[Proposal] mix deps.licenses to list all dependencies' licenses


unn...@unnawut.com

Nov 9, 2017, 10:37:53 PM
to elixir-lang-core
TLDR: Proposal of `mix deps.licenses` to list all dependencies' licenses for review, which can be very manually tedious but very important to do to stay legally safe.

-----

Often times when developing an app, some new dependencies may be added/removed over time, some dependencies change their licenses throughout their lives.

Especially in a team setting where multiple people may add/remove dependencies from the project, we need to periodically review the licenses used by our dependencies to make sure we are not violating them. Currently this can be tedious work as the licenses are specified in their respective Mixfile, and one project may have dozens of dependencies. (Worse is that a lot of packages don't define their `Mix.Project.config.package.licenses`, but that's a separate concern).

So I would like to propose a `mix deps.licenses` task that extracts `Mix.Project.config.package.licenses` from each dependency and outputs it on the command line. This would be similar to `composer licenses` in PHP.

I tinkered a little with creating a simple mix task. This is the result I can extract using the `licenses` attribute:

```
$ mix deps.licenses

poolboy: license undefined
decimal: Apache 2.0
warning: String.strip/1 is deprecated, use String.trim/1
  /path/to/project/deps/poison/mix.exs:4

poison: CC0-1.0
elixir_make: Apache 2
bcrypt_elixir: BSD
db_connection: Apache 2.0
postgrex: Apache 2.0
ecto: Apache 2.0
ex_machina: MIT
connection: Apache 2.0
poolboy: license undefined
decimal: Apache 2.0
poison: CC0-1.0
elixir_make: Apache 2
bcrypt_elixir: BSD
db_connection: Apache 2.0
rabbit_common: license undefined
postgrex: Apache 2.0
ecto: Apache 2.0
connection: Apache 2.0
poolboy: license undefined
meck: license undefined
mock: MIT
decimal: Apache 2.0
poison: CC0-1.0
elixir_make: Apache 2
db_connection: Apache 2.0
postgrex: Apache 2.0
ecto: Apache 2.0
connection: Apache 2.0
ranch: license undefined
poolboy: license undefined
decimal: Apache 2.0
poison: CC0-1.0
elixir_make: Apache 2
db_connection: Apache 2.0
phoenix_pubsub: MIT
cowlib: license undefined
cowboy: license undefined
amqp_client: license undefined
amqp: MIT
mime: Apache 2
plug: Apache 2
phoenix: MIT
postgrex: Apache 2.0
ecto: Apache 2.0
```

Obviously there is more work to do: duplicate packages (packages having the same dependencies), warnings as a result of `Mix.Dep.in_dependency`. But let me know if this is worth adding (I think so!); I would be happy to continue working and submit a PR for this.

José Valim

Nov 10, 2017, 2:00:49 AM
to elixir-l...@googlegroups.com
Hi, I agree such a Mix task can be useful but I don't see a reason for it to be included as part of Elixir. So please do release it as a separate project that folks can bring into their application as necessary. Thank you!



José Valim
Founder and 
Director of R&D

--
You received this message because you are subscribed to the Google Groups "elixir-lang-core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elixir-lang-core+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elixir-lang-core/401033dd-db2f-4e5f-8935-4df9cee196e9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Unnawut Leepaisalsuwanna

Nov 10, 2017, 3:07:12 AM
to elixir-l...@googlegroups.com
Sure thing. Thanks!


Eric Meadows-Jönsson

Nov 10, 2017, 5:30:54 AM
to elixir-l...@googlegroups.com
If you wait for the next Hex release we have added the hex_metadata.config file so you can read metadata of all fetched Hex packages, including Erlang projects, without having to read mix.exs.

This is the PR that adds it: https://github.com/hexpm/hex/pull/433.

Here is an example of the contents of the hex_metadata.config file:

```
{<<"app">>,<<"cowlib">>}.
{<<"build_tools">>,[<<"make">>]}.
{<<"description">>,<<"Support library for manipulating Web protocols.">>}.
{<<"files">>,
 [<<"src/cow_cookie.erl">>,<<"src/cow_date.erl">>,<<"src/cow_http.erl">>,
  <<"src/cow_http_hd.erl">>,<<"src/cow_http_te.erl">>,
  <<"src/cow_mimetypes.erl">>,<<"src/cow_mimetypes.erl.src">>,
  <<"src/cow_multipart.erl">>,<<"src/cow_qs.erl">>,<<"src/cow_spdy.erl">>,
  <<"src/cow_spdy.hrl">>,<<"src/cowlib.app.src">>,
  <<"include/cow_inline.hrl">>,<<"README.md">>,<<"LICENSE">>,<<"Makefile">>,
  <<"erlang.mk">>]}.
{<<"licenses">>,[<<"ISC">>]}.
{<<"links">>,[{<<"GitHub">>,<<"https://github.com/ninenines/cowlib">>}]}.
{<<"maintainers">>,[<<"Loïc Hoguin"/utf8>>]}.
{<<"name">>,<<"cowlib">>}.
{<<"requirements">>,[]}.
{<<"version">>,<<"1.0.2">>}.
```





--
Eric Meadows-Jönsson
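One way to build the task proposed at the top of the thread on the `hex_metadata.config` file Eric describes, as an added example that is neither the proposal author's work-in-progress nor part of Hex or Elixir. It assumes Hex writes `hex_metadata.config` into each fetched dependency's directory under `deps/`. Because that file is plain Erlang terms, `:file.consult/1` parses it as data; the `mix.exs`-based approach in the original output has to evaluate each dependency's project file, which is where the `String.strip/1` deprecation warnings came from and which runs code you are about to review. The example also deduplicates the per-dependency entries that the original output repeated, and reports an empty or missing `licenses` field as undefined so it stands out in review.

```elixir
defmodule Mix.Tasks.Deps.Licenses do
  @moduledoc """
  Lists the licenses declared by each fetched Hex dependency.

  Added example for this thread, not the proposal author's code. It reads
  deps/<name>/hex_metadata.config (assumed location) instead of evaluating
  each dependency's mix.exs.
  """
  use Mix.Task

  @shortdoc "Lists dependency licenses from hex_metadata.config"

  @impl Mix.Task
  def run(_args) do
    Mix.Project.deps_path()
    |> collect_licenses()
    |> Enum.each(fn {app, licenses} ->
      Mix.shell().info("#{app}: #{format_licenses(licenses)}")
    end)
  end

  @doc """
  Returns a sorted list of {app_name, licenses} pairs, one per dependency
  directory that carries a hex_metadata.config file. Dependencies reached
  through several paths appear once.
  """
  def collect_licenses(deps_path) do
    deps_path
    |> Path.join("*/hex_metadata.config")
    |> Path.wildcard()
    |> Enum.map(&read_metadata/1)
    |> Enum.reject(&is_nil/1)
    |> Enum.uniq_by(fn {app, _licenses} -> app end)
    |> Enum.sort()
  end

  # hex_metadata.config is a file of Erlang terms. :file.consult/1 parses the
  # terms without evaluating any code, unlike loading the dependency's mix.exs.
  # Keys are binaries (<<"app">>, <<"licenses">>), which Elixir sees as strings.
  defp read_metadata(path) do
    case :file.consult(String.to_charlist(path)) do
      {:ok, terms} ->
        # Fall back to the directory name if the metadata has no "app" entry.
        default_app = path |> Path.dirname() |> Path.basename()
        app = :proplists.get_value("app", terms, default_app)
        licenses = :proplists.get_value("licenses", terms, [])
        {to_string(app), licenses}

      {:error, reason} ->
        # A file that cannot be parsed is worth knowing about during a review,
        # but should not abort the listing for every other dependency.
        Mix.shell().error("#{path}: could not read metadata (#{inspect(reason)})")
        nil
    end
  end

  # An empty or missing licenses list is the case a reviewer most needs to see.
  defp format_licenses([]), do: "license undefined"
  defp format_licenses(licenses), do: Enum.join(licenses, ", ")
end
```

Dropping this module into `lib/mix/tasks/deps.licenses.ex` of a project and running `mix deps.licenses` prints one `name: licenses` line per dependency. Dependencies that were not fetched from Hex (git or path deps) have no `hex_metadata.config` and are simply absent from the listing, so a review should still check that the printed set matches `mix deps`.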

Unnawut Leepaisalsuwanna

Dec 5, 2017, 11:22:24 AM
to elixir-l...@googlegroups.com
Hi everyone,

I got some requests to publish my work-in-progress since it's minimally working.


The code is far from professional, but until I get around to polishing that, I'm happy to accept any feedback so I can prioritize.

As per Eric's suggestion, I'll definitely implement the hex_metadata.config once it's released. Thanks for the suggestion!

Thanks all for the support!


