Managing licenses of dependencies

[bruchar1]

One requirement I have is to ensure that all the libs my project uses have compatible licenses, and to distribute the license files for every dependency. I know that project() already has license and license_files fields. I also know that pkg-config does not provide that kind of information.

What would be the best strategy to achieve my goal? Is it something that could (should?) eventually be managed by meson?

One possible idea I have would be to add license and license_files attributes to dependency(), and to have a global switch to make those keywords mandatory. This would force every dependency to specify its license. Then there could be a module with functions to install license files, and to check for license compatibility (something similar to Python liccheck package).

[eli-schwartz]

Meson allows you to declare your licenses, and e.g. write a dependency manifest describing exchange license used in the project (and its subprojects).

It doesn't have any enforcement method though, it's purely advisory. I'm not sure what license compliance enforcement at the build system level would look like anyway.

As far as providing license kwargs to dependency() goes, what do you envision this doing?

• Would you specify the license you expect/require the dependency to be licensed under? What compliance does this enforce? It doesn't have to be compatible with your project, all you're doing is checking that the dependency hasn't changed its license recently?
• Would you specify the license of your own project and run a comparison program to make sure that the licenses are considered compatible? Why do you need a kwarg? Who is maintaining this license checker? Is it a problem if your MIT project is restricted by linking it to a GPL3 dependency causing the combined work to no longer be the MIT you began with? Do we need to also check static/shared linkage to handle cases where your dependency is LGPL, but you're only compatible with that as long as you avoid static linkage? What should we do about programs you build but don't install, which would be license violations except that you don't distribute it, for example, testsuite programs? What about code generators?

[bruchar1]

Those are very good points.

• In the best world, every dependency would provide information about its own license. But we all know this is not the case. Having to manually enter the license for each dependency is far from ideal, but it is the best solution I can think of in the current state. Ideally, I would automate this as much as possible (e.g. reading the license from a file at a known path)
• For the enforcement, I'm thinking about something similar to liccheck, i.e. lists of allowed and disallowed licences, that each project could configure. Or another approach would simply be to call an external process with the list of licenses collected by meson.
• static vs shared linkage is a good point in favor of managing this inside meson.
• For the dependency kwarg, it would allow to:
  • Get a dict of dependency: license
  • Copy the license files to a specific installation folder
  • Optionally enforce that every dependency has a license
• I guess the function to enforce licenses should have ignore list for handling exceptions (e.g. I know I use this specific incompatible package, but it is ok in my context). Maybe the licence enforcement should only be on installable target.

Another option would be to enforce nothing, but simply to allow meson to provide a license report:

- project:
      license: xyz
      license_files: []
      dependencies:
          - depa: { license: xyz, license_files: [], linkage: shared, installed: true }
          - depb: { license: None, license_files: [], linkage: static, installed: false }
          - depc: { license: abc, license_files: [], linkage: both, installed: true }
- subproject: ...

then an external script could use that information to do what it wants.

[eli-schwartz]

static vs shared linkage is a good point in favor of managing this inside meson.

Interesting, because I mentioned it as a point against wanting to be responsible for managing it.

Another option would be to enforce nothing, but simply to allow meson to provide a license report:

Meson can mostly do this for anything you built as a subproject. We could probably expand it to also annotate what kind of linkage it uses and whether it's installed.

[bruchar1]

Interesting, because I mentioned it as a point against wanting to be responsible for managing it.

I agree that it's probably not meson's business to take a decision based on this. But since the linkage may depend on the prefer_static option and on the static kwarg, how could I know what kind of linkage is used, outside meson?

Meson can mostly do this for anything you built as a subproject. We could probably expand it to also annotate what kind of linkage it uses and whether it's installed.

Interesting... How can it do it? Through intro-mesonproject.json ? Maybe I could encapsulate every dependency inside a subproject. But in that case, could the subproject take its version from the dependency version? Not sure...

[bruchar1]

meson.install_dependency_manifest() . Just found it.

[xclaesse]

What I think we could potentially do:

• Add a license kwarg in declare_dependency() that defaults to project's license.
• Add dep.license() method to retrieve that info.
• Maybe we could add the license in pkgconfig generator and get at least pkgconf support it.
• Add allowed_licenses built-in option (just list of strings) and any subproject() or dependency() that has a license not in that list would return not-found instead.

