/LICENSES_bundled.txt provide some hints, but omit the actual versions.
Given that most dependencies (as Rust packages in general) are subject to Apache-2.0 OR MIT, I would probably list all the packages with their versions, homepage and copyright holders (authors/maintainers) and SPDX license expression in one place and include copies of the relevant licenses once.
A basic example (in German, but that should not really matter; mostly generated automatically) could look like this, although in this case it is rendered as HTML and does not attempt to de-duplicate licenses, instead copying the original license text over for each package (this still omits copyrights and notices from within the actual source code, but AFAIK there is no clean way to actually automate this for now):
Looks like it wasn't so hard to automate, see PR #144.
Note that most Rust-extension Python wheels don't seem to do this, even though it's one of the few things required by these permissive licenses 😅
Thanks. I have to admit that I do not really have any knowledge of the Rust ecosystem - apparently there already is a package for it ;)
Just as a side note: in the README, the special cases of Apache-2.0 WITH LLVM-exception and (MIT OR Apache-2.0) AND Unicode-DFS-2016 seem to be omitted.
@stefan6419846 I'll adjust the README text a bit and just refer to the distributions for full details 👍
Release 0.6.2 is now out with the changes 🚀
The binary wheels on PyPI currently ship with a shared object compiled using Rust which seems to have some external dependencies: https://github.com/ariebovenberg/whenever/blob/main/Cargo.lock
For now, the corresponding packages, including their versions and licenses, are not documented inside the whenever package itself, thus requiring additional documentation/modification work to ensure license compliance. As far as I have seen, the source distributions at least provide the lock file.
It would be great to have the whenever packages/wheels provide this information for the official builds.