janhoy opened a new issue, #9: URL: https://github.com/apache/solr-orbit/issues/9
## Summary

Add [`liccheck`](https://github.com/dhatim/python-liccheck) with an authorised-license allowlist in `setup.cfg` so that CI fails if any (transitive) Python dependency carries an unapproved license (e.g. GPL, LGPL, or ASF Category X licenses).

## Motivation

- Apache Superset uses `liccheck` to automatically flag problematic transitive deps
- Known issue: `certifi` is MPL-2.0 (ASF Category B — allowed with attribution, not bundled); liccheck will surface this and similar cases
- Avoids manual license audits when adding or upgrading dependencies

## Proposed changes

1. Add `[liccheck]` section to `setup.cfg` (or a `liccheck.ini`) with:
   - `authorized_licenses` allowlist (Apache-2.0, MIT, BSD-*, ISC, Python-2.0, …)
   - `unauthorized_licenses` blocklist (GPL, LGPL, AGPL, …)
2. Add `liccheck` to dev/CI dependencies
3. Add `make liccheck` target
4. Integrate into CI pipeline (fail on unapproved licenses)
5. Document in `DEVELOPER_GUIDE.md`

## References

- https://github.com/dhatim/python-liccheck
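A worked `setup.cfg` fragment for the proposed changes above, added here as an illustration; it is not code from the solr-orbit repository or from the liccheck project. It uses the `[Liccheck]` section spelling and the `authorized_licenses` / `unauthorized_licenses` / `[Authorized Packages]` keys from the liccheck README; liccheck matches these strings case-insensitively against each installed package's license metadata and classifiers, which is why both short and long forms of a license name appear. The `certifi` package allowlist entry and its version constraint are assumptions chosen for this example, so that an ASF Category B dependency is approved explicitly per package rather than by blanket-approving MPL.

```ini
# setup.cfg (excerpt) - example configuration for liccheck, not the project's own file.
# License strings are compared case-insensitively against the package's
# "License" metadata field and its "License :: ..." classifiers.
[Liccheck]
authorized_licenses:
    # ASF Category A licenses (may be bundled in an Apache release)
    apache
    apache 2.0
    apache-2.0
    apache software license
    mit
    mit license
    bsd
    bsd license
    new bsd
    new bsd license
    simplified bsd
    bsd-3-clause
    bsd-2-clause
    isc
    isc license
    isc license (iscl)
    python software foundation license
    python-2.0
    zpl 2.1
unauthorized_licenses:
    # ASF Category X licenses: fail the build if any (transitive) dep carries one
    gpl
    gpl v2
    gpl v3
    gnu general public license
    lgpl
    gnu lgpl
    gnu lesser general public license
    agpl
    gnu affero general public license

# ASF Category B exceptions are approved per package, not per license, so that
# each one is a deliberate, reviewable decision with its own attribution note.
# (Package name and version constraint below are assumptions for this example.)
[Authorized Packages]
certifi: >=2023.0.0
```

With `liccheck` installed as a dev dependency, the `make liccheck` target and the CI step can both run `liccheck -s setup.cfg -r requirements.txt`; the tool exits non-zero when a dependency's license is in `unauthorized_licenses` or in neither list, which is what makes the CI gate fail closed rather than silently admitting an unknown license.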
