adambkaplan opened this issue 3 years ago (status: Open)
How have we determined this list?

```
$ go mod why github.com/bmizerany/assert
# github.com/bmizerany/assert
(main module does not need package github.com/bmizerany/assert)
```

And another randomly selected example:

```
$ go mod why github.com/gonum/lapack
# github.com/gonum/lapack
(main module does not need package github.com/gonum/lapack)
```
@HeavyWombat ^^
We use some kind of license checker that pops out a list of all modules in use. Let me double check how the tool comes up with the list of dependencies.
Apparently, it is `go list -mod=readonly -m -u -json all`, and this returns entries for `gonum`. However, I cannot find why this would show up in that list, as it is not a direct import, nor can it be found indirectly.
If I read it correctly, the graph is like: `github.com/shipwright-io/build` -> `knative.dev/pkg` -> `github.com/tsenart/vegeta/v12` -> `github.com/gonum/*`.

I did `go mod graph | grep gonum` and then searched my way back up to our module.
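The manual "grep and walk back up" done above can be automated: `go mod graph` prints one `from to` edge per line, so a breadth-first search from the main module to the first node whose module path matches a target reproduces the chain from `shipwright-io/build` down to `gonum`. The program below is an added example, not code from the shipwright-io/build project or from any commenter; the graph text it parses is a constructed stand-in for real `go mod graph` output (module versions are made up), and the function names `ParseGraph`, `ModulePath` and `FindPath` are the example's own. Note what it can and cannot tell you: it explains why a module is in the module graph (and therefore in `go list -m all`), but not whether any package from it is actually built, which is the question `go mod why` answers.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed imitation of `go mod graph` output, modelled on
// the chain described in the thread. Real output has many more edges and real
// versions; the main module is listed without an @version suffix.
const sampleGraph = `github.com/shipwright-io/build knative.dev/pkg@v0.0.1
github.com/shipwright-io/build github.com/bmizerany/assert@v0.0.0-20120716
knative.dev/pkg@v0.0.1 github.com/tsenart/vegeta/v12@v12.8.4
github.com/tsenart/vegeta/v12@v12.8.4 github.com/gonum/stat@v0.0.0-20190101
github.com/gonum/stat@v0.0.0-20190101 github.com/gonum/floats@v0.0.0-20190101
github.com/gonum/stat@v0.0.0-20190101 github.com/gonum/lapack@v0.0.0-20190101
`

// ParseGraph turns "from to" lines into an adjacency list keyed by the node
// text exactly as printed (module@version, or bare module for the main module).
func ParseGraph(text string) map[string][]string {
	graph := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// ModulePath strips the "@version" suffix from a graph node.
func ModulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPath does a breadth-first search from root and returns the shortest
// chain of module paths (versions removed) ending at the first node whose
// module path equals target or lives below it (so "github.com/gonum" matches
// any gonum module). It returns nil when target is not reachable.
func FindPath(graph map[string][]string, root, target string) []string {
	matches := func(n string) bool {
		p := ModulePath(n)
		return p == target || strings.HasPrefix(p, target+"/")
	}
	parent := map[string]string{root: ""} // also serves as the visited set
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if matches(cur) {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{ModulePath(n)}, path...)
			}
			return path
		}
		for _, next := range graph[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	graph := ParseGraph(sampleGraph)
	root := "github.com/shipwright-io/build"
	for _, target := range []string{"github.com/gonum/lapack", "github.com/bmizerany/assert", "example.com/not-there"} {
		if path := FindPath(graph, root, target); path != nil {
			fmt.Println(strings.Join(path, " -> "))
		} else {
			fmt.Printf("%s: not reachable from %s\n", target, root)
		}
	}
}
```

To run it against a real repository, pipe `go mod graph > graph.txt` and replace `sampleGraph` with the file contents; the shortest chain it prints is the one to start reading when deciding whether a transitive dependency (and its licence) is really part of what you ship.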
Weird. I think `go.sum` keeps tabs on all possible versions of dependencies, and all their possible versions that might satisfy the constraints, even if you don't actually depend on those to build the final binary or run tests.
Using https://github.com/google/go-licenses seems to show that no dependencies are "Forbidden" (by their definition), and don't seem to complain about any missing licenses. I don't know if that's sufficient for your use case though (IANAL).
Originally, it just started with the question whether the licenses are something we actively look into at the moment. If https://github.com/google/go-licenses is giving us a good list, I am totally fine with that, especially since the `gonum` finding through `go list -mod=readonly -m -u -json all` seems to be a very special edge case.
From @HeavyWombat: some of our deeper dependencies do not have identifiable licenses:

- github.com/bmizerany/assert
- github.com/bmizerany/perks
- github.com/gonum/blas
- github.com/gonum/diff
- github.com/gonum/floats
- github.com/gonum/integrate
- github.com/gonum/internal
- github.com/gonum/lapack
- github.com/gonum/mathext
- github.com/gonum/matrix
- github.com/gonum/stat
- github.com/hudl/fargo