Thanks Julian, I manually checked the top-level dependencies by hand this time around, but I am also aware of other tools that can list the license of all installed packages so maybe I can work that into a checker script.
I'll mirror the question to general@

On 2024/01/09 19:09:50 Julian Hyde wrote:
> I don’t have a good answer to that. In the java world, we use maven or gradle, and there may be plugins to assert that the license is acceptable for an ASF project (and remains acceptable each time the dependency is upgraded), but I’m not fully aware of those plugins. For other languages my knowledge is near zero.
>
> This would be a good question to ask on the incubator list.
>
> Julian
>
>> On Jan 9, 2024, at 10:11 AM, Riley Kuttruff <r...@apache.org> wrote:
>>
>> I was performing a more thorough check of our dependencies in preparation of opening graduation discussions with the Incubator PMC and found at least one package that, while not directly used in the code, is installed as a dependency of multiple top-level dependencies that is LGPL licensed. The dependencies that rely on this are themselves not a license issue (BSD-3 & MIT licenses). How is this situation usually handled?
>>
>> I also found a package that has a license that isn't listed on the 3rd party licenses page: HPND [1][2] which, from what I can tell, is similar to the BSD-3 or MIT licenses, though I just wanted to double-check on that...
>>
>> [1] https://github.com/python-pillow/Pillow/blob/main/LICENSE
>> [2] https://en.wikipedia.org/wiki/Historical_Permission_Notice_and_Disclaimer
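As an added example (not code from this thread or from the project), here is the kind of checker script mentioned above: it reads the license metadata of every installed distribution with importlib.metadata and flags anything that is not on an allowlist. The CATEGORY_A / CATEGORY_X patterns are an assumed approximation of the ASF third-party license categories, not the policy itself, and the sample records are constructed.

```python
"""Flag licenses of installed Python distributions for an ASF-style review."""
from email.message import Message
from importlib import metadata
import re

# Assumed patterns (not the official ASF lists): A = allowed, X = GPL family.
CATEGORY_A = [r"\bMIT\b", r"\bBSD\b", r"\bApache\b", r"\bISC\b", r"\bPSF\b"]
CATEGORY_X = [r"\bAGPL\b", r"\bLGPL\b", r"\bGPL\b", r"Lesser General Public"]


def license_hints(meta):
    """Collect every license hint (License fields and classifiers) from one record."""
    hints = []
    for key in ("License-Expression", "License"):
        val = (meta.get(key) or "").strip()
        if val and val.upper() != "UNKNOWN":
            hints.append(val)
    hints += [c for c in (meta.get_all("Classifier") or []) if c.startswith("License ::")]
    return hints


def classify(hints):
    """'X' if any deny pattern matches (deny wins on dual licensing), 'A' if an
    allow pattern matches, else 'unknown' (e.g. HPND, which needs a human review)."""
    text = " | ".join(hints)
    if any(re.search(p, text) for p in CATEGORY_X):
        return "X"
    if any(re.search(p, text) for p in CATEGORY_A):
        return "A"
    return "unknown"


def review(metas):
    """Map distribution name -> (category, hints) for a list of metadata records."""
    return {m["Name"]: (classify(license_hints(m)), license_hints(m)) for m in metas}


def review_installed():
    """Same review over every distribution installed in this interpreter."""
    return review([d.metadata for d in metadata.distributions()])


def constructed_sample():
    """Three constructed records modelled on real PyPI classifier strings."""
    rows = [("pillow-like", "HPND", "License :: OSI Approved :: Historical Permission Notice and Disclaimer (HPND)"),
            ("transitive-lgpl", "LGPL-2.1", "License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)"),
            ("mit-top-level", "MIT", "License :: OSI Approved :: MIT License")]
    metas = []
    for name, lic, classifier in rows:
        m = Message()  # same mapping interface as importlib.metadata records
        m["Name"], m["License"], m["Classifier"] = name, lic, classifier
        metas.append(m)
    return metas


if __name__ == "__main__":
    for name, (cat, hints) in sorted(review_installed().items()):
        if cat != "A":  # only X and unknown entries need a human to look at them
            print(f"{cat:8} {name}: {hints or 'no license metadata'}")
```

Run it inside the project's virtual environment so the report covers the transitive dependencies actually installed, not just the top-level ones.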