TLDR: Proposal of `mix deps.licenses` to list all dependencies' licenses for review, which can be very manually tedious but very important to do to stay legally safe.
-----

Oftentimes when developing an app, some new dependencies may be added/removed over time, and some dependencies change their licenses throughout their lives. Especially in a team setting where multiple people may add/remove dependencies from the project, we need to periodically review the licenses used by our dependencies to make sure we are not violating them. Currently this can be tedious work as the licenses are specified in their respective Mixfile, and one project may have dozens of dependencies. (Worse is that a lot of packages don't define their `Mix.Project.config.package.licenses`, but that's a separate concern.)

So I would like to propose a `mix deps.licenses` task that extracts `Mix.Project.config.package.licenses` from each dependency and outputs it on the command line. This would be similar to `composer licenses` in PHP <https://getcomposer.org/doc/03-cli.md#licenses>.

I tinkered a little with creating a simple mix task. This is the result I can extract using the `licenses` attribute:

```
$ mix deps.licenses
poolboy: license undefined
decimal: Apache 2.0
warning: String.strip/1 is deprecated, use String.trim/1
  /path/to/project/deps/poison/mix.exs:4

poison: CC0-1.0
elixir_make: Apache 2
bcrypt_elixir: BSD
db_connection: Apache 2.0
postgrex: Apache 2.0
ecto: Apache 2.0
ex_machina: MIT
connection: Apache 2.0
poolboy: license undefined
decimal: Apache 2.0
poison: CC0-1.0
elixir_make: Apache 2
bcrypt_elixir: BSD
db_connection: Apache 2.0
rabbit_common: license undefined
postgrex: Apache 2.0
ecto: Apache 2.0
connection: Apache 2.0
poolboy: license undefined
meck: license undefined
mock: MIT
decimal: Apache 2.0
poison: CC0-1.0
elixir_make: Apache 2
db_connection: Apache 2.0
postgrex: Apache 2.0
ecto: Apache 2.0
connection: Apache 2.0
ranch: license undefined
poolboy: license undefined
decimal: Apache 2.0
poison: CC0-1.0
elixir_make: Apache 2
db_connection: Apache 2.0
phoenix_pubsub: MIT
cowlib: license undefined
cowboy: license undefined
amqp_client: license undefined
amqp: MIT
mime: Apache 2
plug: Apache 2
phoenix: MIT
postgrex: Apache 2.0
ecto: Apache 2.0
```

Obviously there is more work to do: duplicate packages (packages having the same dependencies), warnings as a result of `Mix.Dep.in_dependency`. But let me know if this is worth adding (I think so!); I would be happy to continue working and submit a PR for this.
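One way the proposed task could be written, as an added example rather than the author's prototype (whose code is not in the post): it walks the public `Mix.Project.deps_paths/0` map, so each dependency is visited once and the duplicate lines above disappear, reads `package[:licenses]` through `Mix.Project.in_project/4` instead of `Mix.Dep.in_dependency`, and, where a dependency has no `mix.exs` (rebar packages such as cowboy or ranch), falls back to the `hex_metadata.config` file that Hex writes into each fetched package. The fallback file name and its `"licenses"` key are assumed from Hex's package layout.

```elixir
defmodule Mix.Tasks.Deps.Licenses do
  @moduledoc "Lists the license declared by each dependency, one line per package."
  use Mix.Task

  @shortdoc "Lists the licenses of all dependencies"

  @impl Mix.Task
  def run(_args) do
    # deps_paths/0 is a map of app => path, so every dependency appears once.
    Mix.Project.deps_paths()
    |> Enum.sort()
    |> Enum.each(fn {app, path} ->
      Mix.shell().info("#{app}: #{format(licenses_for(app, path))}")
    end)
  end

  # Prefer the licenses from the dependency's own mix.exs; otherwise consult the
  # hex_metadata.config that Hex leaves in the package directory (assumed layout).
  # Returns a list of license strings, or [] when nothing is declared.
  def licenses_for(app, path) do
    from_mixfile(app, path) || from_hex_metadata(path) || []
  end

  defp from_mixfile(app, path) do
    if File.exists?(Path.join(path, "mix.exs")) do
      # in_project/4 loads the dependency's mix.exs and runs the function with
      # that project's config pushed, so Mix.Project.config/0 is the dep's config.
      Mix.Project.in_project(app, path, fn _module ->
        get_in(Mix.Project.config(), [:package, :licenses])
      end)
    end
  end

  defp from_hex_metadata(path) do
    file = Path.join(path, "hex_metadata.config")

    # The file is a list of Erlang terms such as {<<"licenses">>, [<<"MIT">>]}.
    with true <- File.exists?(file),
         {:ok, terms} <- :file.consult(String.to_charlist(file)),
         {_, licenses} when is_list(licenses) <- List.keyfind(terms, "licenses", 0) do
      licenses
    else
      _ -> nil
    end
  end

  defp format([]), do: "license undefined"
  defp format(licenses), do: Enum.join(licenses, ", ")
end
```

Because `in_project/4` compiles each dependency's `mix.exs`, deprecation warnings emitted by those files (like the `String.strip/1` one above) still surface; they come from the dependency, not from the task.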
