practicalli / licenses-assemble

License support tool for distributing open source software

Licenses Assemble project #1

Closed practicalli-johnny closed 1 year ago

practicalli-johnny commented 2 years ago

The Clojure CLI deps project can generate a fairly accurate list of licences as used by a project's dependencies (and each dependency's transitive dependencies)

Getting License List: Clojure CLI -X:deps list

https://clojure.github.io/tools.deps.alpha/clojure.tools.cli.api-api.html#clojure.tools.cli.api/list works with Maven deps, pom-based file deps, local jars, but not with deps-only local/git deps

Pulls the license information from a pom.xml file, either from a repository or a packaged jar file.

Limitation: deps projects don't have a license definition in a known place. Establishing a standard license location and format would also allow obtaining a license from a local/root or git repository.

Example

clj -X:deps list :extra '{:deps {com.amazonaws/aws-java-sdk-core {:mvn/version "1.12.122"}}}'
com.amazonaws/aws-java-sdk-core 1.12.122  (Apache-2.0)
com.fasterxml.jackson.core/jackson-annotations 2.12.3  (Apache-2.0)
com.fasterxml.jackson.core/jackson-core 2.12.3  (Apache-2.0)
com.fasterxml.jackson.core/jackson-databind 2.12.3  (Apache-2.0)
com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.12.3  (Apache-2.0)
commons-codec/commons-codec 1.15  (Apache-2.0)
commons-logging/commons-logging 1.2  (Apache-2.0)
joda-time/joda-time 2.8.1  (Apache 2)
org.apache.httpcomponents/httpclient 4.5.13  (Apache-2.0)
org.apache.httpcomponents/httpcore 4.4.13  (Apache-2.0)
org.clojure/clojure 1.10.3  (EPL-1.0)
org.clojure/core.specs.alpha 0.2.56  (EPL-1.0)
org.clojure/spec.alpha 0.2.194  (EPL-1.0)
software.amazon.ion/ion-java 1.0.2  (The Apache License, Version 2.0)

Export license list as EDN ?

Will Clojure -X:deps list export information as EDN? A hash map of info could include:

Project name
Project URL (if it's discovered - a git domain and project name)
Source of licence - from a jar, pom in a repo, a guess
Licences used - one or more licences

Figuring out unstructured licenses

Existing best practice in this area, i.e. https://spdx.dev/license-list/matching-guidelines/

“corner cases” - e.g. dual-or-more licensed software where the author has concatenated all of the licenses’ texts into a single ./LICENSE or ./COPYING

New Features

download the text of a license for each unique licence found across all dependencies.

Create a LICENCES directory with a readme listing each license used

Alternatively: concatenate all the licenses together with a mention of the library name each time, so we could be sure we're properly recreating the copyright message. As opposed to just saying “library: license type”. Also probably needs to descend into dependencies recursively (not really clear on the legal ramifications honestly).

Alternative projects

References
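As an added example (not code from this issue or the licenses-assemble project) of the EDN export and licence-matching ideas above: parse the `clj -X:deps list` output shown earlier into hash maps, map the free-text licence strings to SPDX ids with a hypothetical alias table, and flag anything unmatched so it can be reviewed by hand rather than silently guessed. The `spdx-aliases` table, the keyword names and the sample lines are constructed for this example.

```clojure
(ns license-list-edn
  (:require [clojure.string :as str]))

;; Constructed sample: a few of the `clj -X:deps list` lines shown in this issue.
(def sample-output
  "com.amazonaws/aws-java-sdk-core 1.12.122  (Apache-2.0)
joda-time/joda-time 2.8.1  (Apache 2)
org.clojure/clojure 1.10.3  (EPL-1.0)
software.amazon.ion/ion-java 1.0.2  (The Apache License, Version 2.0)")

;; Hypothetical alias table: free-text licence names as found in pom files,
;; lower-cased, mapped to SPDX identifiers. Anything not listed here is
;; reported as unmatched instead of being guessed.
(def spdx-aliases
  {"apache-2.0" "Apache-2.0"
   "apache 2" "Apache-2.0"
   "apache 2.0" "Apache-2.0"
   "apache license, version 2.0" "Apache-2.0"
   "the apache license, version 2.0" "Apache-2.0"
   "epl-1.0" "EPL-1.0"
   "eclipse public license 1.0" "EPL-1.0"})

(defn normalize-license
  "Map a licence string from a pom to an SPDX id, or nil when it is not recognised."
  [s]
  (get spdx-aliases (str/lower-case (str/trim s))))

(defn parse-line
  "Turn one `deps list` line into a hash map; nil for lines that do not match."
  [line]
  (when-let [[_ lib version license]
             (re-matches #"^(\S+)\s+(\S+)\s+\((.*)\)\s*$" line)]
    {:lib (symbol lib)
     :version version
     :license/raw license
     :license/spdx (normalize-license license)
     :license/source :pom}))

(defn license-report
  "EDN data for all parsed lines, the set of unique SPDX ids found,
  and the dependencies whose licence text could not be matched."
  [text]
  (let [deps (keep parse-line (str/split-lines text))]
    {:deps (vec deps)
     :licenses (into (sorted-set) (keep :license/spdx) deps)
     :unmatched (vec (remove :license/spdx deps))}))

(comment
  ;; Evaluate in a REPL to see the EDN structure for the sample lines.
  (license-report sample-output))
```

The `:licenses` set drives the "download each unique licence" step, and a non-empty `:unmatched` vector is the signal that a pom carries a licence string the alias table does not know yet.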

practicalli-johnny commented 1 year ago

Provided within the Clojure CLI tool now.