[all] Do a license audit on all crates used in workspace `r3bl_rs_utils`

nazmulidris commented 1 year ago

Use of r3bl_ansi_color crate and stop using ansi-colours crate.

Make sure to remove all dependencies that don't use MIT or Apache (ie, that use any kind of copyleft license), eg: ansi-colours, maybe lolcat?

We should look at all the crates we have as dependencies and remove the ones that have incompatible licenses to ours (Apache2.0), such as any copyleft type license.

More info

https://docs.rs/crates_io_api/latest/crates_io_api/ - This crate provides a client API to crates.io which allows us to get all kinds of metadata for any published crates. We can use this to determine what the license for a given crate is, and then determine whether it is ok to use or not.
If we wanted to build our own Rust program to do this check, we could publish it on crates.io itself, and then use it in a github action to perform this check, in a CI/CD context on github.com

Related issues:

Harshil-Jani commented 1 year ago

Hey @nazmulidris have you checked this out yet ? https://embarkstudios.github.io/cargo-deny/index.html

If you look at config in ch-3.1 we can set based on our requirement

[licenses]
unlicensed = "deny"
allow-osi-fsf-free = "neither"
copyleft = "deny"
# We want really high confidence when inferring licenses from text
confidence-threshold = 0.93
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "MIT",
    "MPL-2.0",
    "BSD-3-Clause",
    "ISC",
]

And we can test this directly. I feel this to be a good alternative to have instead of building entire application to do this. I suggest to include this into the CI using Github Actions https://github.com/EmbarkStudios/cargo-deny-action. Please let me know about this :)

nazmulidris commented 1 year ago

@Harshil-Jani That is a great suggestion 👏🏽 . I didn't know about that crate. I like the idea of the GitHub Action as well to automate this in CI/CD. That's cool that the GA was written by EmbardStudios. We use crossterm which is written by Timon who works there 👍🏽

Harshil-Jani commented 1 year ago

Hii, So I have done the audit locally and below is the script which you can include in deny.toml in project root. And then run cargo deny check licenses.

[licenses]
unlicensed = "deny"
allow = [
    "MIT",
    "Apache-2.0",
]
copyleft = "deny"

This is the generated report based on above configuration

error[rejected]: failed to satisfy license requirements
  ┌─ ansi_colours 1.2.2 (registry+https://github.com/rust-lang/crates.io-index):4:12
  │
4 │ license = "LGPL-3.0-or-later"
  │            ^^^^^^^^^^^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft
  │
  = ansi_colours v1.2.2
    ├── r3bl_rs_utils_core v0.9.3
    │   ├── r3bl_redux v0.2.3
    │   │   ├── r3bl_rs_utils v0.9.8
    │   │   └── r3bl_tui v0.3.4
    │   │       └── r3bl_rs_utils v0.9.8 (*)
    │   ├── r3bl_rs_utils v0.9.8 (*)
    │   ├── r3bl_rs_utils_macro v0.9.3
    │   │   ├── r3bl_redux v0.2.3 (*)
    │   │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   └── r3bl_tui v0.3.4 (*)
    │   └── r3bl_tui v0.3.4 (*)
    └── r3bl_tui v0.3.4 (*)

error[rejected]: failed to satisfy license requirements
  ┌─ encoding_rs 0.8.33 (registry+https://github.com/rust-lang/crates.io-index):4:13
  │
4 │ license = "(Apache-2.0 OR MIT) AND BSD-3-Clause"
  │            -^^^^^^^^^^----^^^------^^^^^^^^^^^^
  │            ││             │        │
  │            ││             │        rejected: not explicitly allowed
  │            ││             accepted: license is explicitly allowed
  │            │accepted: license is explicitly allowed
  │            license expression retrieved via Cargo.toml `license`
  │
  = encoding_rs v0.8.33
    └── reqwest v0.11.20
        └── r3bl_rs_utils_core v0.9.3
            ├── r3bl_redux v0.2.3
            │   ├── r3bl_rs_utils v0.9.8
            │   └── r3bl_tui v0.3.4
            │       └── r3bl_rs_utils v0.9.8 (*)
            ├── r3bl_rs_utils v0.9.8 (*)
            ├── r3bl_rs_utils_macro v0.9.3
            │   ├── r3bl_redux v0.2.3 (*)
            │   ├── r3bl_rs_utils v0.9.8 (*)
            │   └── r3bl_tui v0.3.4 (*)
            └── r3bl_tui v0.3.4 (*)

