google / play-services-plugins

Plugins to help with using Google Play services SDK.
https://developers.google.com/android/guides/overview
Apache License 2.0

OSS Licenses - output customization & visibility #75

Open annania opened 5 years ago

annania commented 5 years ago

Describe the bug

Some relation to #26 , addressing multiple issues/features

Output Customization:

  1. It would be nice if there was some output customization. (related to #26 ) Where for example, Apache 2.0 license is sometimes linked. If there was a way to replace the link with text, that would be nice. So a way for users to point to a config file or something to overwrite.
     1.a. Similarly, the copyright/attribution is missing in many cases. If there was a way to add the copyright statement (or missing information) to the results, that would be nice.
     1.b. I am not sure the approach here, but I have noticed that Maven and GitHub sometimes show different licenses for projects. So if this plugin is looking to the maven repo, it may not be the correct license.

Visibility: It appears that some of the results are deep/transitive dependencies. It would be nice to know where these dependencies are coming from. Is there a way to see that? I see some related files in app > build > generated > third_party_licenses


zhiqiao commented 5 years ago

Thanks for the report, @annania. Could you be a bit more specific or provide examples for some of these issues?

> It would be nice if there was some output customization. (related to #26 ) Where for example, Apache 2.0 license is sometimes linked. If there was a way to replace the link with text, that would be nice. So a way for users to point to a config file or something to overwrite.

See the same comment on #26: we intentionally do not resolve license stanzas in POM files which are just URLs, as we do not want to incur the complexity or risk.

> 1.a. Similarly, the copyright/attribution is missing in many cases. If there was a way to add the copyright statement (or missing information) to the results, that would be nice.

Could you list an example?

> 1.b. I am not sure the approach here, but I have noticed that Maven and GitHub sometimes show different licenses for projects. So if this plugin is looking to the maven repo, it may not be the correct license.

Not sure what you mean. An example would help.

> Visibility: It appears that some of the results are deep/transitive dependencies. It would be nice to know where these dependencies are coming from. Is there a way to see that? I see some related files in app > build > generated > third_party_licenses

Do you mean license information for a specific library seems to include transitive dependencies? This is intentional. For any of the play-services- or firebase- dependencies you use, when we compile those, we often use other libraries which are themselves under some license. Therefore, when we publish these artifacts, we are declaring what licenses are required for the software the artifact in question depends on.
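Two behaviours described in this thread can be made concrete with a small script: a POM `<licenses>` stanza that carries only a `<url>` is reported as unresolved rather than fetched (the maintainers' stance above, which avoids following arbitrary URLs from third-party metadata at build time), and the licenses of transitive dependencies are attributed back to the top-level artifact that pulled them in, which answers the "where is this coming from" question. This is an added example, not code from the oss-licenses plugin; the Maven coordinates, dependency edges and POM documents are constructed, and the output format is not the plugin's `third_party_licenses` format.

```python
"""Walk an app's dependency graph from constructed POMs and report, per
artifact, its license labels and the dependency path it was reached through.

License stanzas with only a <url> are labelled UNRESOLVED; the URL is kept
for a human to inspect and is never fetched.  All POMs are constructed samples.
"""
from collections import deque
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs keyed by "group:artifact" (coordinates are invented).
SAMPLE_POMS: Dict[str, str] = {
    "com.example.sdk:sdk-core": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>Apache License, Version 2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url></license></licenses>
  <dependencies>
    <dependency><groupId>com.example.util</groupId><artifactId>util-json</artifactId></dependency>
    <dependency><groupId>com.example.util</groupId><artifactId>util-io</artifactId></dependency>
  </dependencies>
</project>""",
    # URL-only license stanza: the kind the plugin refuses to resolve.
    "com.example.util:util-json": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><url>https://example.invalid/license.html</url></license></licenses>
  <dependencies>
    <dependency><groupId>com.example.util</groupId><artifactId>util-io</artifactId></dependency>
  </dependencies>
</project>""",
    "com.example.util:util-io": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>MIT License</name></license></licenses>
</project>""",
}


def parse_pom(xml_text: str) -> Tuple[List[str], List[str]]:
    """Return (license labels, dependency coordinates) declared in one POM."""
    root = ET.fromstring(xml_text)
    licenses: List[str] = []
    for lic in root.findall("m:licenses/m:license", NS):
        name = lic.findtext("m:name", default="", namespaces=NS).strip()
        url = lic.findtext("m:url", default="", namespaces=NS).strip()
        if name:
            licenses.append(name)
        elif url:
            # Record the URL for review; do not fetch it.
            licenses.append(f"UNRESOLVED (url only: {url})")
        else:
            licenses.append("UNRESOLVED (empty license stanza)")
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        deps.append(f"{group}:{artifact}")
    return licenses, deps


def collect_licenses(direct_deps: List[str],
                     poms: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Breadth-first walk from the app's direct dependencies.

    Maps each reachable coordinate to (shortest dependency path, licenses), so
    every transitive entry shows which top-level artifact brought it in.
    """
    report: Dict[str, Tuple[str, List[str]]] = {}
    queue = deque((d, [d]) for d in direct_deps)
    while queue:
        coord, path = queue.popleft()
        if coord in report:
            continue  # already reached via a shorter or equal path
        if coord not in poms:
            report[coord] = (" -> ".join(path), ["UNRESOLVED (no POM available)"])
            continue
        licenses, deps = parse_pom(poms[coord])
        report[coord] = (" -> ".join(path), licenses)
        for dep in deps:
            queue.append((dep, path + [dep]))
    return report


def unresolved_artifacts(report: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Coordinates whose license could not be determined from POM metadata."""
    return sorted(coord for coord, (_, lics) in report.items()
                  if any(label.startswith("UNRESOLVED") for label in lics))


if __name__ == "__main__":
    result = collect_licenses(["com.example.sdk:sdk-core"], SAMPLE_POMS)
    for coord, (path, lics) in sorted(result.items()):
        print(f"{coord}\n  via: {path}\n  licenses: {', '.join(lics)}")
    print("needs manual review:", unresolved_artifacts(result))
```

Artifacts flagged as unresolved are exactly the ones a developer would have to fill in by hand from an attribution file, which is the gap the customization request in this issue is about; the path column is the provenance the visibility request asks for.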