Exclude dev/test gems with GPL license to simplify license compliance #2525
Conversation
rkoster
requested review from
a team,
aramprice,
selzoc and
beyhan
and removed request for
a team
| @@ -15,3 +15,6 @@ files: | |||
| - vendor/cache/*.gem | |||
| - vendor/cache/extensions/** | |||
| - vendor/cache/netaddr-rb-*/** | |||
|
|
|||
| excluded_files: | |||
| - vendor/cache/{bundle-audit,bundler-audit,coderay}-*.gem # test dependency with GPL license | |||
There was a problem hiding this comment.
coderay appears to have had an MIT license for at least 12 years. Doesn't hurt to exclude it, but perhaps not necessary.
There was a problem hiding this comment.
Yeah might be a BlackDuck issue, it performs a file match/snippet signature match or something like that and some files might have not changed in the past 12 years...
|
@rkoster have you built/deployed/tested with this configuration, or are you depending on the pipeline to fail after this is merged? It seems like a fine change. |
|
@selzoc shouldn't we -at minimum- correct the comment introduced by the modification? |
You mean |
|
I have not tested this change myself and was hoping to rely on the pipeline for that. I did create a release with these changes and verified the it resolved some of the license compliance issues Black Duck found, and it did. |
|
I'm also thinking about maybe excluding all gems from test groups. What do you y'all think? |
|
I'm worried about the fragility of hand-coded exclusions. Probably fine for the time being but perhaps there is a |
While looking at BlackDuck scan results I noticed that there are a few dev/test gems that bring (strong) copy left licenses.
Since these gems are not a runtime dependency, let's try and exclude these from our final releases.