incubator-general mailing list archives

From Maxime Beauchemin <maximebeauche...@gmail.com>
Subject FOSSA.com: a new service to monitor licenses on Github repos
Date Tue, 09 Jul 2019 06:30:32 GMT
Hi all,

[this is not a promotional email in any way, I'm not affiliated with the
service/company discussed here]

I just discovered fossa.com, self-described as "Realtime license and
vulnerability management for open source dependencies".

For context, Apache Superset has a dependency tree with 700+ deps (crazy
right?); at that scale license management is a huge burden at best, or worse:
a legal risk for the ASF.

Oh btw I tried searching the ASF mailing lists for existing threads on this
topic but failed miserably, apologies if this has been discussed already.

I couldn't set up the FOSSA service on the project's repo I'm PMC on as I
don't have the required Github rights, but I set it up against my fork and
it's all you could ever hope for in terms of license-related automation.
See it in action here:
https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved

It seems like we may want to set this up against most if not all ASF
projects. As the ASF is in the line of fire for legal troubles around
licensing, it seems like automation/prevention would be strategic,
especially in a world where micro packages and frequent releases are
trending. Without using a service like this one, bumping a release, or even
just allowing an open version range can result in integrating
non-permissive licenses in a bundle, in ways that could take months to
catch, if ever.

For the record I opened a ticket with ASF infra to set it up on
`apache/incubator-superset`:
https://issues.apache.org/jira/browse/INFRA-18719. I'm hoping this goes
smoothly, and that Apache Infra is OK granting the required perms to FOSSA.

I wanted to bring attention to this as it seems like something very
useful for most projects.

Thoughts?

Max
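The scenario the email describes (an open version range quietly pulling a non-permissive license into the bundle, several hops down the tree) can be caught with a small transitive audit. The following is an added example written for this archive page; it is not code from the email, from FOSSA, or from Apache Superset, and the package names, the resolved tree and the abridged license-category table are all constructed for illustration.

```python
from collections import deque

# ASF third-party license categories, abridged and illustrative only:
# A = permissive, B = weak copyleft (binary-only inclusion), X = not
# distributable in ASF releases. Anything not listed is treated as unknown.
CATEGORY = {
    "Apache-2.0": "A", "MIT": "A", "BSD-3-Clause": "A", "ISC": "A",
    "MPL-2.0": "B", "EPL-2.0": "B", "CDDL-1.0": "B",
    "GPL-3.0-only": "X", "AGPL-3.0-only": "X", "SSPL-1.0": "X",
}

# Constructed sample resolution: package -> (declared license, direct deps).
# Hypothetical 'webfw' is declared with an open range; the version resolved
# today pulls in 'jsonlib', which (in this made-up story) was relicensed to
# AGPL. The top-level manifest never changed, yet the bundle now ships
# Category X code two hops below anything a reviewer would normally look at.
SAMPLE_TREE = {
    "app": ("Apache-2.0", ["webfw", "sqlparser"]),
    "webfw": ("BSD-3-Clause", ["jsonlib", "templating"]),
    "templating": ("MIT", []),
    "jsonlib": ("AGPL-3.0-only", []),
    "sqlparser": ("MPL-2.0", ["unlicensed-helper"]),
    "unlicensed-helper": (None, []),
}


def audit(tree, root):
    """Walk the dependency graph from root (breadth-first, each package once)
    and return one finding per package that is Category X or has no
    recognised license, together with the dependency path that introduced
    it, so the offending edge (not just the leaf) is actionable."""
    findings = []
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        lic, deps = tree.get(pkg, (None, []))
        cat = CATEGORY.get(lic, "unknown")
        if pkg != root and cat in ("X", "unknown"):
            findings.append({"package": pkg, "license": lic,
                             "category": cat, "path": " -> ".join(path)})
        for dep in deps:
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TREE, "app"):
        print(f"{f['category']:8} {f['package']:20} {f['license']}  via {f['path']}")
```

Running this against a real lock file would mean feeding it the resolved graph from the package manager instead of SAMPLE_TREE; the walk and the category check stay the same.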
