~amolith/willow#46: 
Audit all dependencies, both direct and indirect

Primarily look at their licences; I want to make sure the permissive binary doesn't include any copyleft code.

Check Willow in socket.dev as well, it should evaluate all direct and indirect dependencies based on more than just their licences. I specifically want a human to check the licences though.

Status: REPORTED
Submitter: ~amolith
Assigned to: No-one
Submitted: 10 months ago
Updated: 4 months ago
Labels: v0.0.1

~amolith 4 months ago

Hmm I believe we violate the license of the first dependency I see. Mergo's BSD-3-Clause license requires binary redistributions to reproduce the text of its license. I guess we need to vendor all dependencies, script extracting their licenses, and embed them in the binary for printing with --licenses or something?

~amolith 4 months ago*

Google's go-licenses tool might be the thing to solve this

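One way the "embed the notices and print them with --licenses" idea from the first comment could be wired up, feeding on the directory that go-licenses writes. This is an added illustration, not Willow's code and not something go-licenses generates; it assumes `go-licenses save ./... --save_path third_party/licenses` lays out one subdirectory per dependency import path containing its LICENSE file, and it substitutes a constructed in-memory `fstest.MapFS` for the embedded directory so that it runs stand-alone (the Mergo entry and its text are constructed, not copied from the project).

```go
package main

import (
	"flag"
	"fmt"
	"io/fs"
	"os"
	"sort"
	"strings"
	"testing/fstest"
)

// In the real binary the notices would be the directory written by
// `go-licenses save ./... --save_path third_party/licenses` (one
// subdirectory per dependency import path holding its LICENSE file; this
// layout is an assumption about go-licenses' output), embedded with:
//
//	//go:embed third_party/licenses
//	var licenseFS embed.FS
//
// embed.FS implements fs.FS, so RenderNotices works unchanged on it.
// sampleNotices is a constructed stand-in so this example runs on its own.
var sampleNotices = fstest.MapFS{
	"third_party/licenses/github.com/imdario/mergo/LICENSE": &fstest.MapFile{
		Data: []byte("Copyright (c) 2013 Dario Castañé. All rights reserved.\n" +
			"BSD-3-Clause (constructed excerpt)\n"),
	},
	"third_party/licenses/example.org/other/LICENSE.txt": &fstest.MapFile{
		Data: []byte("MIT License (constructed excerpt)\n"),
	},
}

// isNoticeFile reports whether name looks like a license or notice file.
func isNoticeFile(name string) bool {
	u := strings.ToUpper(name)
	return strings.HasPrefix(u, "LICENSE") ||
		strings.HasPrefix(u, "COPYING") ||
		strings.HasPrefix(u, "NOTICE")
}

// RenderNotices walks root inside fsys, collects every notice file, and
// returns them concatenated, each headed by the dependency path it belongs
// to, in sorted order so the output is deterministic across builds. Printing
// this from the binary is what satisfies the BSD "reproduce the above
// copyright notice ... in the documentation and/or other materials provided
// with the distribution" condition for binary redistributions.
func RenderNotices(fsys fs.FS, root string) (string, error) {
	type notice struct{ dep, text string }
	var notices []notice
	err := fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !isNoticeFile(d.Name()) {
			return nil
		}
		data, err := fs.ReadFile(fsys, path)
		if err != nil {
			return err
		}
		// Dependency path = path relative to root, minus the file name.
		rel := strings.TrimPrefix(path, root+"/")
		dep := strings.TrimSuffix(rel, "/"+d.Name())
		notices = append(notices, notice{dep: dep, text: string(data)})
		return nil
	})
	if err != nil {
		return "", err
	}
	sort.Slice(notices, func(i, j int) bool { return notices[i].dep < notices[j].dep })
	var b strings.Builder
	for _, n := range notices {
		fmt.Fprintf(&b, "==> %s <==\n%s\n", n.dep, n.text)
	}
	return b.String(), nil
}

func main() {
	// Go's flag package accepts both -licenses and --licenses.
	show := flag.Bool("licenses", false, "print third-party license notices and exit")
	flag.Parse()
	if !*show {
		fmt.Println("run with --licenses to print third-party license notices")
		return
	}
	out, err := RenderNotices(sampleNotices, "third_party/licenses")
	if err != nil {
		fmt.Fprintln(os.Stderr, "licenses:", err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Because the notices live in the module tree and are embedded at build time, a dependency added without a corresponding license file shows up as a missing entry in `--licenses` output rather than silently shipping; pairing this with a CI run of `go-licenses check ./...` (which flags license types it considers disallowed) covers the automated half, while the human read of each licence the issue asks for still has to happen by hand.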