So Daffodil, which is an Apache project built with sbt, uses Apache RAT via sbt in order to check for problematic licenses; see https://github.com/Apache/daffodil#license-check. I think we can just copy them.

For SBOM, this is already covered in Pekko (this was carried over from Akka)

On Wed, Feb 8, 2023 at 4:29 PM Josep Prat <[email protected]> wrote:

> Hi there,
>
> FOSSA is usually used for a couple of things. One is the one you already
> assumed (check for problematic licenses). The other is to generate an SBOM.
> AFAIR, Akka was using an sbt plugin to generate the SBOM. So the license
> checker would be the feature we are interested in.
>
> Best,
>
> On 2023/02/08 16:04 CET PJ Fanning <[email protected]> wrote:
> >
> > Hi everyone,
> >
> > Is anyone familiar with the Fossa checks in the Akka CI builds? We've
> > disabled them in Pekko builds because we don't have API keys setup as
> > repository secrets.
> >
> > ASF requires us to check for problematic licenses in our dependencies
> > [1]. I'm making assumptions but I presume that this is what the Fossa check
> > is doing. If there is anyone who can correct me, that would be great.
> >
> > If this check does indeed make useful checks for annoying licenses, then
> > I'll see about getting the INFRA team to get an API key from Fossa and set
> > it up as a Repository secret for us.
> >
> > Regards,
> > PJ
> >
> > [1] https://www.apache.org/legal/resolved.html
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]

--
Matthew de Detrich
*Aiven Deutschland GmbH*
Immanuelkirchstraße 26, 10405 Berlin
Amtsgericht Charlottenburg, HRB 209739 B
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
*m:* +491603708037
*w:* aiven.io
*e:* [email protected]
