@robertohuertasm
Last active November 23, 2024 10:54
Simple .licrc config file for Licensebat
# IMPORTANT!: ALL SECTIONS ARE MANDATORY
[licenses]
# Lists the only licenses that Licensebat will accept.
# Any other license will be flagged as not allowed.
accepted = ["MIT", "MSC", "BSD"]
# Lists the licenses that are not accepted.
# Any other license will be accepted, except for unknown licenses or dependencies without a license.
# unaccepted = ["LGPL"]
# Note that only one of the two options above can be enabled at once.
# If both are set, only accepted will be considered.
[dependencies]
# Lets you flag dependencies whose license Licensebat will not check.
ignored = ["ignored_dep1", "ignored_dep2"]
# If set to true, Licensebat will ignore the dev dependencies.
ignore_dev_dependencies = true
# If set to true, Licensebat will ignore the optional dependencies.
ignore_optional_dependencies = true
[behavior]
# False by default. If true, the checks only run when one of the dependency files or the .licrc file has been modified.
run_only_on_dependency_modification = true
# False by default. If true, Licensebat will never block the build.
do_not_block_pr = false
@utkarshsethi

Please add documentation of all license types supported and acceptable values for the fields.

@robertohuertasm
Author

@utkarshsethi I think there are enough examples for the different values; let me know which field you would like to be clearer. Regarding the licenses, it really depends on what each platform decides to expose. Normally, these would be SPDX identifiers, but the tool is not limited to that, because there are platforms (like pub.dev) that expose custom identifiers.

@utkarshsethi

The link helped.

Maybe just a mention of the link with text to use identifiers from the list is enough.

thanks

@tmillr

tmillr commented Aug 25, 2022

Quick question @robertohuertasm: Does Licensebat do any sort of license validation beyond simply parsing out dependencies' licenses and then checking those for:

  1. unknown or missing licenses
  2. licenses which contradict the manual configuration (i.e. .licrc)

?

In other words, is there any sort of implicit, automatic license conflict detection going on beyond conflicts which merely arise due to 1 and 2 above?

@robertohuertasm
Author

Hi @tmillr, not sure what you mean by beyond... The tool basically gets the information about the license of a particular dependency from some source, most of the time the registries. Then, depending on the language and the registry, it compares the declared license with the actual license (the file present in the repo) to double-check that the real license is not contradicting the declared one, and finally it compares that information with what you have declared in .licrc.

@tmillr

tmillr commented Aug 25, 2022

@robertohuertasm Thanks for the explanation. I just installed this app and was wondering how it works, or what it's doing exactly, because I was originally under the impression that everything was handled automatically and that no manual configuration was needed.

But then I got the error for missing the required config file, so then I started wondering if this app does any sort of automatic checking for implicit license conflicts at all. For example, some licenses cannot be combined (e.g. Apache 2.0 and GPL2), and manual configuration doesn't seem like it would be necessary to detect this sort of implicit conflict.

@robertohuertasm
Author

That's a good point @tmillr, but the tool does not do that sort of verification, unfortunately. That would be a really cool feature to implement, though.
