If you wait for the next Hex release we have added the hex_metadata.config
file so you can read metadata of all fetched Hex packages, including Erlang
projects, without having to read mix.exs.

This is the PR that adds it: https://github.com/hexpm/hex/pull/433.

Here is an example of the contents of the hex_metadata.config file:

{<<"app">>,<<"cowlib">>}.
{<<"build_tools">>,[<<"make">>]}.
{<<"description">>,<<"Support library for manipulating Web protocols.">>}.
{<<"files">>,
 [<<"src/cow_cookie.erl">>,<<"src/cow_date.erl">>,<<"src/cow_http.erl">>,
  <<"src/cow_http_hd.erl">>,<<"src/cow_http_te.erl">>,
  <<"src/cow_mimetypes.erl">>,<<"src/cow_mimetypes.erl.src">>,
  <<"src/cow_multipart.erl">>,<<"src/cow_qs.erl">>,<<"src/cow_spdy.erl">>,
  <<"src/cow_spdy.hrl">>,<<"src/cowlib.app.src">>,
  <<"include/cow_inline.hrl">>,<<"README.md">>,<<"LICENSE">>,<<"Makefile">>,
  <<"erlang.mk">>]}.
{<<"licenses">>,[<<"ISC">>]}.
{<<"links">>,[{<<"GitHub">>,<<"https://github.com/ninenines/cowlib">>}]}.
{<<"maintainers">>,[<<"Loïc Hoguin"/utf8>>]}.
{<<"name">>,<<"cowlib">>}.
{<<"requirements">>,[]}.
{<<"version">>,<<"1.0.2">>}.

On Fri, Nov 10, 2017 at 9:06 AM, Unnawut Leepaisalsuwanna <
[email protected]> wrote:

> Sure thing. Thanks!
>
> On Fri, Nov 10, 2017 at 2:00 PM, José Valim <[email protected]> wrote:
>
>> Hi, I agree such a Mix task can be useful but I don't see a reason for it
>> to be included as part of Elixir. So please do release it as a separate
>> project that folks can bring into their application as necessary. Thank you!
>>
>>
>>
>> *José Valim*
>> www.plataformatec.com.br <http://www.plataformatec.com.br/>
>> *Founder and Director of R&D*
>>
>> On Fri, Nov 10, 2017 at 4:37 AM, <[email protected]> wrote:
>>
>>> TLDR: Proposal of `mix deps.licenses` to list all dependencies' licenses
>>> for review, which can be very manually tedious but very important to do to
>>> stay legally safe.
>>>
>>> -----
>>>
>>> Often times when developing an app, some new dependencies may be
>>> added/removed over time, some dependencies change their licenses throughout
>>> their lives.
>>>
>>> Especially in a team setting where multiple people may add/remove
>>> dependencies from the project, we need to periodically review the licenses
>>> used by our dependencies to make sure we are not violating them. Currently
>>> this can be tedious work as the licenses are specified in their respective
>>> Mixfile, and one project may have dozens of dependencies. (Worse is that a
>>> lot of packages don't define their `Mix.Project.config.package.licenses`,
>>> but that's a separate concern).
>>>
>>> So I would like to propose a `mix deps.licenses` task that extracts
>>> `Mix.Project.config.package.licenses` from each dependency and outputs
>>> it on the command line. This would be similar to `composer licenses` in PHP
>>> <https://getcomposer.org/doc/03-cli.md#licenses>.
>>>
>>> I tinkered a little with creating a simple mix task. This is the result
>>> I can extract using the `licenses` attribute:
>>>
>>> ```
>>> $ mix deps.licenses
>>>
>>> poolboy: license undefined
>>> decimal: Apache 2.0
>>> warning: String.strip/1 is deprecated, use String.trim/1
>>>   /path/to/project/deps/poison/mix.exs:4
>>>
>>> poison: CC0-1.0
>>> elixir_make: Apache 2
>>> bcrypt_elixir: BSD
>>> db_connection: Apache 2.0
>>> postgrex: Apache 2.0
>>> ecto: Apache 2.0
>>> ex_machina: MIT
>>> connection: Apache 2.0
>>> poolboy: license undefined
>>> decimal: Apache 2.0
>>> poison: CC0-1.0
>>> elixir_make: Apache 2
>>> bcrypt_elixir: BSD
>>> db_connection: Apache 2.0
>>> rabbit_common: license undefined
>>> postgrex: Apache 2.0
>>> ecto: Apache 2.0
>>> connection: Apache 2.0
>>> poolboy: license undefined
>>> meck: license undefined
>>> mock: MIT
>>> decimal: Apache 2.0
>>> poison: CC0-1.0
>>> elixir_make: Apache 2
>>> db_connection: Apache 2.0
>>> postgrex: Apache 2.0
>>> ecto: Apache 2.0
>>> connection: Apache 2.0
>>> ranch: license undefined
>>> poolboy: license undefined
>>> decimal: Apache 2.0
>>> poison: CC0-1.0
>>> elixir_make: Apache 2
>>> db_connection: Apache 2.0
>>> phoenix_pubsub: MIT
>>> cowlib: license undefined
>>> cowboy: license undefined
>>> amqp_client: license undefined
>>> amqp: MIT
>>> mime: Apache 2
>>> plug: Apache 2
>>> phoenix: MIT
>>> postgrex: Apache 2.0
>>> ecto: Apache 2.0
>>> ```
>>>
>>> Obviously there is more work to do: duplicate packages (packages having
>>> same dependencies), warnings as a result of `Mix.Dep.in_dependency`. But
>>> let me know if this is worth adding (I think so!), would be happy to continue
>>> working and submit a PR for this.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "elixir-lang-core" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/elixir-lang-core/401033dd-db2f-4e5f-8935-4df9cee196e9%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>



-- 
Eric Meadows-Jönsson
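
A sketch of the license listing the thread asks for, built on the hex_metadata.config file described above. This is an added example, not code from Hex, Mix or anyone in the thread. It assumes the file sits at deps/<package>/hex_metadata.config; the `DepsLicenses` module, the allowlist and the two sample packages are constructed for illustration.

```elixir
defmodule DepsLicenses do
  # Hypothetical helper module, not part of Mix or Hex.

  # Parse one hex_metadata.config: a file of Erlang terms, each ending in ".".
  def read(path) do
    fallback = Path.basename(Path.dirname(path))

    case :file.consult(String.to_charlist(path)) do
      {:ok, terms} ->
        meta = for {key, value} <- terms, into: %{}, do: {key, value}
        {meta["name"] || fallback, meta["licenses"] || []}

      {:error, _reason} ->
        # Unreadable or malformed metadata is treated as "no license declared".
        {fallback, []}
    end
  end

  # One {name, licenses} entry per package directory, so no duplicates.
  def list(deps_dir) do
    Path.join(deps_dir, "*/hex_metadata.config")
    |> Path.wildcard()
    |> Enum.map(&read/1)
    |> Enum.sort()
  end

  # Packages with no declared license, or with a license outside the allowlist.
  def review(entries, allowed) do
    Enum.filter(entries, fn {_name, licenses} ->
      licenses == [] or Enum.any?(licenses, &(&1 not in allowed))
    end)
  end
end

# Constructed sample input: a trimmed copy of the cowlib metadata plus a made-up package.
tmp = Path.join(System.tmp_dir!(), "deps_licenses_demo")
File.rm_rf!(tmp)

for {app, body} <- [
      {"cowlib", ~s({<<"name">>,<<"cowlib">>}.\n{<<"licenses">>,[<<"ISC">>]}.\n)},
      {"nolicense", ~s({<<"name">>,<<"nolicense">>}.\n{<<"licenses">>,[]}.\n)}
    ] do
  File.mkdir_p!(Path.join(tmp, app))
  File.write!(Path.join([tmp, app, "hex_metadata.config"]), body)
end

entries = DepsLicenses.list(tmp)
IO.inspect(entries, label: "licenses")
IO.inspect(DepsLicenses.review(entries, ["Apache 2.0", "ISC", "MIT"]), label: "needs review")
```

Because the metadata is read as data with `:file.consult/1`, no dependency's mix.exs is evaluated, which also avoids the compile warnings seen in the `mix deps.licenses` output quoted in the thread.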