error[rejected]: failed to satisfy license requirements
  ┌─ unicode-ident 1.0.12 (registry+https://github.com/rust-lang/crates.io-index):4:13
  │
4 │ license = "(MIT OR Apache-2.0) AND Unicode-DFS-2016"
  │            -^^^----^^^^^^^^^^------^^^^^^^^^^^^^^^^
  │            ││      │               │
  │            ││      │               rejected: not explicitly allowed
  │            ││      accepted: license is explicitly allowed
  │            │accepted: license is explicitly allowed
  │            license expression retrieved via Cargo.toml `license`
  │
  = unicode-ident v1.0.12
    ├── proc-macro2 v1.0.67
    │   ├── async-trait v0.1.73
    │   │   ├── r3bl_redux v0.2.3
    │   │   │   ├── r3bl_rs_utils v0.9.8
    │   │   │   └── r3bl_tui v0.3.4
    │   │   │       └── r3bl_rs_utils v0.9.8 (*)
    │   │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   ├── r3bl_rs_utils_core v0.9.3
    │   │   │   ├── r3bl_redux v0.2.3 (*)
    │   │   │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │   ├── r3bl_rs_utils_macro v0.9.3
    │   │   │   │   ├── r3bl_redux v0.2.3 (*)
    │   │   │   │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │   │   └── r3bl_tui v0.3.4 (*)
    │   │   │   └── r3bl_tui v0.3.4 (*)
    │   │   └── r3bl_tui v0.3.4 (*)
    │   ├── attribute-derive v0.6.1
    │   │   └── get-size-derive v0.1.3
    │   │       └── get-size v0.1.4
    │   │           ├── r3bl_redux v0.2.3 (*)
    │   │           ├── r3bl_rs_utils v0.9.8 (*)
    │   │           ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │           └── r3bl_tui v0.3.4 (*)
    │   ├── attribute-derive-macro v0.6.1
    │   │   └── attribute-derive v0.6.1 (*)
    │   ├── derive-where v1.2.5
    │   │   └── quote-use-macros v0.7.2
    │   │       └── quote-use v0.7.2
    │   │           └── attribute-derive-macro v0.6.1 (*)
    │   ├── futures-macro v0.3.28
    │   │   └── futures-util v0.3.28
    │   │       ├── futures v0.3.28
    │   │       │   ├── r3bl_redux v0.2.3 (*)
    │   │       │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │       │   └── r3bl_tui v0.3.4 (*)
    │   │       ├── futures-executor v0.3.28
    │   │       │   └── futures v0.3.28 (*)
    │   │       ├── h2 v0.3.21
    │   │       │   ├── hyper v0.14.27
    │   │       │   │   ├── hyper-tls v0.5.0
    │   │       │   │   │   └── reqwest v0.11.20
    │   │       │   │   │       └── r3bl_rs_utils_core v0.9.3 (*)
    │   │       │   │   └── reqwest v0.11.20 (*)
    │   │       │   └── reqwest v0.11.20 (*)
    │   │       ├── hyper v0.14.27 (*)
    │   │       ├── r3bl_redux v0.2.3 (*)
    │   │       ├── r3bl_rs_utils v0.9.8 (*)
    │   │       ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │       ├── r3bl_rs_utils_macro v0.9.3 (*)
    │   │       ├── r3bl_tui v0.3.4 (*)
    │   │       └── reqwest v0.11.20 (*)
    │   ├── openssl-macros v0.1.1
    │   │   └── openssl v0.10.57
    │   │       └── native-tls v0.2.11
    │   │           ├── hyper-tls v0.5.0 (*)
    │   │           ├── reqwest v0.11.20 (*)
    │   │           └── tokio-native-tls v0.3.1
    │   │               ├── hyper-tls v0.5.0 (*)
    │   │               └── reqwest v0.11.20 (*)
    │   ├── palette_derive v0.6.1
    │   │   └── palette v0.6.1
    │   │       └── r3bl_tui v0.3.4 (*)
    │   ├── phf_macros v0.11.2
    │   │   └── phf v0.11.2
    │   │       └── palette v0.6.1 (*)
    │   ├── proc-macro-error v1.0.4
