[oxigraph_server] Add dependency licenses #4088
Conversation
Co-authored-by: Mosè Giordano <[email protected]>
Co-authored-by: Mosè Giordano <[email protected]>
Co-authored-by: Mosè Giordano <[email protected]>
Getting to the original question, we don't really have a policy for the case of static linking, simply because we almost never do it, apart from Rust and Go packages, which are a tiny minority of our ecosystem. We want to ship in each tarball the license of the package itself, which is rather straightforward when we do dynamic linking: each tarball basically has a single package, and we have only its license. However, with static linking you basically smash dozens of packages into a single build, so it isn't clear what license you want to ship: only the "final" package or all of its dependencies? When in doubt, I usually look at Linux distributions. Debian is a good one as they take the matter of license seriously (Arch Linux is less conscious of license), do they have Rust-based packages? What they do in that case? |
|
Fedora follows the following practices:
On the other hand, Debian seems to just grab the top-level license and leave things at that, e.g. ripgrep. |
|
But, as far as I can see, in Fedora they only ship the license files of ripgrep (which is exactly what we do as well), no? |
|
Useful thread about this issue suggesting rust community still developing an approach: rust-lang/rust#67014 |
This is an experiment for rust binaries so that we can package the full licenses of package dependencies. Not sure what the Yggdrasil policy is / what appropriate convention is as to what licenses need to come along into the jll, but cargo-license seems to offer an elegant solution and it is a practice followed (in some instances) by conda-forge. (see here: https://github.com/conda-forge/oxigraph-feedstock)
Ref: https://github.com/onur/cargo-license