Hey,
On 08/04/2024 19:11, Polarian wrote:
> <SNIP>
> One way of doing it (which I heard of some codebases doing) is to append all the dependency licences into a single file "DEPENDENCYLICENSES" or "3RDPARTYLICENSES". A lot of Android apps do this and then spit out the file in a "licence" screen. I have seen proprietary products do this as well; I believe Discord has a file on their website with all the attribution. Simply install this next to the LICENCE in /usr/share/licenses and all is solved.
>
> Although then you would need to stick this in the licenses array, which will again cause sprawling, but this time on your screen. So a possible implementation of a "dependency_licenses" array, and then that can be a minimised list or a second page <package url>/dependency-licenses as an example. Although this then needs to be coded into the Arch build system... which isn't ideal either.
I don't see why you would need to stick this in the license array. Putting it in /usr/share/licenses is good enough for compliance with the license requirements.
> <SNIP>
> Questions:
> - Is this solution worth the manpower?
Personally I doubt it. A Rust project can easily explode into 300 dependencies. For somewhat bigger ones I have seen around 500~600 too. I suppose in the end many projects will share a large subset of those, but quite possibly at different versions.

And for me more importantly, dynamic linking is not the supported way of building the software. Who knows what kind of edge cases you would run into. The upstream developers will certainly not have done that.
> - Has Arch ever been sued or hit with legal action over attribution?
A quick search and my memory seem to suggest not. That is not a good reason to knowingly ignore license compliance though.
> - Is it upstream's responsibility to attribute the dependencies?
No, because upstream doesn't ship the dependencies. Arch Linux ships the dependencies, so Arch Linux must do the attribution.
> - Does Arch have the manpower to undergo any solution to this problem?
I think so. Using `cargo-about` or `cargo-bundle-licenses` is pretty easy and solves the problem of license compliance.
Kind regards,
Maarten de Vries
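The thread above describes the shape of the solution (one bundled attribution file installed under /usr/share/licenses) but not how a packager would produce it or check that nothing is missing. The script below is an added example, not code from the thread, from Arch, or from `cargo-about`/`cargo-bundle-licenses`. It reads the `packages` and `workspace_members` arrays of `cargo metadata --format-version 1` output (real fields: `id`, `name`, `version`, `license`, `license_file`, `manifest_path`), skips the workspace's own crates, groups the remaining dependencies by SPDX `license` expression, appends the text of any declared `license_file`, and reports crates that declare neither, since those are the ones a reviewer has to resolve by hand before the package is compliant. The metadata, crate names, versions and licence texts in `make_sample_tree()` are constructed for the demo; the `id` strings are simplified (real cargo ids carry a source URL) and the staging path layout mirrors a PKGBUILD's `$pkgdir/usr/share/licenses/$pkgname/`.

```python
"""Bundle third-party crate licences into one attribution file (added example)."""
import json
import os
import sys
import tempfile
from collections import defaultdict


def load_metadata(path):
    """Parse `cargo metadata --format-version 1` JSON from a file or '-' for stdin."""
    with (sys.stdin if path == "-" else open(path, encoding="utf-8")) as fh:
        return json.load(fh)


def bundle_licenses(metadata):
    """Return (attribution text, sorted list of crates with no licence information).

    Workspace members are the crates being built, not dependencies, so they are skipped.
    Crates that set neither `license` nor `license_file` cannot be attributed automatically.
    """
    members = set(metadata["workspace_members"])
    by_license = defaultdict(list)
    missing = []
    for pkg in metadata["packages"]:
        if pkg["id"] in members:
            continue
        label = f'{pkg["name"]} {pkg["version"]}'
        expr = pkg.get("license")
        lic_file = pkg.get("license_file")
        if not expr and not lic_file:
            missing.append(label)
            continue
        body = None
        if lic_file:
            # license_file is relative to the crate root, i.e. the directory of Cargo.toml
            path = os.path.join(os.path.dirname(pkg["manifest_path"]), lic_file)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
        by_license[expr or f"see {lic_file}"].append((label, body))

    lines = ["Third-party licences for bundled dependencies", ""]
    for expr in sorted(by_license):
        lines += [f"== {expr} ==", ""]
        for label, body in sorted(by_license[expr]):
            lines.append(f"  {label}")
            if body:
                lines += ["", body.rstrip(), ""]
        lines.append("")
    return "\n".join(lines), sorted(missing)


def install_bundle(metadata, pkgdir, pkgname, filename="DEPENDENCYLICENSES"):
    """Write the bundle next to where a PKGBUILD installs LICENSE; return (path, missing)."""
    text, missing = bundle_licenses(metadata)
    dest_dir = os.path.join(pkgdir, "usr", "share", "licenses", pkgname)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, filename)
    with open(dest, "w", encoding="utf-8") as fh:
        fh.write(text)
    return dest, missing


def make_sample_tree():
    """Construct a throwaway crate tree plus matching metadata (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="licdemo-")

    def crate(name, version, license_expr=None, license_file=None, text=None):
        crate_dir = os.path.join(root, f"{name}-{version}")
        os.makedirs(crate_dir, exist_ok=True)
        pkg = {"id": f"{name}@{version}", "name": name, "version": version,
               "license": license_expr, "license_file": None,
               "manifest_path": os.path.join(crate_dir, "Cargo.toml")}
        if license_file:
            with open(os.path.join(crate_dir, license_file), "w", encoding="utf-8") as fh:
                fh.write(text)
            pkg["license_file"] = license_file
        return pkg

    packages = [
        crate("myapp", "0.1.0", "MIT"),                      # the crate being packaged
        crate("serde", "1.0.197", "MIT OR Apache-2.0"),
        crate("libc", "0.2.153", "MIT OR Apache-2.0"),
        crate("ring", "0.17.8", None, "LICENSE", "Constructed ring licence text\n"),
        crate("mystery-crate", "0.1.0"),                     # neither field set
    ]
    return {"packages": packages, "workspace_members": ["myapp@0.1.0"]}


if __name__ == "__main__":
    # Usage: cargo metadata --format-version 1 | python3 bundle_licenses.py - "$pkgdir" "$pkgname"
    md = load_metadata(sys.argv[1]) if len(sys.argv) == 4 else make_sample_tree()
    pkgdir = sys.argv[2] if len(sys.argv) == 4 else tempfile.mkdtemp(prefix="pkgdir-")
    pkgname = sys.argv[3] if len(sys.argv) == 4 else "myapp"
    dest, unresolved = install_bundle(md, pkgdir, pkgname)
    print(f"wrote {dest}")
    for label in unresolved:
        print(f"no licence information for {label}; resolve by hand", file=sys.stderr)
    sys.exit(1 if unresolved else 0)
```

Run without arguments it builds the constructed sample and fails on `mystery-crate`, which is the behaviour you want in a package build: a dependency with no declared licence should stop the build rather than silently ship unattributed.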