    │   │   └── attribute-derive-macro v0.6.1 (*)
    │   ├── proc-macro-error-attr v1.0.4
    │   │   └── proc-macro-error v1.0.4 (*)
    │   ├── proc-macro-utils v0.8.0
    │   │   └── attribute-derive-macro v0.6.1 (*)
    │   ├── quote v1.0.33
    │   │   ├── async-trait v0.1.73 (*)
    │   │   ├── attribute-derive v0.6.1 (*)
    │   │   ├── attribute-derive-macro v0.6.1 (*)
    │   │   ├── derive-where v1.2.5 (*)
    │   │   ├── futures-macro v0.3.28 (*)
    │   │   ├── get-size-derive v0.1.3 (*)
    │   │   ├── openssl-macros v0.1.1 (*)
    │   │   ├── palette_derive v0.6.1 (*)
    │   │   ├── phf_macros v0.11.2 (*)
    │   │   ├── proc-macro-error v1.0.4 (*)
    │   │   ├── proc-macro-error-attr v1.0.4 (*)
    │   │   ├── proc-macro-utils v0.8.0 (*)
    │   │   ├── quote-use v0.7.2 (*)
    │   │   ├── quote-use-macros v0.7.2 (*)
    │   │   ├── r3bl_rs_utils_macro v0.9.3 (*)
    │   │   ├── serde_derive v1.0.188
    │   │   │   └── serde v1.0.188
    │   │   │       ├── bincode v1.3.3
    │   │   │       │   └── syntect v5.1.0
    │   │   │       │       ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │   │       │       └── r3bl_tui v0.3.4 (*)
    │   │   │       ├── crossterm v0.24.0
    │   │   │       │   └── reedline v0.16.0
    │   │   │       │       ├── (dev) r3bl_rs_utils v0.9.8 (*)
    │   │   │       │       └── (dev) r3bl_tui v0.3.4 (*)
    │   │   │       ├── crossterm v0.26.1
    │   │   │       │   ├── r3bl_redux v0.2.3 (*)
    │   │   │       │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │       │   ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │   │       │   ├── r3bl_rs_utils_macro v0.9.3 (*)
    │   │   │       │   └── r3bl_tui v0.3.4 (*)
    │   │   │       ├── plist v1.5.0
    │   │   │       │   └── syntect v5.1.0 (*)
    │   │   │       ├── r3bl_redux v0.2.3 (*)
    │   │   │       ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │       ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │   │       ├── r3bl_tui v0.3.4 (*)
    │   │   │       ├── reedline v0.16.0 (*)
    │   │   │       ├── reqwest v0.11.20 (*)
    │   │   │       ├── serde_json v1.0.107
    │   │   │       │   ├── r3bl_redux v0.2.3 (*)
    │   │   │       │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │       │   ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │   │       │   ├── r3bl_tui v0.3.4 (*)
    │   │   │       │   ├── reqwest v0.11.20 (*)
    │   │   │       │   └── syntect v5.1.0 (*)
    │   │   │       ├── serde_urlencoded v0.7.1
    │   │   │       │   └── reqwest v0.11.20 (*)
    │   │   │       ├── syntect v5.1.0 (*)
    │   │   │       └── toml v0.5.11
    │   │   │           └── find-crate v0.6.3
    │   │   │               └── palette_derive v0.6.1 (*)
    │   │   ├── strum_macros v0.24.3
    │   │   │   ├── r3bl_tui v0.3.4 (*)
    │   │   │   └── reedline v0.16.0 (*)
    │   │   ├── syn v1.0.109
    │   │   │   ├── palette_derive v0.6.1 (*)
    │   │   │   ├── proc-macro-error v1.0.4 (*)
    │   │   │   ├── r3bl_rs_utils_macro v0.9.3 (*)
    │   │   │   └── strum_macros v0.24.3 (*)
    │   │   ├── syn v2.0.37
    │   │   │   ├── async-trait v0.1.73 (*)
    │   │   │   ├── attribute-derive v0.6.1 (*)
    │   │   │   ├── attribute-derive-macro v0.6.1 (*)
    │   │   │   ├── derive-where v1.2.5 (*)
    │   │   │   ├── futures-macro v0.3.28 (*)
    │   │   │   ├── get-size-derive v0.1.3 (*)
    │   │   │   ├── openssl-macros v0.1.1 (*)
