Hey,

On 08/04/2024 19:11, Polarian wrote:

> <SNIP>

> One way of doing it (which I heard of some codebases doing) is to append all the dependency licences into a single file "DEPENDENCYLICENSES" or "3RDPARTYLICENSES", a lot of Android apps do this and then spit out the file in a "licence" screen, I have seen proprietary products do this as well, I believe Discord has a file on their website with all the attribution. Simply install this next to the LICENCE in /usr/share/licenses and all is solved. Although then you would need to stick this in the licenses array, which will again cause sprawling, but this time on your screen. So possible implementation of a "dependency_licenses" array, and then that can be a minimised list or a second page <package url>/dependency-licenses as an example. Although this then needs to be coded into the Arch build system... which isn't ideal either.
I don't see why you would need to stick this in the license array. Putting it in /usr/share/licenses is good enough for compliance with the license requirements.

> <SNIP> Questions:
> - Is this solution worth the manpower?
Personally I doubt it. A Rust project can easily explode into 300 dependencies. For somewhat bigger ones I have seen around 500~600 too. I suppose in the end many projects will share a large subset of those, but quite possibly at different versions.
And for me more importantly, dynamic linking is not the supported way of building the software. Who knows what kind of edge cases you would run into. The upstream developers will certainly not have done that.

> - Has Arch ever been sued or hit with legal action over attribution?
A quick search and my memory seems to suggest not. That is not a good reason to knowingly ignore license compliance though.

> - Is it upstream's responsibility to attribute the dependencies?
No, because upstream doesn't ship the dependencies. Arch Linux ships the dependencies, so Arch Linux must do the attribution.

> - Does Arch have the manpower to undergo any solution to this problem?
I think so. Using `cargo-about` or `cargo-bundle-licenses` is pretty easy and solves the problem of license compliance.


Kind regards,
Maarten de Vries
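The single-file attribution approach from the quoted message, as an added example that is not code from this thread or from any Arch tooling: a POSIX sh function that walks a `cargo vendor` tree, concatenates every LICENSE*/COPYING* file it finds under a header naming the crate, and warns about crates that ship no license file. The `vendor/<crate>-<version>/` layout, the `DEPENDENCYLICENSES` file name and the PKGBUILD usage in the comments are assumptions.

```shell
# build_dependency_licenses VENDOR_DIR OUT_FILE
# Writes one combined attribution file from a vendored dependency tree
# (assumed layout: VENDOR_DIR/<crate>-<version>/, as produced by `cargo vendor`).
# Every LICENSE* or COPYING* file in each crate directory is appended with a
# header line "==== <crate>: <file> ====". Crates with no such file are reported
# on stderr so they can be checked by hand rather than silently left out.
build_dependency_licenses() {
    vendor_dir=$1
    out_file=$2
    : > "$out_file"                       # truncate / create the output file
    for crate_dir in "$vendor_dir"/*/; do
        [ -d "$crate_dir" ] || continue   # no crates at all: glob stayed literal
        crate=$(basename "$crate_dir")
        found=0
        for lic in "$crate_dir"LICENSE* "$crate_dir"COPYING*; do
            [ -f "$lic" ] || continue     # unmatched glob pattern, skip it
            found=1
            {
                printf '==== %s: %s ====\n' "$crate" "$(basename "$lic")"
                cat "$lic"
                printf '\n'
            } >> "$out_file"
        done
        [ "$found" -eq 1 ] || printf 'warning: no license file found in %s\n' "$crate" >&2
    done
}

# count_attributed_crates OUT_FILE
# Prints how many license headers the combined file contains (one per license
# file found), useful as a sanity check before packaging.
count_attributed_crates() {
    grep -c '^==== ' "$1"
}

# Assumed usage from a PKGBUILD's package() step (not part of the thread):
#   build_dependency_licenses "$srcdir/vendor" "$srcdir/DEPENDENCYLICENSES"
#   install -Dm644 "$srcdir/DEPENDENCYLICENSES" \
#       "$pkgdir/usr/share/licenses/$pkgname/DEPENDENCYLICENSES"
```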