Allow me to ignore UNKNOWN licenses

Issue #292 resolved
David Jarvis created an issue

I have a few upstream dependencies that are years old and are not about to accept changes. Some of them do not have a license specified. It would be nice if I could choose to ignore these projects, either on a case by case basis or as a blanket policy, at least for the purpose of pull requests.

Comments (9)

  1. Barry van Veen

    I agree with William. Personally I don't want to check the licenses at all, since I don't have a lot of control over them. The warnings that versioneye triggers are now cluttering my PRs and distracting from my main concern of keeping the dependencies up-to-date.

  2. Aidan Lane Account Deactivated

    +1, this is currently driving our team nuts with PRs, as we have a whole lot of packages from wpackagist.org, which don't have license information.

  3. Rick Jensen

    Personally, I think this feature (ignore or whitelist UNKNOWN-licensed dependencies in a sweeping way) is a horrible idea. If you are using a dependency for which you do not have a license, you're opening yourself up to a world of pain. Forcing people to whitelist these cases, which forces them to say "I'm OK using someone's code without proper permission" (or, in the rare case, "I have explicit permission that versioneye doesn't know about"), is a good thing, and it protects people from legal ramifications.

    There is already an ability to ignore the license check for specific dependencies, which is how we're dealing with UNKNOWN-licensed dependencies (multiple of our own modules in SNAPSHOT mode are causing this for us right now). The whitelist mechanism can work at both a coarse- and fine-grained level, so it works pretty well. I think it might be good to add more flexibility to how these are specified, but the general capability is already there.

  4. Aidan Lane Account Deactivated

    Hi Rick, we would be more than happy with a fine grained whitelist. However, how do we do this? We have PHP deps that are marked as UNKNOWN. We don't want to enable UNKNOWN as a satisfactory licence as part of a blanket policy, we only want it for certain deps.

    "There is already an ability to ignore the license check for specific dependencies" – please tell how you did it :)

    I've read https://blog.versioneye.com/2015/08/26/component-whitelist/ but that doesn't seem to help in this situation. Or do I need to set up a license whitelist first?

  5. Rick Jensen

    Yes, you do need a license whitelist first, otherwise the component whitelist won't work. Hopefully that restriction lifts at some point in the future, but for now you need both.

    You can also mute individual warnings if needed / desired, but I'd personally take the whitelist approach first and see how much mileage that gets you.

  6. Aidan Lane Account Deactivated

    Oh, that's the trick! A whitelist will actually be quite useful for us after all, as for one group of dependencies we allow GPL, but for another we don't. VersionEye seems to be having issues at the moment (504 Gateway Time-out), but once it's back up properly, I'll test this out. Thanks Rick, you're a legend!

  7. Robert Reiz

    Hi @aidanlane @cdeszaq @barryvanveen @venantius. Sorry for the late response. Somehow this didn't pop up in my mailbox.

    In the meantime we made many small improvements to this. Now you can use the component whitelist independently from the license whitelist. And now the component whitelist will be taken into account in the pull request integration.

    Besides that, we made it much easier to add dependencies to the component whitelist. Now you just need to click on an icon: https://blog.versioneye.com/2017/01/31/simplified-component-whitelist/.


  8. Robert Reiz
    • edited description
    • changed status to resolved

    I'm closing this because now you can ignore UNKNOWN licenses in pull requests by putting the corresponding dependencies on the component whitelist.

  9. Aidan Lane Account Deactivated

    @reiz you're a legend!

    "Now you can use the component whitelist independently from the license whitelist" – great! "And now the component whitelist will be taken into account in the pull request integration." – perfect! "Besides that, we made it much easier to add dependencies to the component whitelist." – love it! (It helped me fix a couple of issues already where I had the wrong syntax.)

    Cheers!
