What I'd be interested in is, as a developer of a project, how should I make the legal team's life easier? I personally already review all of my dependencies' licenses, and am quite familiar with free software licensing, so it seems a waste for that energy to be duplicated for every update.
[ The project that I linked originally is one that I authored. ]
I was just asking coolo about this (and he reviewed it while I watched).
I didn't mean to prod you directly on this package, "everyone is on vacation" is a totally fine way of spelling "shoo". :P As an aside, is it possible for the legal-auto bots to post a message if they decide that it needs manual legal review? Just to make it less confusing for someone like me that didn't know that legal-auto doesn't tell a submitter if a package needs manual review.
The main risks which our legal tooling is concerned about with umoci seem to be a rather large proliferation of different licenses across the package.
Apache-2.0, CC-BY-SA, BSD-3-Clause, MIT, BSD-2-Clause are all clearly referenced in files across the package, but only Apache-2.0 is cited in the specfile.
Would you prefer if I reference all of them in the spec-file? The CC-BY-SA stuff (which is what I assume the fuss would be about) is for documentation that isn't shipped in umoci (it's included automatically by the vendoring scripts I use).
But then, the thing is written in Go, there's a ton of bundled magical nonsense in there, I think that's the nature of the beast... rewrite the thing in a saner language with less bundled deps? ;) (I jest... mostly)
The other option I was considering was Rust, and that makes the licensing situation severalfold more complicated (not to mention that we still don't know how to package the damn thing). ;)
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
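The mismatch the thread describes (several license texts in the vendored tree, one identifier in the spec's License: tag) is the kind of thing a packager can check before submitting. The following is an added, hypothetical helper written for this thread, not openSUSE's legal-auto nor umoci's own tooling: it recognises a few common license texts by their characteristic phrases, compares them with the spec's License: expression, and reports what the spec does not mention. The vendor tree is a constructed in-memory dict of paths to excerpts.

```python
"""Audit vendored license files against an RPM spec's License: tag.
Hypothetical helper, not legal-auto; it only recognises a handful of
license texts by characteristic phrases and flags anything else."""
import re

# Ordered (phrase, SPDX id) rules; first match wins. "Neither the name"
# (the 3rd BSD clause) is checked before the generic BSD preamble.
_RULES = [
    ("Attribution-ShareAlike", "CC-BY-SA"),
    ("Apache License", "Apache-2.0"),
    ("Permission is hereby granted, free of charge", "MIT"),
    ("Neither the name", "BSD-3-Clause"),
    ("Redistribution and use in source and binary forms", "BSD-2-Clause"),
]

LICENSE_FILE = re.compile(r"(^|/)(LICENSE|COPYING)([.\-][^/]*)?$")

def classify_license(text):
    """Return an SPDX-style identifier for a license text, or None if unknown."""
    for phrase, spdx in _RULES:
        if phrase in text:
            return spdx
    return None

def spec_licenses(license_tag):
    """Split a License: expression such as 'Apache-2.0 AND MIT' into identifiers."""
    parts = re.split(r"\s+(?:AND|OR)\s+", license_tag)
    return {p.strip("() ") for p in parts if p.strip("() ")}

def audit_vendor_tree(files, license_tag):
    """files: {relative path: contents}.  Returns (found ids -> paths,
    ids missing from the spec tag, paths whose license text is unrecognised)."""
    found, unknown = {}, []
    for path, text in files.items():
        if not LICENSE_FILE.search(path):
            continue
        spdx = classify_license(text)
        if spdx is None:
            unknown.append(path)
        else:
            found.setdefault(spdx, []).append(path)
    return found, set(found) - spec_licenses(license_tag), unknown

# Constructed sample tree: excerpts only, paths are placeholders.
SAMPLE_VENDOR = {
    "vendor/example.org/dep-a/LICENSE": "Apache License\nVersion 2.0, January 2004",
    "vendor/example.org/dep-b/LICENSE.txt": "Permission is hereby granted, free of charge, to any person",
    "vendor/example.org/dep-c/LICENSE": "Redistribution and use in source and binary forms ... Neither the name of",
    "vendor/example.org/dep-d/docs/LICENSE": "Attribution-ShareAlike 4.0 International",
    "vendor/example.org/dep-e/LICENSE": "All rights reserved. Contact the author for terms.",
    "vendor/example.org/dep-e/main.go": "package main",
}
```

Running `audit_vendor_tree(SAMPLE_VENDOR, "Apache-2.0")` reports MIT, BSD-3-Clause and CC-BY-SA as missing from the spec and dep-e's LICENSE as unrecognised, which is what a human reviewer then has to look at.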