shipwright-io / build

Shipwright - a framework for building container images on Kubernetes
https://shipwright.io
Apache License 2.0

Dependencies with missing license files #754

Open adambkaplan opened 3 years ago

adambkaplan commented 3 years ago

From @HeavyWombat: some of our deeper dependencies do not have identifiable licenses:

github.com/bmizerany/assert
github.com/bmizerany/perks
github.com/gonum/blas
github.com/gonum/diff
github.com/gonum/floats
github.com/gonum/integrate
github.com/gonum/internal
github.com/gonum/lapack
github.com/gonum/mathext
github.com/gonum/matrix
github.com/gonum/stat
github.com/hudl/fargo

imjasonh commented 3 years ago

How have we determined this list?

$ go mod why github.com/bmizerany/assert
# github.com/bmizerany/assert
(main module does not need package github.com/bmizerany/assert)

And another randomly selected example:

$ go mod why github.com/gonum/lapack
# github.com/gonum/lapack
(main module does not need package github.com/gonum/lapack)

qu1queee commented 3 years ago

@HeavyWombat ^^

HeavyWombat commented 3 years ago

We use some kind of license checker that pops out a list of all modules in use. Let me double check how the tool comes up with the list of dependencies.

HeavyWombat commented 3 years ago

Apparently, it is go list -mod=readonly -m -u -json all, and this returns entries for gonum. However, I cannot find why this would show up in that list, as it is not a direct import, nor can it be found indirectly.

HeavyWombat commented 3 years ago

If I read it correctly, the graph is like: github.com/shipwright-io/build -> knative.dev/pkg -> github.com/tsenart/vegeta/v12 -> github.com/gonum/*.

I did go mod graph | grep gonum and then searched my way back up to our module.
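The manual walk back up the go mod graph output described in the comment above can be automated. The following Go program is an added example (not part of this issue or of the Shipwright code base): it reads go mod graph lines, collapses module versions so several versions of one module become a single node, and returns one requirement chain from the root module to any module under a given prefix. The graph text is constructed to mirror the chain above, with made-up versions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output ("parent child@version" per line); not the real graph.
const sampleGraph = `github.com/shipwright-io/build knative.dev/pkg@v0.20.0
knative.dev/pkg@v0.20.0 github.com/tsenart/vegeta/v12@v12.8.4
github.com/tsenart/vegeta/v12@v12.8.4 github.com/gonum/lapack@v0.0.0-20181123203524
github.com/tsenart/vegeta/v12@v12.8.4 github.com/gonum/stat@v0.0.0-20181125101827`

// path drops the "@version" suffix so every version of a module is one node.
func path(m string) string { return strings.SplitN(m, "@", 2)[0] }

// WhyModule builds a reverse map (module -> modules requiring it) and walks
// breadth-first from every module under prefix toward root. It returns one
// requirement chain, root first, or nil if no chain reaches root.
func WhyModule(graph, root, prefix string) []string {
	parents := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			parents[path(f[1])] = append(parents[path(f[1])], path(f[0]))
		}
	}
	queue, seen := [][]string{}, map[string]bool{} // each queue entry is a chain; chain[0] is the frontier node
	for node := range parents {
		if strings.HasPrefix(node, prefix) {
			queue = append(queue, []string{node})
		}
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur[0] == root {
			return cur
		}
		for _, p := range parents[cur[0]] {
			if !seen[p] { // module graphs may contain cycles once versions collapse
				seen[p] = true
				queue = append(queue, append([]string{p}, cur...))
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(WhyModule(sampleGraph, "github.com/shipwright-io/build", "github.com/gonum/"), " -> "))
}
```

To use it on a real project, pipe the output of go mod graph into the graph argument instead of the constructed constant.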

imjasonh commented 3 years ago

Weird. I think go.sum keeps tabs on all possible versions of dependencies, and all their possible versions that might satisfy the constraints, even if you don't actually depend on those to build the final binary or run tests.

Using https://github.com/google/go-licenses seems to show that no dependencies are "Forbidden" (by their definition), and it doesn't seem to complain about any missing licenses. I don't know if that's sufficient for your use case though (IANAL).

HeavyWombat commented 3 years ago

Originally, it just started with the question whether the licenses are something we actively look into at the moment. If https://github.com/google/go-licenses is giving us a good list, I am totally fine with that, especially since the gonum finding through go list -mod=readonly -m -u -json all seems to be a very special edge case.