> See it in action here:
> https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved

Endless loading spinners for me unfortunately.

J

On Tue, 9 July 2019 at 08:30, Maxime Beauchemin <maximebeauche...@gmail.com> wrote:
>
> Hi all,
>
> [this is not a promotional email in any way, I'm not affiliated with the
> service/company discussed here]
>
> I just discovered fossa.com, self described as "Realtime license and
> vulnerability management for open source dependencies".
>
> For context, Apache Superset has a dependency tree rich of 700+ deps (crazy
> right?), at that scale license management is a huge burden at best, or worse:
> a legal risk for the ASF.
>
> Oh btw I tried searching the ASF mailing lists for existing threads on this
> topic but failed miserably, apologies if this has been discussed already.
>
> I couldn't set up the FOSSA service on the projects repo I'm PMC on as I
> don't have the required GitHub rights, but I set it up against my fork and
> it's all you could ever hope for in terms of license-related automation.
> See it in action here:
> https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved
>
> It seems like we may want to set this up against most if not all ASF
> projects. As the ASF is in the line of fire for legal troubles around
> licensing, it seems like automation/prevention would be strategic,
> especially in a world where micro packages and frequent releases are
> trending. Without using a service like this one, bumping a release, or even
> just allowing an open version range can result in integrating
> non-permissive licenses in a bundle, in ways that could take months to
> catch, if ever.
>
> For the record I opened a ticket with ASF infra to set it up on
> `apache/incubator-superset`:
> https://issues.apache.org/jira/browse/INFRA-18719
> I'm hoping this goes smoothly, and that Apache Infra is ok granting the
> required perms to FOSSA.
>
> I wanted to bring the attention to this as this seems like something very
> useful for most projects.
>
> Thoughts?
>
> Max