    │   │   │   ├── phf_macros v0.11.2 (*)
    │   │   │   ├── quote-use v0.7.2 (*)
    │   │   │   ├── quote-use-macros v0.7.2 (*)
    │   │   │   ├── serde_derive v1.0.188 (*)
    │   │   │   ├── thiserror-impl v1.0.49
    │   │   │   │   └── thiserror v1.0.49
    │   │   │   │       ├── reedline v0.16.0 (*)
    │   │   │   │       └── syntect v5.1.0 (*)
    │   │   │   ├── tokio-macros v2.1.0
    │   │   │   │   └── tokio v1.32.0
    │   │   │   │       ├── h2 v0.3.21 (*)
    │   │   │   │       ├── hyper v0.14.27 (*)
    │   │   │   │       ├── hyper-tls v0.5.0 (*)
    │   │   │   │       ├── r3bl_redux v0.2.3 (*)
    │   │   │   │       ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │   │       ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │   │   │       ├── r3bl_tui v0.3.4 (*)
    │   │   │   │       ├── reqwest v0.11.20 (*)
    │   │   │   │       ├── tokio-native-tls v0.3.1 (*)
    │   │   │   │       └── tokio-util v0.7.9
    │   │   │   │           └── h2 v0.3.21 (*)
    │   │   │   ├── wasm-bindgen-backend v0.2.87
    │   │   │   │   └── wasm-bindgen-macro-support v0.2.87
    │   │   │   │       └── wasm-bindgen-macro v0.2.87
    │   │   │   │           └── wasm-bindgen v0.2.87
    │   │   │   │               ├── chrono v0.4.31
    │   │   │   │               │   ├── r3bl_redux v0.2.3 (*)
    │   │   │   │               │   ├── r3bl_rs_utils v0.9.8 (*)
    │   │   │   │               │   ├── r3bl_rs_utils_core v0.9.3 (*)
    │   │   │   │               │   ├── r3bl_tui v0.3.4 (*)
    │   │   │   │               │   └── reedline v0.16.0 (*)
    │   │   │   │               ├── iana-time-zone v0.1.57
    │   │   │   │               │   └── chrono v0.4.31 (*)
    │   │   │   │               ├── js-sys v0.3.64
    │   │   │   │               │   ├── chrono v0.4.31 (*)
    │   │   │   │               │   ├── iana-time-zone v0.1.57 (*)
    │   │   │   │               │   ├── reqwest v0.11.20 (*)
    │   │   │   │               │   ├── wasm-bindgen-futures v0.4.37
    │   │   │   │               │   │   └── reqwest v0.11.20 (*)
    │   │   │   │               │   └── web-sys v0.3.64
    │   │   │   │               │       ├── reqwest v0.11.20 (*)
    │   │   │   │               │       └── wasm-bindgen-futures v0.4.37 (*)
    │   │   │   │               ├── reqwest v0.11.20 (*)
    │   │   │   │               ├── wasm-bindgen-futures v0.4.37 (*)
    │   │   │   │               └── web-sys v0.3.64 (*)
    │   │   │   └── wasm-bindgen-macro-support v0.2.87 (*)
    │   │   ├── thiserror-impl v1.0.49 (*)
    │   │   ├── tokio-macros v2.1.0 (*)
    │   │   ├── vte_generate_state_changes v0.1.1
    │   │   │   └── vte v0.10.1
    │   │   │       └── strip-ansi-escapes v0.1.1
    │   │   │           └── reedline v0.16.0 (*)
    │   │   ├── wasm-bindgen-backend v0.2.87 (*)
    │   │   ├── wasm-bindgen-macro v0.2.87 (*)
    │   │   └── wasm-bindgen-macro-support v0.2.87 (*)
    │   ├── quote-use-macros v0.7.2 (*)
    │   ├── r3bl_rs_utils_macro v0.9.3 (*)
    │   ├── serde_derive v1.0.188 (*)
    │   ├── strum_macros v0.24.3 (*)
    │   ├── syn v1.0.109 (*)
    │   ├── syn v2.0.37 (*)
    │   ├── thiserror-impl v1.0.49 (*)
    │   ├── tokio-macros v2.1.0 (*)
    │   ├── vte_generate_state_changes v0.1.1 (*)
    │   ├── wasm-bindgen-backend v0.2.87 (*)
    │   └── wasm-bindgen-macro-support v0.2.87 (*)
    ├── syn v1.0.109 (*)
    └── syn v2.0.37 (*)

