Exclude dev/test gems with GPL license to simplify license compliance#2525
Exclude dev/test gems with GPL license to simplify license compliance#2525rkoster wants to merge 1 commit into
Conversation
rkoster
requested review from
a team,
aramprice,
beyhan and
selzoc
and removed request for
a team
| - vendor/cache/netaddr-rb-*/** | ||
|
|
||
| excluded_files: | ||
| - vendor/cache/{bundle-audit,bundler-audit,coderay}-*.gem # test dependency with GPL license |
There was a problem hiding this comment.
coderay appears to have had an MIT license for at least 12 years. Doesn't hurt to exclude it, but perhaps not necessary.
There was a problem hiding this comment.
Yeah might be a BlackDuck issue, it performs a file match/snippet signature match or something like that and some files might have not changed in the past 12 years...
|
@rkoster have you built/deployed/tested with this configuration, or are you depending on the pipeline to fail after this is merged? It seems like a fine change. |
|
@selzoc shouldn't we -at minimum- correct the comment introduced by the modification? |
You mean |
|
I have not tested this change myself and was hoping to rely on the pipeline for that. I did create a release with these changes and verified the it resolved some of the license compliance issues Black Duck found, and it did. |
|
I'm also thinking about maybe excluding all gems from test groups. What do you y'all think? |
|
I'm worried about the fragility of hand-coded exclusions. Probably fine for the time being but perhaps there is a |
|
Its been ~2 years, should we close this? Or maybe revisit the idea in a more wholistic way for the CF ruby ecosystem? |
github-project-automation
Bot
moved this from Pending Review | Discussion
to Done
in Foundational Infrastructure Working Group
5 participants
While looking at BlackDuck scan results I noticed that there are a few dev/test gems that bring (strong) copy left licenses.
Since these gems are not a runtime dependency, let's try and exclude these from our final releases.