#8386 review licenses of python dependencies

v1.13.0
closed
General
nobody
2021-09-10
2021-03-26
No

I came across https://pypi.org/project/liccheck/ and thought we should see what it reports for Allura. With a .ini file like

[Licenses]
authorized_licenses:
        bsd
        new bsd
        bsd license
        new bsd license
        simplified bsd
        apache
        apache 2.0
        apache software license
        Apache Software
        mit
        mit license
        python software foundation license

output is:

$ liccheck -r requirements.txt -s lic.ini
gathering licenses...
94 packages and dependencies.
check authorized packages...
81 packages.
check unknown packages...
13 packages.
    certifi (2019.6.16): ['MPL-2.0', 'Mozilla Public License 2.0 (MPL 2.0)']
      dependencies:
          certifi << requests << pysolr
          certifi << requests << requests-oauthlib
    chardet (3.0.4): ['GNU Library or Lesser General Public License (LGPL)', 'LGPL']
      dependencies:
          chardet << requests << pysolr
          chardet << requests << requests-oauthlib
    colander (1.7.0): ['BSD-derived (http://www.repoze.org/LICENSE.txt)']
      dependency:
          colander
    feedparser (5.2.1): UNKNOWN
      dependency:
          feedparser
    ipaddress (1.0.22): ['Python Software Foundation']
      dependency:
          ipaddress
    nose (1.3.7): ['GNU LGPL', 'GNU Library or Lesser General Public License (LGPL)']
      dependency:
          nose
    pexpect (4.7.0): ['ISC', 'ISC License (ISCL)']
      dependency:
          pexpect << ipython
    Pillow (6.2.2): ['Historical Permission Notice and Disclaimer (HPND)', 'HPND']
      dependency:
          Pillow
    ptyprocess (0.6.0): ['ISC License (ISCL)']
      dependency:
          ptyprocess << pexpect << ipython
    repoze.lru (0.7): ['BSD-derived (http://www.repoze.org/LICENSE.txt)']
      dependency:
          repoze.lru << TurboGears2
    simplegeneric (0.8.1): ['ZPL 2.1', 'Zope Public']
      dependency:
          simplegeneric << ipython
    translationstring (1.3): ['BSD-like (http://repoze.org/license.html)']
      dependency:
          translationstring << colander
    waitress (1.4.3): ['ZPL 2.1', 'Zope Public']
      dependency:
          waitress << WebTest

Related

Tickets: #8396

Discussion

  • Dave Brondsema

    Dave Brondsema - 2021-05-03
    • status: open --> review
    • assigned_to: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2021-05-03

    allura,forgehg,forgepastebin:db/8386

    • With chardet uninstalled you should still be able to run Allura, paster commands, tests, etc.
    • With nose uninstalled you should still be able to run Allura (but not run tests of course - later we can switch to pytest [#8387])
     

    Related

    Tickets: #8387

  • Dave Brondsema

    Dave Brondsema - 2021-05-04
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -74,6 +74,7 @@
         - chardet won&#39;t change their license: https://github.com/chardet/chardet/issues/36
         - alternatives: https://github.com/Ousret/charset_normalizer or https://github.com/PyYoshi/cChardet (MPL multi licensed? https://github.com/PyYoshi/cChardet/issues/54)
         - another ASF project has discussed a bit at https://github.com/apache/airflow/issues/10667
    +    - latest: https://github.com/psf/requests/pull/5797
     - `nose` LGPL is not good
         - it is mostly a test runner, but we do import &#39;nose&#39; modules within our tests
         - should switch to `pytest` anyway since nose isn&#39;t maintained
    
     
  • Kenton Taylor

    Kenton Taylor - 2021-05-05
    • status: review --> closed
     
  • Dave Brondsema

    Dave Brondsema - 2021-05-17
    • Milestone: unreleased --> v1.13.0
     
  • Dave Brondsema

    Dave Brondsema - 2021-09-10
    • labels: asf --> asf, licensing
     

Log in to post a comment.