David Koo wrote:
>
>> Should we store licensing information as a comment in the
>> *-requirements files ? Can it be stored on the same line ? Something
>> like:
>>
>> oslo.messaging>=1.3.0a4 # Apache-2.0
>
> Since it's licenses we're tracking shouldn't we be tracking indirect
> dependencies too (i.e. packages pulled in by required packages)? And if
> we want to do that then the method above won't be sufficient.
>
> And, of course, we want an automated way of generating this info -
> dependencies (can) change from version to version. Do we have such a
> tool?

I think tracking licensing for first-level dependencies is a good start.
Basically, if we require a license-incompatible dependency it's clearly
our fault, whereas if a second-layer dependency requires a
license-incompatible dependency itself, we are just affected by their
mistake.

This is a first step, but it covers most of the issue we are trying to
prevent.

--
Thierry Carrez (ttx)
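
Added example, not part of the original thread and not an OpenStack tool: a minimal check over the same-line comment format proposed above (`oslo.messaging>=1.3.0a4 # Apache-2.0`), covering first-level dependencies only. The allowlist, the function names and every sample line except the oslo.messaging one are assumptions made for illustration.

```python
import re

# Constructed sample in the format proposed in the thread; only the
# oslo.messaging line comes from the e-mail, the rest is made up.
SAMPLE = """\
# messaging
oslo.messaging>=1.3.0a4 # Apache-2.0
example-mit-lib>=1.5.2\t# MIT
example-copyleft-lib>=0.1  # GPL-3.0
unlabelled-lib>=2.0
-e git+https://example.invalid/repo.git#egg=foo
"""

# Assumed policy: licenses the project accepts for direct dependencies.
ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause"}

NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def parse_line(line):
    """Return (package, license_or_None), or None for non-requirement lines."""
    line = line.strip()
    # Skip blanks, whole-line comments and pip options such as -e / -r.
    if not line or line.startswith("#") or line.startswith("-"):
        return None
    # pip starts a comment at whitespace followed by '#'.
    parts = re.split(r"\s#", line, maxsplit=1)
    match = NAME_RE.match(parts[0])
    if match is None:
        return None
    license_id = parts[1].strip() if len(parts) == 2 else ""
    return match.group(0), (license_id or None)


def audit(text, allowed=ALLOWED):
    """List (line number, package, problem) for each direct dependency
    that has no license comment or a license outside the allowlist."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        name, license_id = parsed
        if license_id is None:
            findings.append((lineno, name, "missing license comment"))
        elif license_id not in allowed:
            findings.append((lineno, name, "not in allowlist: " + license_id))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s: %s" % finding)
```

Run as a gate on changes to the requirements files, it fails any new direct dependency that arrives without a license annotation; it does not resolve indirect dependencies.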