Conversation
github-actions
bot
added
the
enhancement
jhdub23
force-pushed
the
feat/license
branch
2 times, most recently
from
f4c199e to
41384c3
Compare
jhdub23
changed the title
RobPasMue
left a comment
RobPasMue
left a comment
There was a problem hiding this comment.
LGPL cannot be accepted as a license by default - investigations need to be performed on the way the impacted package is used on our side.
|
The ability to release Python libraries freely but NOT as fully OSS (aka Freeware) is desirable and there is at least one library that falls into this category at the moment within ansys and there could be more in the future. |
|
Under what circumstances would an LGPL package X be permissible while an LGPL package Y be denied? For example: GPL - internal use only, allowed. Shipped within a closed-source product: not allowed. I'm trying to understand the decision factors that would apply for us to deny the use of an LGPL package. I can't think of any, assuming the product team has ok'd the use of the package. |
|
As far as I am concerned:
The reason for the last point is that we would be force to distribute our software under a free software license. |
|
All Contributor License Agreement (CLA) signatures have been captured successfully. Thanks for contributing! |
LGPL packages don't force us to distribute our software under a free software license. Also, software in the |
jorgepiloto
force-pushed
the
feat/license
branch
from
bf16479 to
3899a83
Compare
|
As discussed with @jhdub23, this should be fine. We are just using them as a dependencies. We are not modifying or copy-pasting their source code. |
If we end up allowing it, please revisit the https://github.com/ansys/actions/blob/main/check-licenses/ignored-packages.txt packages so that if any of them are LGPL, we can accept them |
|
The main reason for my reservations here remains in place - we have downstream consumers of these packages who bundle them into executables using pyInstaller. In that context LGPL dependencies are almost certainly not going to be acceptable, and we've previously discussed at length the need to work with those teams. Permitting LGPL components as strictly parts of the build or documentation process seems reasonable, but for any of the flagship libraries, hard dependencies on LGPL libraries will prevent this bundling, and impact those workflows. This discriminated permission process is not supported by pip-licenses or by the existing workflows, and will require manual approval and tracking (which I remain convinced we should do) |
|
Per yesterdays discussion this is reasonable - I would like to see the support policy written down somewhere, but we seem comfortable drawing a line around open-source. We also discussed improving the reporting process for SBOMs which I'll take a swing at today. |
jorgepiloto
changed the title
jorgepiloto
changed the title
check-licenses/action.yml
Outdated
| done | ||
| fi | ||
|
|
||
| - name: Force review and acceptance of whitelisted licenses |
There was a problem hiding this comment.
After some thoughs, I would remove this checking tbh.
While I would like to ensure that every developer pays attention to direct/transitive dependencies' licenses, I don't think adding a step in our action is the right way. If one updates the whitelist-license-check input, then one should already take responsibility for this.
There was a problem hiding this comment.
Everything works on my side. I thought to add this extra-step so that it forces developers to think twice about what they are doing.
There was a problem hiding this comment.
Yes, that is a good point @SMoraisAnsys. You convinced me 😄
There was a problem hiding this comment.
Yeah the check is not needed as an action input. I thought we agreed on this yesterday. Modifying the whitelist acknowledges that you know what you are doing.
The bot comment as discussed is a good double-check though, but it has to be separate from the action itself
jorgepiloto
force-pushed
the
feat/license
branch
2 times, most recently
from
813351e to
83fbc43
Compare
9 participants
No description provided.