licenses FAILED

nazmulidris commented 1 year ago

@Harshil-Jani Thank you for running this audit. I am taking a look at the crates that were flagged. Also did you want to make a PR w/ these changes into the repo? It is hacktoberfest, and you could get credit for it? Also if you would like to chat about the PR, here is our discord server: https://discord.gg/UejyhKfx

nazmulidris commented 1 year ago

@Harshil-Jani I did a little more digging from the generated report that you shared in an earlier comment.

[x] ansi_colours crate has to be dropped & replaced with this.
[x] This license audit step has to be added to the ci/cd work that we have planned as well.
- https://github.com/r3bl-org/r3bl_rs_utils/issues/120
[x] reqwest might need to be dropped as well. I don't know why it is a dependency of r3bl_rs_utils_core in the first place 🤔 .
- https://github.com/r3bl-org/r3bl_rs_utils/issues/140
[x] I think it is safe to add an exception for two crates (unicode-indent, encoding_rs) using (Unicode-DFS-2016, BSD-3-Clause) to deny.toml:

[licenses]
unlicensed = "deny"
allow = ["MIT", "Apache-2.0"]
copyleft = "deny"

# https://github.com/EmbarkStudios/cargo-deny/blob/main/examples/01_allow_license/deny.toml
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html?highlight=exception#the-exceptions-field-optional
# https://docs.rs/cargo-deny/latest/cargo_deny/licenses/cfg/struct.Exception.html
exceptions = [
    { 
        name = "unicode-ident", 
        allow = ["Unicode-DFS-2016"] 
    },
    { 
        name = "encoding_rs", 
        allow = ["BSD-3-Clause"] 
    }
]

Note - I haven't tried to run this yet 😄

Unicode-DFS-2016

The Unicode License Agreement - Data Files and Software (2016) is a license agreement that governs the use of Unicode’s data files and software.
The license is free of charge and allows users to use, copy, modify, merge, publish, distribute, and sell copies of the data files or software without restriction.
https://spdx.org/licenses/Unicode-DFS-2016.html

BSD-3-Clause

The BSD-3-Clause License is a permissive open-source software license that allows users to use, copy, modify, merge, publish, distribute, and sell copies of the software without restriction.
https://opensource.org/license/BSD-3-clause/

SPDX identifiers

https://spdx.org/licenses/

SPDX identifiers are short text strings that uniquely identify a software license. SPDX identifiers are used to communicate license information in a standardized and machine-readable format. SPDX identifiers are part of the Software Package Data Exchange (SPDX) standard, which is an open standard for communicating software bill of materials (SBOM) information including components, licenses, copyrights, and security references.

mdbook for the crate

Also I found the mdbook for this crate here: https://embarkstudios.github.io/cargo-deny/

`exception` field in `deny.toml`

The exception field in the cargo-deny crate is a way to allow one or more licenses to be permitted only for a particular crate. It is a part of the cfg module in the licenses module of the cargo-deny crate.

The exception field has three fields: name, version, and allow. The name field specifies the name of the crate to apply the exception to. The version field is an optional version constraint for the crate, which defaults to any version. The allow field is a list of one or more SPDX identifiers that are allowed only for this crate.

Example: https://github.com/EmbarkStudios/cargo-deny/blob/main/examples/01_allow_license/deny.toml

nazmulidris commented 1 year ago

@Harshil-Jani Also we have a discord server if you want to chat about this issue over there: https://discord.com/invite/UejyhKfx

Harshil-Jani commented 1 year ago

Also did you want to make a PR w/ these changes into the repo?

Sure, I would love to contribute in the project.

Looking forward towards doing all the changes suggested by you above 🚀 .

nazmulidris commented 1 year ago

@Harshil-Jani I am assigning this issue to you 🎉 And I will work on generating new issues for each of the Action item checkboxes in one of the comments above. And I will clean up this issue and other existing issues as well (update cross links, etc) 👍🏽

r3bl-org / r3bl-open-core