New linter rule: validating LICENSE files #228

Open
schuylermartin45 opened this issue May 10, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@schuylermartin45
Collaborator

Not sure how feasible this is, but I wanted to capture the thought here anyways.

Coming out of this PR, I wonder if we can validate what we claim the license should be from what the LICENSE file in the repository indicates: AnacondaRecipes/libmicrohttpd-feedstock#1

Maybe the linter can use the dev_url or some other required field to probe the LICENSE file against a known list of files (or SHA-256 hashes of known license files) to validate what we list in meta.yaml matches.

Perhaps this can catch other mistakes in conda-forge or detect if the license changes between versions?

@schuylermartin45 schuylermartin45 added the enhancement New feature or request label May 10, 2023
@razzlestorm
Contributor

Potentially also validate against licensing restrictions that Anaconda has per company-wide policies.

@razzlestorm
Contributor

@skupr-anaconda, I've heard you have tooling that might already do something like this?

@skupr-anaconda
Contributor

Yeah, this script checks if the license exists on GitHub and GitLab: https://github.com/anaconda-distribution/finder/blob/main/finder/common/check_urls_exist.py.
But the license names can differ and my script doesn't cover all use cases (around 10-20%). But other projects outside GitHub/GitLab are completely out of scope.

@schuylermartin45
Collaborator Author

Nice work @skupr-anaconda, it's at least a good starting point for this linting project.

I'm guessing SHA-256 hashes are probably the safest fingerprinting and I think there might be existing tools out there that do some of this work for us. I know I've seen some tools at previous companies I've worked at that can detect if a license is allowed for NPM packages based on some pre-defined rules. I'm sure there's some Python equivalent library we could leverage.
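As an added illustration of the fingerprinting approach discussed in this thread (example code, not part of the linter or of any tool mentioned above), the sketch below hashes a repository's LICENSE file with SHA-256 and compares the result to a table of known license hashes, then reports whether the license declared in meta.yaml agrees. It goes one step beyond a raw file hash: common licenses such as MIT embed the copyright holder and year, so two correct MIT files hash differently unless the text is canonicalized first. The normalization rule (drop copyright lines, collapse whitespace, lowercase), the SPDX identifiers used as keys, and the short stand-in license texts are all assumptions constructed for this example; a real implementation would load the full texts from the SPDX license list.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in texts for the known-license table. A real linter would
# load the complete SPDX license texts here instead of these abbreviated ones.
REFERENCE_LICENSES = {
    "MIT": (
        "Permission is hereby granted, free of charge, to any person obtaining\n"
        "a copy of this software, to deal in the Software without restriction.\n"
        "THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND.\n"
    ),
    "LGPL-2.1-or-later": (
        "This library is free software; you can redistribute it and/or modify\n"
        "it under the terms of the GNU Lesser General Public License as\n"
        "published by the Free Software Foundation; either version 2.1 of the\n"
        "License, or (at your option) any later version.\n"
    ),
}

# Lines that carry per-project holder/year information and must not affect the hash.
_COPYRIGHT_LINE = re.compile(r"^\s*(copyright|\(c\)|©)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Canonicalize a license text so that line endings, indentation, letter case
    and project-specific copyright lines do not change its fingerprint."""
    kept = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if _COPYRIGHT_LINE.match(line):
            continue
        kept.append(line)
    return re.sub(r"\s+", " ", " ".join(kept)).strip().lower()


def fingerprint(text: str) -> str:
    """SHA-256 of the normalized text, as a hex digest."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


# Hash -> SPDX identifier, built from the reference texts at import time.
KNOWN_HASHES = {fingerprint(text): spdx for spdx, text in REFERENCE_LICENSES.items()}


def identify_license(license_file_text: str) -> Optional[str]:
    """Return the SPDX identifier whose fingerprint matches, or None if unknown."""
    return KNOWN_HASHES.get(fingerprint(license_file_text))


def lint_license(meta_license: str, license_file_text: str) -> list[str]:
    """Compare the license declared in meta.yaml against the LICENSE file.

    Returns a list of findings; an empty list means the two agree."""
    findings = []
    detected = identify_license(license_file_text)
    if detected is None:
        findings.append(
            "LICENSE file does not match any known license fingerprint; verify manually"
        )
    elif detected != meta_license.strip():
        findings.append(
            f"meta.yaml declares {meta_license!r} but the LICENSE file matches {detected}"
        )
    return findings


# Constructed LICENSE file as it might be checked into a repository: a
# project-specific copyright line, CRLF line endings and trailing whitespace.
SAMPLE_LICENSE_FILE = (
    "Copyright (c) 2023 Example Project Authors\r\n"
    + REFERENCE_LICENSES["MIT"].replace("\n", "\r\n")
    + "  \r\n"
)

if __name__ == "__main__":
    for declared in ("MIT", "LGPL-2.1-or-later"):
        print(declared, "->", lint_license(declared, SAMPLE_LICENSE_FILE) or "OK")
```

Running the block checks the constructed LICENSE file twice: declaring `MIT` produces no findings, while declaring `LGPL-2.1-or-later` produces a mismatch finding. A file that matches nothing in the table is reported for manual review rather than silently passed, which is the safer default for a linter whose table will never be complete.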
