Hi, I agree such a Mix task can be useful but I don't see a reason for it to be included as part of Elixir. So please do release it as a separate project that folks can bring into their application as necessary. Thank you!
*José Valim*
*www.plataformatec.com.br <http://www.plataformatec.com.br/>*
*Founder and Director of R&D*

On Fri, Nov 10, 2017 at 4:37 AM, <[email protected]> wrote:

> TLDR: Proposal of `mix deps.licenses` to list all dependencies' licenses for review, which can be very manually tedious but very important to do to stay legally safe.
>
> -----
>
> Oftentimes when developing an app, some new dependencies may be added/removed over time, and some dependencies change their licenses throughout their lives.
>
> Especially in a team setting where multiple people may add/remove dependencies from the project, we need to periodically review the licenses used by our dependencies to make sure we are not violating them. Currently this can be tedious work as the licenses are specified in their respective Mixfile, and one project may have dozens of dependencies. (Worse is that a lot of packages don't define their `Mix.Project.config.package.licenses`, but that's a separate concern).
>
> So I would like to propose a `mix deps.licenses` task that extracts `Mix.Project.config.package.licenses` from each dependency and outputs it on the command line. This would be similar to `composer licenses` in PHP <https://getcomposer.org/doc/03-cli.md#licenses>.
>
> I tinkered a little with creating a simple mix task. This is the result I can extract using the `licenses` attribute:
>
> ```
> $ mix deps.licenses
>
> poolboy: license undefined
> decimal: Apache 2.0
> warning: String.strip/1 is deprecated, use String.trim/1
>   /path/to/project/deps/poison/mix.exs:4
>
> poison: CC0-1.0
> elixir_make: Apache 2
> bcrypt_elixir: BSD
> db_connection: Apache 2.0
> postgrex: Apache 2.0
> ecto: Apache 2.0
> ex_machina: MIT
> connection: Apache 2.0
> poolboy: license undefined
> decimal: Apache 2.0
> poison: CC0-1.0
> elixir_make: Apache 2
> bcrypt_elixir: BSD
> db_connection: Apache 2.0
> rabbit_common: license undefined
> postgrex: Apache 2.0
> ecto: Apache 2.0
> connection: Apache 2.0
> poolboy: license undefined
> meck: license undefined
> mock: MIT
> decimal: Apache 2.0
> poison: CC0-1.0
> elixir_make: Apache 2
> db_connection: Apache 2.0
> postgrex: Apache 2.0
> ecto: Apache 2.0
> connection: Apache 2.0
> ranch: license undefined
> poolboy: license undefined
> decimal: Apache 2.0
> poison: CC0-1.0
> elixir_make: Apache 2
> db_connection: Apache 2.0
> phoenix_pubsub: MIT
> cowlib: license undefined
> cowboy: license undefined
> amqp_client: license undefined
> amqp: MIT
> mime: Apache 2
> plug: Apache 2
> phoenix: MIT
> postgrex: Apache 2.0
> ecto: Apache 2.0
> ```
>
> Obviously there is more work to do: duplicate packages (packages having the same dependencies), warnings as a result of `Mix.Dep.in_dependency`. But let me know if this is worth adding (I think so!), I would be happy to continue working and submit a PR for this.
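One way to write the task proposed in the quoted message, as an added example that is not the poster's code and not part of Elixir. It iterates `Mix.Project.deps_paths/0`, so a package shared by several dependencies is listed once, and it assumes dependencies have already been fetched with `mix deps.get`; the `--strict` option is invented for this example.

```elixir
# Added example. In a project, save as lib/mix/tasks/deps.licenses.ex.
defmodule Mix.Tasks.Deps.Licenses do
  use Mix.Task

  @shortdoc "Lists the licenses declared by each dependency"

  def run(args) do
    # --strict is a hypothetical option: fail instead of warn on missing licenses.
    {opts, _rest, _invalid} = OptionParser.parse(args, strict: [strict: :boolean])

    # deps_paths/0 returns a map keyed by app name, which removes the
    # duplicate rows produced by walking each dependency's own dependencies.
    rows =
      Mix.Project.deps_paths()
      |> Enum.sort()
      |> Enum.map(fn {app, path} -> {app, declared_licenses(app, path)} end)

    Enum.each(rows, fn {app, licenses} ->
      Mix.shell().info("#{app}: #{format(licenses)}")
    end)

    # Dependencies with no declared license need manual review.
    undefined = for {app, []} <- rows, do: app

    if undefined != [] do
      message =
        "#{length(undefined)} dependencies declare no license: " <>
          Enum.join(undefined, ", ")

      if opts[:strict], do: Mix.raise(message), else: Mix.shell().error(message)
    end
  end

  # Loads the dependency's mix.exs and reads package.licenses from its config.
  # Loading evaluates that file, so its compile warnings still reach the
  # terminal. Dependencies without a mix.exs (rebar projects, for example)
  # or without a :package entry yield an empty list.
  defp declared_licenses(app, path) do
    Mix.Project.in_project(app, path, fn _module ->
      Mix.Project.config() |> get_in([:package, :licenses]) |> List.wrap()
    end)
  end

  defp format([]), do: "license undefined"
  defp format(licenses), do: Enum.join(licenses, ", ")
end
```

Running `mix deps.licenses --strict` in CI turns an undeclared license into a failed build, so a newly added dependency cannot skip review.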
