On Wed, 12 Sep 2018 at 09:40, Aurelien Bompard <abompard@fedoraproject.org> wrote:
> everything should be there for
> this with one exception: We really want to have some check in place for
> s2i so that it checks license, so we don't accidentally push out
> something that's not under an open source license. This doesn't need to be
> a blocker, but it would be great to get in place soon.

I could see that as an integration test in PDC, or have a regular (or
evented) job on the devpi host that would check the licences of all
cached (and thus requested) packages.

I like the CI test idea, a little bit like when we test that the code base is pep8 compliant or the test coverage is above 90%. There are a couple of Python packages that could be useful to help with that [0] [1].

[0] https://github.com/dhatim/python-license-check
[1] https://github.com/raimon49/pip-licenses
 
The downside of doing it on devpi is that we won't know directly which
app has requested the nonfree package. Since all dependencies are
already available locally and the license is in the package metadata
(PKG-INFO file), a script running in the integration testsuite
wouldn't even need internet access.

I can write a POC if you want.

A.
_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
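
Added example, not part of the original thread and not code from PDC or devpi: a sketch of the offline check discussed above, reading the license from each package's metadata (PKG-INFO / METADATA) so it can run inside an integration test suite without network access. The allowlist, the function names and the sample metadata are assumptions made for illustration.

```python
"""Offline license check over package metadata (PKG-INFO / METADATA)."""
import sys
from email.parser import Parser
from importlib import metadata

# Assumption: a project-chosen allowlist for the free-text License field.
ALLOWED_LICENSES = {"mit", "bsd", "apache-2.0", "gplv2+", "gplv3+", "lgplv2+"}
OSI_PREFIX = "License :: OSI Approved"

SAMPLES = {  # constructed metadata documents, for illustration only
    "good": "Name: goodpkg\nLicense: MIT\n"
            "Classifier: License :: OSI Approved :: MIT License\n",
    "closed": "Name: closedpkg\nLicense: Proprietary\n"
              "Classifier: License :: Other/Proprietary License\n",
    "missing": "Name: nolicense\nVersion: 0.1\nLicense: UNKNOWN\n",
    "freetext": "Name: textonly\nLicense: BSD\n",
}


def license_verdict(pkg_info_text):
    """Return (name, ok, evidence) for one PKG-INFO/METADATA document."""
    msg = Parser().parsestr(pkg_info_text, headersonly=True)
    name = msg.get("Name", "<unknown>")
    classifiers = [c for c in msg.get_all("Classifier", [])
                   if c.startswith("License ::")]
    declared = (msg.get("License") or "").strip()
    # Trove classifiers are a controlled vocabulary, so prefer them.
    if classifiers:
        ok = all(c.startswith(OSI_PREFIX) for c in classifiers)
        return name, ok, "; ".join(classifiers)
    # Fall back to the free-text field; missing or UNKNOWN fails closed.
    if declared and declared.upper() != "UNKNOWN":
        return name, declared.lower() in ALLOWED_LICENSES, declared
    return name, False, "no license metadata"


def check_installed():
    """Check every distribution installed in the current environment."""
    failures = []
    for dist in metadata.distributions():
        raw = dist.read_text("METADATA") or dist.read_text("PKG-INFO") or ""
        name, ok, evidence = license_verdict(raw)
        if not ok:
            failures.append((name, evidence))
    return sorted(failures)


if __name__ == "__main__":
    bad = check_installed()
    for name, evidence in bad:
        print(f"{name}: {evidence}")
    sys.exit(1 if bad else 0)  # non-zero exit fails the CI job
```

Run inside the application's own virtualenv, a failure is attributed to the app whose dependencies were installed there.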