What I personally would be totally against is making policy decisions in Meson. We are not a lawyer firm and deciding which licenses are compatible is a full time job for a whole legal team.

[bruchar1]

License kwarg would be required for dependency() as well I think, or I would need to create an internal dependency for every dependency that do not provide a license (maybe this is the way to go?)

For pkgconfig, I guess the best is to use a variable, like license and license_files. No upstream changes required. Since in my project I generate the .pc files using conan, this would be easy for me to add the information from the conan package, when it is available.

Does cmake provide license information? If so, that would be another point in favor of a dep.licence() function.

[eli-schwartz]

Add allowed_licenses built-in option (just list of strings) and any subproject() or dependency() that has a license not in that list would return not-found instead.

We formally recommend people not use a list of licenses in the project() field, but to use SPDX expressions instead as those support conditional logic, booleans and/or, and so on.

So at a minimum your idea would require parsing the textual content and figuring out whether a forbidden license is optional and thus not a real restriction.

[xclaesse]

SPDX has a formal spec for their string format IIRC, so we could parse it. But that's assuming the string is actually using SPDX like we recommend... A direct string match could already work in most cases, and worst case you can also do e.g. -Dallowed_licenses=['Foo or Bar', 'Foo'].

But I think a first step that I think does make sense is to at least list all licenses from subprojects/deps and print that into the summary().

[eli-schwartz]

Why is it the summary()'s job to print licensing info to the console log? It's included in the introspection and there's a builtin option "licensedir" to install the license files as well as a json manifest. I added this option when adding the license_files kwarg, because previously all there was was a function you could run to install the json manifest on its own. I wanted distros to be able to choose where to install this information.

Strong -1 on adding more information to the console log for this without the project explicitly choosing to print it.

[bruchar1]

If meson had a function to get a dict of all subproject / dependency licenses, then you could feed that information to the summary() function, if you want. Nothing special here.

[xclaesse]

Right, that's what I meant, projects could do their summary() if we have dep.license() for example.

But it's even more complicated than this. GStreamer for example has a bunch of plugins with different licenses. Those would not show up in dependencies. In the very hypothetical case everyone adds the license information in their pc file, I guess we could detect that GStreamer did dependency('x264') and that has GPL license and then somehow add that license to the list of licenses for the gstreamer project...

To be honest my general feeling is we should keep as far away of this topic as possible because it's a huge can of worms. At best let projects provide the info if they want with dep.license() method.

[bruchar1]

Here is my proposal:

• Add dep.license() and dep.license_files() functions to dependencies.
  • Get that informations from pkgconfig variables, if available
  • Get that information from cmake?
  • Get that information from other methods (config-tool, system, ....)?
• Add license and license_files kwargs to declare_dependency()
  • Default to project licence? Or to no license at all? I think no license, but have a special value to inherit from project.
• Add those kwarg to dependency() as well? Not sure...
• Add project / subprojects license information to intro-mesonproject.json file
• Add a new intro-licenses.json introspection file with details about every dependencies?
  • Including linkage and install states
• Add options to meson.install_dependency_manifest() to list dependencies as well
• Add a new meson.install_license_files() function to copy the license files to a specified directory
• Add meson.get_all_licenses() and meson.get_all_license_files() functions returning a dict of subproject / dependency associated with their licenses

[eli-schwartz]

Add options to meson.install_dependency_manifest() to list dependencies as well

Subprojects are dependencies, do you mean specifically external dependencies?

Add a new meson.install_license_files() function to copy the license files to a specified directory

Honestly I'd rather deprecate the function we already have, in favor of the licensedir builtin option I added to do this for you.

Add meson.get_all_licenses() and meson.get_all_license_files() functions returning a dict of subproject / dependency associated with their licenses

Instead of adding an additional function I'd recommend a recursive: true kwarg to the one we do have.

[bruchar1]

Yes, I mean external dependencies. I wasn't aware of the licensedir builtin option. It definitivly does part of what I need. But how would you specify you want external dependencies as well?

Also, the dependency manifest currently uses the devel install tag. Adding an install_tag kwarg to meson.install_dependency_manifest() would allow to change that tag to be able to install license files only.

I fully agree for the recursive: true option instead of new functions.

[eli-schwartz]

I don't know why it's tagged as devel...

[bruchar1]

That was done in ##9110