On Thu, Feb 14, 2019 at 7:28 AM Tzu-ping Chung <uranu...@gmail.com> wrote:
> Incidentally, someone wondered about this exact same thing on distutils-sig
> just a couple of days ago:
>
> https://mail.python.org/archives/list/distutils-...@python.org/thread/WPQDP73N7IINXX36UAOG7YDYHD7MYU4X/
>
> (Maybe this is not a sign that *something* needs to be done? I don’t know.)
>
> IANAL, but I believe licensing wouldn’t be an issue if the data is accessed
> strictly via the safety tool[1], which is in MIT. Folks at PyUp are also good
> people from what I can tell; I think they’d be willing to help if we decide we
> want to use that.
>

My interactions with them have also been positive. Plus I would assume pypi.org would give them credit, which is plenty of free advertising. :)

-Brett

>
> [1]: https://pypi.org/project/safety/
>
>
> On Thursday, February 14, 2019 at 7:59:05 AM UTC+8, Jeremy Stanley wrote:
>>
>> On 2019-02-13 18:45:57 -0500 (-0500), Alex deVries wrote:
>> > Could Pyup's safety be that standardized tool? It's dead simple to
>> > run. The tools I put together install a package which recursively
>> > installs the dependencies, then dumps the list of installed
>> > packages through safety, which generates a report.
>> >
>> > But another part of this is a policy on what to do with the output
>> > of that tool.
>> [...]
>>
>> Their dataset is not free/libre open source (it's cc-by-NC), so
>> unlikely unless they alter their business model by freeing the data
>> or someone invests in maintaining an alternative data source under
>> an actual free license:
>>
>> https://github.com/pyupio/safety-db/blob/master/LICENSE.txt
>>
>> --
>> Jeremy Stanley
>>
>
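The step Alex deVries describes above (dump the installed packages and run them through safety, which matches each pinned version against the advisory database) can be sketched offline so the matching logic is visible. The block below is example code added to this thread, not PyUp's code and not the safety tool itself: it takes `pip freeze`-style output and a database laid out the way I recall safety-db's insecure_full.json (package name mapped to a list of advisories, each with a `specs` list of PEP 440 specifiers; that layout is an assumption here), and reports every installed version that falls inside an advisory's specs. The database entries and advisory ids are constructed sample data, not real advisories, and version handling is limited to plain numeric dotted versions; a real tool would use the `packaging` module for full PEP 440 semantics.

```python
"""Offline sketch of the check `safety` performs: compare installed pins
against a vulnerability database in the shape of insecure_full.json.
Example code, not PyUp's implementation; all data below is constructed."""

import json
import re

# Constructed sample in the assumed layout of safety-db's insecure_full.json.
# The package names, advisories and ids are made up for illustration.
SAMPLE_DB_JSON = json.dumps({
    "$meta": {"advisory": "constructed sample, not real data"},
    "examplepkg": [
        {"advisory": "Example advisory affecting 1.x releases before 1.4.2",
         "cve": None, "id": "example-0001",
         "specs": [">=1.0,<1.4.2"], "v": ">=1.0,<1.4.2"},
        {"advisory": "Example advisory for every release below 0.9",
         "cve": None, "id": "example-0002",
         "specs": ["<0.9"], "v": "<0.9"},
    ],
    "otherlib": [
        {"advisory": "Example advisory pinned to one exact release",
         "cve": None, "id": "example-0003",
         "specs": ["==2.0.0"], "v": "==2.0.0"},
    ],
})

# Constructed `pip freeze` output for the environment being checked.
SAMPLE_FREEZE = """\
examplepkg==1.3.0
otherlib==2.0.1
safe-one==3.1
"""

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)$")


def version_key(version: str) -> tuple:
    """Numeric dotted versions only: '1.4.2' -> (1, 4, 2). Trailing zeros are
    dropped so that 1.4 compares equal to 1.4.0. Pre-release and local tags
    are out of scope for this sketch (use `packaging` for those)."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def normalize_name(name: str) -> str:
    """PEP 503 normalization so Foo_Bar, foo-bar and foo.bar all match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def spec_matches(spec: str, version: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`."""
    v = version_key(version)
    for clause in spec.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](v, version_key(bound)):
            return False
    return True


def parse_freeze(text: str) -> dict:
    """Turn `pip freeze` output into {normalized name: version}. Lines that
    are not exact pins (editable installs, comments) are skipped."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[normalize_name(name)] = version.strip()
    return installed


def check(freeze_text: str, db_json: str) -> list:
    """Return [(package, installed_version, advisory_id, advisory)] for every
    installed package whose version falls inside any advisory's specs."""
    installed = parse_freeze(freeze_text)
    db = json.loads(db_json)
    hits = []
    for pkg, advisories in db.items():
        if pkg.startswith("$"):          # skip the "$meta" header entry
            continue
        version = installed.get(normalize_name(pkg))
        if version is None:
            continue
        for adv in advisories:
            if any(spec_matches(s, version) for s in adv["specs"]):
                hits.append((pkg, version, adv["id"], adv["advisory"]))
    return hits


if __name__ == "__main__":
    for pkg, version, adv_id, advisory in check(SAMPLE_FREEZE, SAMPLE_DB_JSON):
        print("%s %s: %s (%s)" % (pkg, version, adv_id, advisory))
```

With the constructed data, only examplepkg 1.3.0 is reported (it sits inside `>=1.0,<1.4.2`); otherlib 2.0.1 is outside the exact `==2.0.0` pin, and safe-one has no entry at all. Note that this is only the matching half of the procedure Alex describes; installing the package into a fresh virtualenv to materialize its transitive dependencies, and deciding what to do with the report, are left to the surrounding tooling and policy.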