I don’t have a good answer to that. In the Java world, we use Maven or Gradle, 
and there may be plugins to assert that the license is acceptable for an ASF 
project (and remains acceptable each time the dependency is upgraded), but I’m 
not fully aware of those plugins. For other languages my knowledge is near zero.

This would be a good question to ask on the incubator list.

Julian


> On Jan 9, 2024, at 10:11 AM, Riley Kuttruff <r...@apache.org> wrote:
> 
> I was performing a more thorough check of our dependencies in preparation of 
> opening graduation discussions with the Incubator PMC and found at least one 
> package that, while not directly used in the code, is installed as a 
> dependency of multiple top-level dependencies that is LGPL licensed. The 
> dependencies that rely on this are themselves not a license issue (BSD-3 & 
> MIT licenses). How is this situation usually handled? 
> 
> I also found a package that has a license that isn't listed on the 3rd party 
> licenses page: HPND [1][2] which, from what I can tell, is similar to the 
> BSD-3 or MIT licenses, though I just wanted to double-check on that...
> 
> [1] https://github.com/python-pillow/Pillow/blob/main/LICENSE
> [2] https://en.wikipedia.org/wiki/Historical_Permission_Notice_and_Disclaimer

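To make the build-time check Julian describes concrete for a Python project like the one in Riley's question, here is an added example that is not code from either message or from the project under discussion. It walks a dependency graph, records every chain that pulls in each package, and classifies each package's license against an allowlist, so a transitively installed LGPL package is reported together with the top-level (BSD/MIT) dependencies responsible for it. The sample graph (package names alpha, beta, gamma, delta) is constructed, the ALLOWED and NEEDS_REVIEW sets are a hypothetical policy and not the ASF third-party license page, and load_installed is a helper written for this example.

```python
"""Transitive dependency license audit (added example, not from the thread)."""
import re
from collections import defaultdict
from importlib import metadata

# Constructed sample metadata: name -> (license id, [direct requirements]).
# Not the real dependency graph of any project; mirrors the thread's situation:
# two permissively licensed top-level deps both pull in one LGPL package.
SAMPLE_PACKAGES = {
    "myproject": ("Apache-2.0", ["alpha", "beta", "pillow"]),
    "alpha": ("BSD-3-Clause", ["gamma"]),
    "beta": ("MIT", ["gamma", "delta"]),
    "gamma": ("LGPL-2.1", []),
    "delta": ("MIT", []),
    "pillow": ("HPND", []),
}

# Hypothetical policy (assumption, not the ASF category lists): accepted outright,
# and licenses that are reported for a human decision but do not fail the build.
ALLOWED = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "PSF-2.0"}
NEEDS_REVIEW = {"HPND", "MPL-2.0"}


def find_paths(root, packages):
    """Return {package: [chain, ...]} with every dependency chain from root.
    The current chain doubles as the visited set, so cycles cannot recurse forever."""
    paths = defaultdict(list)

    def visit(name, chain):
        chain = chain + (name,)
        for dep in packages.get(name, ("UNKNOWN", []))[1]:
            if dep in chain:
                continue  # cycle guard
            paths[dep].append(chain + (dep,))
            visit(dep, chain)

    visit(root, ())
    return dict(paths)


def classify(license_id, allowed, review):
    if license_id in allowed:
        return "ok"
    if license_id in review:
        return "review"
    return "deny"  # unknown or forbidden: fail closed


def audit(root, packages, allowed=ALLOWED, review=NEEDS_REVIEW):
    """Findings for every transitive dependency whose license is not allowed.
    'via' names the top-level dependencies that pull it in (a direct dependency
    names itself); 'chains' gives the full paths for the report."""
    findings = []
    for dep, chains in sorted(find_paths(root, packages).items()):
        license_id = packages.get(dep, ("UNKNOWN", []))[0]
        status = classify(license_id, allowed, review)
        if status == "ok":
            continue
        findings.append({
            "package": dep, "license": license_id, "status": status,
            "via": sorted({chain[1] for chain in chains}),
            "chains": [" -> ".join(chain) for chain in chains],
        })
    return findings


def exit_code(findings):
    """Non-zero on any denied license, so a CI job re-run on each upgrade fails
    when a forbidden package appears; 'review' items are reported only."""
    return 1 if any(f["status"] == "deny" for f in findings) else 0


_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()


def load_installed():
    """Build the same {name: (license, [requires])} map from the packages installed
    in the current interpreter. Caveat: the License field is frequently empty or
    free text; a real audit should also read the 'License ::' classifiers."""
    packages = {}
    for dist in metadata.distributions():
        name = _norm(dist.metadata["Name"])
        lic = (dist.metadata.get("License") or "UNKNOWN").strip()
        reqs = []
        for req in dist.requires or []:
            if "extra ==" in req:
                continue  # optional extras are not installed by default
            m = _NAME_RE.match(req)
            if m:
                reqs.append(_norm(m.group(0)))
        packages[name] = (lic, reqs)
    return packages


if __name__ == "__main__":
    import sys
    results = audit("myproject", SAMPLE_PACKAGES)
    for f in results:
        print(f"{f['status'].upper():6} {f['package']} ({f['license']}) via {', '.join(f['via'])}")
        for chain in f["chains"]:
            print("       ", chain)
    sys.exit(exit_code(results))
```

On the sample graph the run reports gamma (LGPL-2.1) as denied via both alpha and beta, and pillow (HPND) as needing review, and exits non-zero; swapping SAMPLE_PACKAGES for load_installed() runs the same check against a real virtualenv. Unknown licenses are denied rather than ignored, which is the safer default for a check that is supposed to catch a newly introduced dependency on upgrade.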