incubator-general mailing list archives

From Jan Piotrowski <piotrow...@gmail.com>
Subject Re: FOSSA.com: a new service to monitor licenses on Github repos
Date Tue, 09 Jul 2019 09:05:47 GMT
> See it in action here:
> https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved

Endless loading spinners for me unfortunately.

J

On Tue, 9 Jul 2019 at 08:30, Maxime Beauchemin
<maximebeauchemin@gmail.com> wrote:
>
> Hi all,
>
> [this is not a promotional email in any way, I'm not affiliated with the
> service/company discussed here]
>
> I just discovered fossa.com, self-described as "Realtime license and
> vulnerability management
> for open source dependencies".
>
> For context, Apache Superset has a dependency tree of 700+ deps (crazy
> right?); at that scale license management is a huge burden at best, or worse:
> a legal risk for the ASF.
>
> Oh btw I tried searching the ASF mailing lists for existing threads on this
> topic but failed miserably, apologies if this has been discussed already.
>
> I couldn't set up the FOSSA service on the project's repo I'm PMC on as I
> don't have the required GitHub rights, but I set it up against my fork and
> it's all you could ever hope for in terms of license-related automation.
> See it in action here:
> https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved
>
> It seems like we may want to set this up against most if not all ASF
> projects. As the ASF is in the line of fire for legal troubles around
> licensing, it seems like automation/prevention would be strategic,
> especially in a world where micro packages and frequent releases are
> trending. Without using a service like this one, bumping a release, or even
> just allowing an open version range can result in integrating
> non-permissive licenses in a bundle, in ways that could take months to
> catch, if ever.
>
> For the record I opened a ticket with ASF infra to set it up on
> `apache/incubator-superset`:
> https://issues.apache.org/jira/browse/INFRA-18719 I'm hoping this goes
> smoothly, and that Apache Infra is ok granting the required perms to FOSSA.
>
> I wanted to bring attention to this as it seems like something very
> useful for most projects.
>
> Thoughts?
>
> Max

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

